Rate this page:

Protect your Function with Basic Auth

When protecting your public Functions, and any sensitive data that they can expose, from unwanted requests and bad actors, it is important to consider some form of authentication to validate that only intended users are making requests. In this example, we'll be covering one of the most common forms of authentication: Basic Authentication.

If you want to learn an alternative approach, you can also see this example of using JWT for authentication.

Let's create a Function that will only accept requests with valid Basic Authentication, and reject all other traffic.

Create and host a Function

In order to run any of the following examples, you will first need to create a Function into which you can paste the example code. You can create a Function using the Twilio Console or the Serverless Toolkit as explained below:

If you prefer a UI-driven approach, creating and deploying a Function can be done entirely using the Twilio Console and the following steps:

  1. Log in to the Twilio Console and navigate to the Functions tab. If you need an account, you can sign up for a free Twilio account here!
  2. Functions are contained within Services. Create a Service by clicking the Create Service button and providing a name such as test-function.
  3. Once you've been redirected to the new Service, click the Add + button and select Add Function from the dropdown.
  4. This will create a new Protected Function for you with the option to rename it. The name of the file will be path it is accessed from.
  5. Copy any one of the example code snippets from this page that you want to experiment with, and paste the code into your newly created Function. You can quickly switch examples by using the dropdown menu of the code rail.
  6. Click Save to save your Function's contents.
  7. Click Deploy All to build and deploy the Function. After a short delay, your Function will be accesible from:
    For example:

The Serverless Toolkit enables you with local development, project deployment, and other functionality via the Twilio CLI. To get up and running with these examples using Serverless Toolkit, follow this process:

  1. From the CLI, run twilio serverless:init <your-service-name> --empty to bootstrap your local environment.
  2. Navigate into your new project directory using cd <your-service-name>
  3. In the /functions directory, create a new JavaScript file that is named respective to the purpose of the Function. For example, sms-reply.protected.js for a Protected Function intended to handle incoming SMS.
  4. Populate the file using the code example of your choice and save.
    Note A Function can only export a single handler. You will want to create separate files if you want to run and/or deploy multiple examples at once.

Once your Function(s) code is written and saved, you can test it either by running it locally (and optionally tunneling requests to it via a tool like ngrok), or by deploying the Function and executing against the deployed url(s).

Run your Function in local development

Run twilio serverless:start from your CLI to start the project locally. The Function(s) in your project will be accesible from http://localhost:3000/sms-reply

  • If you want to test a Function as a Twilio webhook, run:
    twilio phone-numbers:update <your Twilio phone number> --sms-url "http://localhost:3000/sms-reply"​
    This will automatically generate an ngrok tunnel from Twilio to your locally running Function, so you can start sending texts to it. You can apply the same process but with the voice-url flag instead if you want to test with Twilio Voice.
  • If your code does not connect to Twilio Voice/Messages as a webhook, you can start your dev server and start an ngrok tunnel in the same command with the ngrok flag. For example: twilio serverless:start --ngrok=""

Deploy your Function

To deploy your Function and have access to live url(s), run twilio serverless:deploy from your CLI. This will deploy your Function(s) to Twilio under a development environment by default, where they can be accessed from:


For example:

Your Function is now ready to be invoked by HTTP requests, set as the webhook of a Twilio phone number, invoked by a Twilio Studio Run Function Widget, and more!


        Configure your Function to require Basic Authentication

        First, create a new auth Service and add a Public /basic Function using the directions above.

        Delete the default contents of the Function, and paste in the code snippet provided above.

        Save the Function once it contains the new code.

        Remember to change the visibility of your new Function to be Public. By default, the Console UI will create new Functions as Protected, which will prevent access to your Function except by Twilio requests.

        Next, deploy the Function by clicking on Deploy All in the Console UI.

        Verify that Basic Authentication is working

        We can check that authentication is working first by sending an unauthenticated request to our deployed Function. You can get the URL of your Function by clicking the Copy URL button next to the Function.

        Then, using your client of choice, make a GET or POST request to your Function. It should return a 401 Unauthorized since the request contains no valid Authorization header.

        curl -i -L -X POST ''


        $ curl -i -L -X POST ''
        HTTP/2 401
        date: Tue, 03 Aug 2021 21:55:02 GMT
        content-type: application/octet-stream
        content-length: 12
        www-authenticate: Basic realm="Authentication Required"
        x-shenanigans: none

        Great! Requests are successfully being blocked from non-authenticated requests.

        To make an authenticated request and get back a 200 OK, we'll need to generate and send a request with the example username and password encoded as the Authorization header credentials. Leverage one of the following methods to encode your Credentials:

        First, open your browser's developer tools. Navigate to the Console tab, where you'll be able to execute the following JavaScript in the browser to generate your encoded credentials:


        The btoa method is a built-in browser method for conveniently converting a string to base64 encoding.

        For example, with our example credentials, you would input the following into the browser console and get this result:

        > "dHdpbGlvOmFob3kh"

        First, open your terminal and enter the Node.js REPL by running node. You can then execute the following JavaScript in the REPL to generate your encoded credentials:


        For example, going with our example credentials from earlier, you would have the following output from the REPL:

        $ node
        Welcome to Node.js v15.10.0.
        Type ".help" for more information.
        > Buffer.from("twilio:ahoy!").toString('base64')

        Now that you have your encoded credentials, it's time to make an authenticated request to your Function by including them in the Authentication header.

        Using cURL with our example credentials would look like this:

        curl -i -L -X POST '' \
        -H 'Authorization: Basic dHdpbGlvOmFob3kh'

        and the response would be:

        $ curl -i -L -X POST '' \
        -H 'Authorization: Basic dHdpbGlvOmFob3kh'
        HTTP/2 200
        date: Tue, 03 Aug 2021 22:15:37 GMT
        content-type: text/plain; charset=utf8
        content-length: 2
        x-shenanigans: none
        x-content-type-options: nosniff
        x-xss-protection: 1; mode=block

        At this point, Basic Authentication is now working for your Function!

        To make this example your own, you could experiment with:

        • Instead of defining the username and password directly in your Function's code, define other secure values and store them securely as Environment Variables. You could then access them using context.USERNAME and context.PASSWORD respectively, for example.
        • Take things a bit further and establish a database of authenticated users with hashed passwords. Once you've retrieved the decoded username and password from the Authorization header, perform a lookup of the user by username and validate their password using a library such as bcrypt. Your hashing secret can be a secure Environment Variable.
        Rate this page:

        Need some help?

        We all do sometimes; code is hard. Get help now from our support team, or lean on the wisdom of the crowd by visiting Twilio's Community Forums or browsing the Twilio tag on Stack Overflow.


              Thank you for your feedback!

              We are always striving to improve our documentation quality, and your feedback is valuable to us. Please select the reason(s) for your feedback or provide additional information about how we can improve:

              Sending your feedback...
              🎉 Thank you for your feedback!
              Something went wrong. Please try again.

              Thanks for your feedback!

              Refer us and get $10 in 3 simple steps!

              Step 1

              Get link

              Get a free personal referral link here

              Step 2

              Give $10

              Your user signs up and upgrade using link

              Step 3

              Get $10

              1,250 free SMSes
              OR 1,000 free voice mins
              OR 12,000 chats
              OR more