Account-level OAuth apps
Account-level OAuth apps use the OAuth 2.0 standard to authorize access to Twilio APIs. This page explains how to create, view, update, rotate secrets for, and delete account OAuth apps.
Note
Account-level OAuth apps only support the Client Credentials grant type. They do not support the Authorization Code grant type.
- Log in to Twilio Console and go to Settings > Account settings > OAuth applications.
- Click Create an OAuth app.
- On the Application details step, enter a name for your application. Click Next.
- On the Scopes & permissions step:
  - Enter the Token expiration time, which can be between 1 min and 30 days. The default is 1 hr.
  - Select the scopes and permissions you want to include in the OAuth application. See Permission to API mapping.
- On the Copy secret page, copy the credentials and store them somewhere secure.
- Select the Got it! checkbox and click Finish.
To generate the access token, use the Token API.
- Log in to Twilio Console and go to Settings > Account settings > OAuth applications.
- Click the OAuth app name you want to view or update.
- On the Application details tab, you can see basic information about the application. To update the application's name or description, click Edit application details and update the details, then click Save.
- On the Access settings tab, you can see and update the Token expiration time and OAuth scopes.
- On the Credentials tab, you can see the client ID and you can rotate the client secret.
- Log in to Twilio Console and go to Settings > Account settings > OAuth applications.
- Click the name of the OAuth app whose secret you want to rotate.
- On the Credentials tab, click Rotate secret.
- In the confirmation dialog, enter the Grace period (the time the old secret remains valid, between 0 and 30 days) and click Yes, rotate secret. If set to 0, the old secret becomes invalid immediately.
- Copy the new credentials and store them somewhere secure.
- Select the Got it! checkbox and click Done.
Note
To see the grace period for an existing OAuth app, view the oauth-apps.secret-rotated audit event.
- Log in to Twilio Console and go to Settings > Account settings > OAuth applications.
- In the Action column of the OAuth app you want to delete, click Delete.
- In the dialog, click Delete.
To see audit events in the Twilio Console, go to Settings > Account settings > Audit events. In the Legacy Console, go to Monitor > Insights > Audit. There are four audit events related to OAuth apps:
- oauth-apps.created: This event is triggered when an OAuth app is created.
- oauth-apps.updated: This event is triggered every time an OAuth app is updated.
- oauth-apps.deleted: This event is triggered every time an OAuth app is deleted.
- oauth-apps.secret-rotated: This event is triggered every time the client secret of an OAuth app is rotated.
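The grace period recorded in oauth-apps.secret-rotated determines how long a replaced secret is still accepted, so it is worth reviewing after each rotation. The following Python sketch is an added example, not Twilio code: it works out, from exported audit records, which apps still have an old secret in its grace period and which rotations exceeded a policy limit. The record field names, the sample data and the 7-day policy threshold are assumptions, and each rotation's grace period is treated independently.

```python
from datetime import datetime, timedelta

ROTATED = "oauth-apps.secret-rotated"  # event name from the page

# Constructed sample records. The field names (type, app, time, grace_days)
# are hypothetical; map them from whatever your audit export contains.
SAMPLE_EVENTS = [
    {"type": "oauth-apps.created", "app": "billing-sync",
     "time": "2024-05-01T09:00:00+00:00"},
    {"type": ROTATED, "app": "billing-sync",
     "time": "2024-05-10T09:00:00+00:00", "grace_days": 30},
    {"type": "oauth-apps.created", "app": "ivr-reports",
     "time": "2024-05-02T12:00:00+00:00"},
    {"type": ROTATED, "app": "ivr-reports",
     "time": "2024-05-12T12:00:00+00:00", "grace_days": 0},
    {"type": ROTATED, "app": "ivr-reports",
     "time": "2024-05-15T12:00:00+00:00", "grace_days": 7},
]


def old_secret_windows(events):
    """Return {app: [(rotated_at, old_secret_expires_at), ...]}."""
    windows = {}
    for ev in events:
        if ev["type"] != ROTATED:
            continue
        grace = ev["grace_days"]
        if not 0 <= grace <= 30:  # range stated on the page
            raise ValueError(f"grace period out of range: {grace}")
        start = datetime.fromisoformat(ev["time"])
        # grace 0 gives an empty window: the old secret is invalid at once
        windows.setdefault(ev["app"], []).append(
            (start, start + timedelta(days=grace)))
    return windows


def live_old_secrets(events, now, max_grace_days=7):
    """List findings for old secrets valid at `now` or with a long grace."""
    # max_grace_days is a hypothetical local policy, not a Twilio limit.
    findings = []
    for app, spans in sorted(old_secret_windows(events).items()):
        for start, end in spans:
            if start <= now < end:
                findings.append((app, "old secret still valid", end.isoformat()))
            if (end - start).days > max_grace_days:
                findings.append((app, "grace period over policy", end.isoformat()))
    return findings
```

Pass a timezone-aware `now`, since the sample timestamps carry a UTC offset.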
Warning
An OAuth app has a limit of 100 scopes/permissions that can be associated with it.
Each permission maps to one or more endpoints and actions for each API resource. To download a PDF of the permission and endpoint actions, click one of the following links:
- Messaging Permissions
- Phone Numbers Permissions
- Studio Permissions
- TaskRouter Permissions
- Voice Permissions
- Lookup Permissions
- Identity and Access Management (IAM) Permissions
- Monitor Permissions
- Verify Permissions
- Video Permissions
- Event Streams Permissions
- Usage Records Permissions
- Serverless Permissions
- Flex Permissions