Today, we’re excited to announce the launch of Public Key Client Validation. Available through the Twilio Enterprise Plan, Public Key Client Validation helps organizations in compliance-heavy industries meet strict security requirements, such as not relying on shared secrets, validating the sender, or verifying message content.
Shipping like a startup is no easy task for enterprise developers. It’s a different environment. Enterprises need to coordinate multiple teams before code can be pushed to production. One of those teams is security and compliance. They often have additional requirements for developers to meet before the product can go live. This is good because it helps to mitigate against the unique risks of enterprise businesses. But it’s also bad, because it slows the pace of innovation by not allowing devs to use cloud API tools like Twilio that allow them to ship fast at scale. The Twilio Enterprise Plan is designed to unblock enterprises by providing for their unique security, administration, and compliance needs.
One requirement we’ve heard from customers within regulated industries, such as finance, is that they need more than shared secrets in order to integrate with Twilio. These requirements range from TLS layer Mutual Authentication to other mechanisms to secure endpoints. To address such requirements, we’ve built the Public Key Client Validation feature.
Stay in Control of Your Secrets
With Public Key Client Validation, you can upload a public key to Twilio, and then subsequently sign REST API requests with the corresponding private key. Since you’re completely in control of the private key, this feature provides an additional layer of security by validating the origin of the request.
With Public Key Client Validation enabled, you will:
- Be the only one who knows the Secret, which means the auth token – a shared secret – will be rendered invalid for REST requests.
- Be able to easily rotate your keys and stay in full control of your credentials.
Client and Message Validation
When you send a request with Public Key Client Validation, Twilio validates:
- That the request comes from a sender who is in control of the private key
- That the message has not been modified in transit
How to use Public Key Client Validation
To get started using Public Key Client Validation, first you’ll need to enroll in the Twilio Enterprise Plan.
Once you’re Enterprise account has been activated, sending a request using Public Key Client Validation is easy:
- Generate RSA Key Pair: The first step is to create a valid key pair. This only had to be done once.
- Submit Public Key: Submit the public key to the Twilio via the Credentials Endpoint. This is a one time requirement as well.
Attach a signature to every request:
- Create Hash of the Canonical Request: Every outgoing request needs to be hashed and signed. This functionality is implemented in the latest alpha branch of the Java helper libraries.
- Generate JWT: Once the hash is created, it needs to be embedded in the JWT payload, which then gets signed with the private key. This is also handled by the latest alpha branch of the Java helper libraries.
- Attach JWT to the request header: The last step is to add to JWT to the header of the request.
Twilio will validate the requests to ensure the message comes from a sender in control of the private key.
On Twilio’s end, once you’ve toggled enforcement of Public Key Client Validation, our API servers will validate that incoming REST requests are properly signed using the public key you provided to Twilio.
Overview of the Enterprise Plan
The Enterprise Plan is a packaged set of security and administration capabilities designed for large businesses building with Twilio. It was developed after listening to Twilio customers – software teams within companies such as Nordstrom, Dell, Salesforce, and ING Bank – that operate a lot like software teams in startups. They use cloud technologies, like Twilio, to ship code faster, however being an enterprise they have to comply with strict security, operations, and procurement processes.
With the addition of Public Key Client Validation, The Enterprise Plan now comes with the following capabilities:
- Access Management: Single Sign-On (SSO)
- Audit Events
- And now Public Key Client Validation