How to use the Twilio APIs
The Twilio APIs are organized around REST. Behind these APIs is a software layer connecting and optimizing communications networks around the world. With the Twilio APIs, you can build applications that help your users send messages, make phone calls, look up phone numbers, and more.
In Twilio's ecosystem, each product corresponds to an API. For example, Twilio Messaging corresponds to the Messaging API. Although each API has its own unique features, they all share a common set of principles and practices. This consistency allows you to work with different Twilio APIs in a similar way. You can use the APIs directly over HTTPS or through Twilio helper libraries available for several programming languages.
In this guide, you'll learn about how to authenticate your requests to the Twilio APIs, what content type to use for API requests, and how the Twilio APIs handle webhooks.
To authenticate requests to the Twilio APIs, Twilio supports HTTP Basic authentication. You can use the following credentials:
| Username | Password | Best practice |
|---|---|---|
| API Key | API Key Secret | This is the recommended way to authenticate with the Twilio APIs. When a key is compromised or no longer used, revoke it to prevent unauthorized access. |
| Account SID | AuthToken | Limit your use to local testing. |
Info
Twilio API credentials are region-specific resources. If your account uses Twilio Regions, see Manage Regional API Credentials.
An API key is a secret unique identifier that controls access to your Twilio Account's API resources. You can create multiple API keys for different purposes, such as for different developers or subsystems within your application. If a key is compromised or no longer used, you can revoke it to prevent unauthorized access.
You can create an API key either in the Twilio Console or using the API.
The API key types are Main, Standard, and Restricted (Public Beta, Key resource v1 only). The following table describes each type:
| Key type | Access permissions | Create in Console | Create with REST API |
|---|---|---|---|
| Main | Full access to all Twilio API resources. Equivalent to using your Account SID and Auth Token for API requests. | Yes | No |
| Standard | Access to all Twilio API resources, except for Accounts (/Accounts) or Keys (/Accounts/{SID}/Keys, /v1/Keys) resources. | Yes | Yes |
| Restricted | Customized, fine-grained access to specific Twilio API resources. Learn more about Restricted API keys. | Yes | Yes (v1 only) |
When making an API request, use your API key as the username and your API key secret as the password.
Note: In the following example, you must use a Main API key.
1curl -G https://api.twilio.com/2010-04-01/Accounts \2-u $YOUR_API_KEY:$YOUR_API_KEY_SECRET
The user remains logged in for the duration of the request. Learn more about how Twilio handles authentication.
Twilio doesn't recommend using your Account SID and Auth Token in production. If a bad actor gains access to your Account SID and Auth Token, then your Twilio Account is compromised.
For local testing, you can use your Account SID as the username and your Auth token as the password. You can find your Account SID and Auth Token in the Twilio Console, under the Account Dashboard.
1curl -G https://api.twilio.com/2010-04-01/Accounts \2-u $YOUR_ACCOUNT_SID:$YOUR_AUTH_TOKEN
A Twilio helper library is a server-side SDK that helps you use Twilio's REST APIs, generate TwiML, and perform other common server-side programming tasks. All Twilio helper libraries come with a Utilities class that validates requests by passing your credentials to the library.
Danger
Always use environment variables to keep credentials before sharing any code or deploying to production. Learn more about setting environment variables.
Twilio's APIs expect the API request content type to be application/x-www-form-urlencoded or multipart/form-data. Using an unsupported content type might cause unexpected behavior or errors.
Webhooks are user-defined HTTP callbacks triggered by an event in a web application. Twilio uses webhooks to let your application know when events happen, like getting an incoming call or receiving an SMS message. Webhooks are triggered asynchronously.
When a webhook event occurs, Twilio makes an HTTP request, such as POST or GET, to the URL you configured for your webhook. Twilio's request to your application includes details of the event like the body of an incoming message or an incoming phone number. Your application can then process the event and reply to Twilio with a response containing the instructions you'd like Twilio to perform.
To handle a webhook when you use Twilio, you need to build a web application that can accept HTTP requests. Check out officially supported helper libraries to get up and running quickly.
- Learn how to make API requests using cURL, Twilio helper libraries, and the Twilio CLI.
- Explore the Twilio APIs: Messaging, Voice, Video, Verify, and more.