60420: Invalid Contact ID format

Twilio returns this error when your Verify request includes a Contact ID that Twilio cannot parse. In Verify Passkeys, a user is represented as an Entity, and Twilio recommends using an immutable identifier such as a system UUID, GUID, or SID for the identity value. That identity should be 8 to 64 characters long and contain only dash-separated alphanumeric characters. If you send a Passkeys response.userHandle, it must be a Base64-encoded, URL-safe contact ID.

• The Contact ID or identity value contains characters that do not match the allowed format for Verify Entity identifiers.
• The Contact ID is too short or too long for the Verify Entity identifier requirements.
• The identity value changed between Passkeys factor creation and later requests, such as challenge creation. Twilio expects you to use the same identity value when you create a Passkeys challenge.
• The Passkeys response.userHandle value is not Base64-encoded and URL-safe.

• Generate an immutable, non-PII identifier in your system, such as a UUID, GUID, or SID, and use that value consistently as the user's identity.
• Validate the Contact ID before you send the request. For Verify Entity identifiers, keep the value between 8 and 64 characters and use only dash-separated alphanumeric characters.
• Store the identity value you used when you created the Passkeys factor, then reuse that exact value in later Verify requests for the same user.
• If you send response.userHandle in a Passkeys flow, pass it exactly as returned by the authenticator and do not manually reformat or re-encode it.

• Verify Passkeys quickstart
• Entity Resource
• Passkeys Factor Resource