
OAuth apps


Public Beta Notice

OAuth apps is available as a public beta release. Twilio might add or change features before declaring OAuth apps Generally Available. Beta products aren't covered by a Twilio SLA.

Learn more about beta product support.

OAuth apps enable OAuth 2.0 authorization for Twilio APIs using the client credentials grant type defined in RFC 6749, section 4.4. This grant type is designed for machine-to-machine (server-to-server) interactions, such as backend services, where an application authenticates directly with another application rather than on behalf of a user.

Users can create OAuth apps directly in the Twilio Console. After creating an app, Twilio provides a client ID and client secret. Users can then use these credentials to request an access token from Twilio's OAuth token endpoint. Once obtained, the access token enables authenticated API calls to Twilio APIs. The sequence diagram below illustrates this client credentials flow.

[Figure: OAuth apps client credential sequence diagram]

Here are the key benefits of using OAuth Apps:

  • OAuth credentials are used to generate short-lived access tokens. The expiry is currently fixed at 1 hour.
  • Access tokens are scoped and have restricted access to only some APIs.

Note

OAuth apps currently do not support the Authorization Code grant type, which is used for third-party delegated access scenarios. For third-party delegated access, use Twilio Connect instead.
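
The client credentials flow described above, as an added Python example (not Twilio's code): it builds the RFC 6749 section 4.4 token request and caches the access token until shortly before the 1-hour expiry. The endpoint URL is a placeholder, and sending the credentials in the form body, the `expires_in` response field and bearer-style use of the token are assumptions not stated on this page.

```python
import json
import time
import urllib.parse
import urllib.request

# Assumption: placeholder URL; take the real token endpoint from Twilio's API reference.
TOKEN_URL = "https://oauth.example.invalid/token"
REFRESH_MARGIN = 300  # seconds; renew shortly before the 1-hour expiry


def build_token_request(client_id, client_secret, url=TOKEN_URL):
    """RFC 6749 section 4.4.2 token request. Sending the client credentials in
    the form body (section 2.3.1) is an assumption about the endpoint."""
    form = {"grant_type": "client_credentials",
            "client_id": client_id, "client_secret": client_secret}
    return urllib.request.Request(
        url, data=urllib.parse.urlencode(form).encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def http_send(request):
    """Default transport: POST over TLS and parse the JSON token response."""
    with urllib.request.urlopen(request, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Keeps one access token in memory and renews it before it expires."""

    def __init__(self, client_id, client_secret, send=http_send, clock=time.time):
        self._id, self._secret = client_id, client_secret
        self._send, self._clock = send, clock
        self._token, self._expires_at = None, 0.0

    def get(self):
        if self._token is None or self._clock() >= self._expires_at - REFRESH_MARGIN:
            resp = self._send(build_token_request(self._id, self._secret))
            if "access_token" not in resp:
                # Do not log resp or the request body: they hold the token and secret.
                raise ValueError("token response has no access_token")
            self._token = resp["access_token"]
            # Fall back to the 1 hour stated on this page if expires_in is missing.
            self._expires_at = self._clock() + int(resp.get("expires_in", 3600))
        return self._token

    def auth_header(self):
        """Header for API calls; bearer-style usage is an assumption."""
        return {"Authorization": f"Bearer {self.get()}"}
```

Load the client ID and secret from a secrets manager or environment at startup rather than embedding them in source, and create one `TokenCache` per OAuth app so each service requests a token at most once per hour.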


Create an OAuth App

  1. Click Admin > Account management in the top right corner.
  2. Under Keys & credentials, click OAuth apps (or go directly to the Console).
  3. On the OAuth apps page, click Create an OAuth app.
  4. On the Create an OAuth app page, enter the App name and Description of the app.
  5. Select the OAuth Scopes, which are the permissions the OAuth app needs.
  6. Click Create app.
  7. On the Credentials page, copy the Client ID and Client Secret and store them somewhere secure.
  8. Select the Got it! checkbox and click Finish.

View/Update an OAuth app

  1. Click Admin > Account management in the top right corner.
  2. Under Keys & credentials, click OAuth apps (or go directly to the Console).
  3. On the OAuth apps page, click on the App name.
  4. On the OAuth apps detail page, view the App name, Description of the app, Date created, Created by, OAuth Scopes and Client ID. You can update the App name, Description of the app and OAuth Scopes.
  5. Click Save to update the app or Cancel to go back to the OAuth apps list page.

Rotate Secret of an OAuth app

  1. Click Admin > Account management in the top right corner.
  2. Under Keys & credentials, click OAuth apps (or go directly to the Console).
  3. On the OAuth apps page, click on the App name.
  4. On the OAuth apps detail page, click on the Credentials tab.
  5. Click on Rotate secret, then click on Yes, rotate secret on the confirmation pop-up.
  6. Copy the new Client Secret and store it somewhere secure.
  7. Select the Got it! checkbox and click Done.

Note

When a secret is rotated, the old secret remains valid for 24 hours before becoming inactive.


Delete an OAuth app

  1. Click Admin > Account management in the top right corner.
  2. Under Keys & credentials, click OAuth apps (or go directly to the Console).
  3. On the OAuth apps page, click on Delete under Actions.
  4. In the pop-up, click Yes, delete application to confirm deletion.

Audit Events can be viewed in the Twilio Console under Monitor > Insights > Audit. There are 4 Audit Events related to OAuth apps:

  1. oauth-apps.created: This event is triggered when an OAuth app is created.
  2. oauth-apps.updated: This event is triggered every time an OAuth app is updated.
  3. oauth-apps.deleted: This event is triggered every time an OAuth app is deleted.
  4. oauth-apps.secret-rotated: This event is triggered every time the client secret of an OAuth app is rotated.
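
One way to review these events, as an added Python example that is not Twilio's code: it flags OAuth app changes made by actors outside an expected list and reports rotations whose old secret is still inside the 24-hour validity window. The record field names (`event_type`, `app`, `actor`, `at`), the sample records and the `known_admins` allow-list are constructed for illustration; only the four event names and the 24-hour window come from this page.

```python
from datetime import datetime, timedelta, timezone

OLD_SECRET_GRACE = timedelta(hours=24)  # old secret stays valid this long after rotation
OAUTH_EVENTS = {"oauth-apps.created", "oauth-apps.updated",
                "oauth-apps.deleted", "oauth-apps.secret-rotated"}

# Constructed sample records; the field names are hypothetical, not Twilio's schema.
SAMPLE_EVENTS = [
    {"event_type": "oauth-apps.secret-rotated", "app": "reports",
     "actor": "alice@example.com", "at": "2025-01-08T08:00:00+00:00"},
    {"event_type": "oauth-apps.created", "app": "billing-sync",
     "actor": "alice@example.com", "at": "2025-01-08T10:00:00+00:00"},
    {"event_type": "oauth-apps.secret-rotated", "app": "billing-sync",
     "actor": "alice@example.com", "at": "2025-01-10T09:00:00+00:00"},
    {"event_type": "oauth-apps.updated", "app": "reports",
     "actor": "contractor@example.com", "at": "2025-01-10T11:00:00+00:00"},
    {"event_type": "other.event", "app": "n/a",  # unrelated event, skipped
     "actor": "contractor@example.com", "at": "2025-01-10T11:30:00+00:00"},
]


def review(events, now, known_admins):
    """Return (app, finding, detail) tuples in event-time order."""
    findings = []
    relevant = [e for e in events if e["event_type"] in OAUTH_EVENTS]
    for e in sorted(relevant, key=lambda e: datetime.fromisoformat(e["at"])):
        # Any OAuth app change by someone outside the expected admins needs a look.
        if e["actor"] not in known_admins:
            findings.append((e["app"], "unexpected-actor", e["event_type"]))
        # After a rotation the previous secret still authenticates for 24 hours,
        # so a leaked secret is not contained until this timestamp has passed.
        if e["event_type"] == "oauth-apps.secret-rotated":
            inactive_at = datetime.fromisoformat(e["at"]) + OLD_SECRET_GRACE
            if now < inactive_at:
                findings.append((e["app"], "old-secret-still-valid",
                                 inactive_at.isoformat()))
    return findings


if __name__ == "__main__":
    now = datetime(2025, 1, 10, 12, 0, tzinfo=timezone.utc)
    for finding in review(SAMPLE_EVENTS, now, {"alice@example.com"}):
        print(finding)
```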

Scopes/Permissions available with OAuth apps


Warning

An OAuth app has a limit of 100 scopes/permissions that can be associated with it.

Each permission maps to one or more endpoints/actions for each API Resource.

Click on one of the product areas below to download a PDF of the permissions/endpoint actions.

Messaging Permissions

Phone Numbers Permissions

Studio Permissions

TaskRouter Permissions

Voice Permissions

Lookup Permissions

API keys Permissions

Monitor Permissions

Verify Permissions

Event Streams Permissions

Usage Records Permissions