
20003: Permission Denied


ERROR: 20003

API, IAM
ERROR

This error usually means the credentials on your request are incorrect, expired, deleted, scoped to the wrong account, or not valid for the resource you are trying to access. Authenticate Twilio API requests with HTTP Basic authentication. For production, use an API Key and Secret. For local testing, use your Account SID and Auth Token. If you use OAuth, send a valid access token in the Authorization header. Twilio server-side SDKs can also simplify authentication.

Possible causes

  • You sent the wrong Account SID and Auth Token combination, you used an Auth Token that was deleted, or the credentials include extra characters or spaces.
  • You used Test Credentials against live account resources or against an endpoint that does not support test credentials.
  • You used subaccount credentials to access the main account or another subaccount, or you used main account API keys against subaccount resources that require subaccount authentication.
  • You used a Standard API key for an endpoint that requires a Main API key, such as /Accounts or /v1/Keys.
  • The API key was deleted, or the API key was created in a different Twilio Region than the request you sent.
  • The account is suspended or closed.
  • A web proxy or middleware removed the authentication credentials before the request reached Twilio.
  • You used an Auth Token where an API Key SID and API Key Secret are required to sign a Twilio Access Token or another JWT-based workflow.
  • The OAuth access token is incorrect or expired.

Possible solutions

  • Verify that you are sending the correct credentials. For production, use an API Key and Secret. For local testing, use your Account SID and Auth Token.
  • If a token or key was deleted, rotated, or compromised, generate a replacement and update every environment variable, secret store, and deployed application that still uses the old value.
  • Confirm that the credentials belong to the account or subaccount that owns the resource you are calling. Do not use subaccount credentials for main account resources. Do not use main account API keys for subaccount resources that require subaccount authentication.
  • If you are using Test Credentials, call only the supported test resources and do not mix them with live account resources.
  • If you are calling /Accounts or Keys endpoints, use a Main API key instead of a Standard API key.
  • If your account uses Twilio Regions, create or use credentials in the same region as the request.
  • Check any proxy, gateway, or middleware between your application and Twilio. Make sure it forwards the Authorization header unchanged.
  • When you generate Twilio Access Tokens or other JWT-based credentials for client SDKs, sign them with an API Key SID and API Key Secret instead of an Auth Token.
  • If you use OAuth, request a new access token and send it as a Bearer token in the Authorization header.
  • If the account is suspended or closed, contact support before retrying the request.
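
A pre-flight check for several of the causes above (stray whitespace or quotes in a credential, an Account SID where an API Key SID is required for token signing, and a proxy that drops or rewrites the Authorization header). This is an added example, not Twilio code: the function names and sample values are constructed, the SID pattern (`AC` or `SK` followed by 32 hex characters) is an assumption about the usual format, and `received_headers` is assumed to come from an echo endpoint you control behind the same proxy.

```python
import base64
import re

# Assumption: Account SIDs are "AC" + 32 hex chars, API Key SIDs are "SK" + 32 hex chars.
SID_RE = re.compile(r"(AC|SK)[0-9a-fA-F]{32}")

def lint_credentials(username, secret, signing_jwt=False):
    """Return findings that commonly precede error 20003 (empty list = clean)."""
    findings = []
    for name, value in (("username", username), ("secret", secret)):
        if value != value.strip():
            findings.append(f"{name}: leading/trailing whitespace")
        elif any(ch.isspace() or not ch.isprintable() for ch in value):
            findings.append(f"{name}: embedded whitespace or control character")
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            findings.append(f"{name}: wrapped in quotes")
    sid = username.strip()
    if not SID_RE.fullmatch(sid):
        findings.append("username: not an Account SID (AC...) or API Key SID (SK...)")
    elif signing_jwt and sid.startswith("AC"):
        # Access Tokens are signed with an API Key SID and Secret, not an Auth Token.
        findings.append("username: token signing requires an API Key SID and Secret")
    return findings

def basic_auth_header(username, secret):
    """Build the HTTP Basic value that must reach the API unchanged."""
    token = base64.b64encode(f"{username}:{secret}".encode()).decode("ascii")
    return "Basic " + token

def header_forwarded_unchanged(sent_value, received_headers):
    """Compare sent vs. received Authorization; header names are case-insensitive.
    Returns a boolean only, so the secret never needs to be written to a log."""
    for name, value in received_headers.items():
        if name.lower() == "authorization":
            return value == sent_value
    return False  # header was stripped in transit

# Constructed sample values, not real credentials.
SAMPLE_KEY_SID = "SK" + "0123456789abcdef" * 2
SAMPLE_ACCOUNT_SID = "AC" + "0123456789abcdef" * 2
SAMPLE_SECRET = "constructed-secret-value"

if __name__ == "__main__":
    # A trailing newline is typical of a value read from a file or secret store.
    print(lint_credentials(SAMPLE_KEY_SID + "\n", SAMPLE_SECRET))
    print(lint_credentials(SAMPLE_ACCOUNT_SID, SAMPLE_SECRET, signing_jwt=True))
```
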
