Understanding Visibility of Functions and Assets: Public, Protected and Private

A public Function or Asset is accessible to anyone at a specific URL once deployed. For example, if you create a Service with the path /send/sms and deploy it to the environment example-1234.twil.io, the Service is available at:

  https://example-1234.twil.io/send/sms

Similarly, a public Asset called ahoy.mp3 in the same Service would be accessible to anyone at:

  https://example-1234.twil.io/ahoy.mp3

A protected Function or Asset is served through a URL, but each request must include a valid Twilio X-Twilio-Signature header. This allows you to restrict access to your Services and Assets so that they are only accessible by Twilio webhooks, such as an incoming call or SMS message. Twilio Studio widgets, such as the Run Function Widget or the Say/Play Widget, can also access protected Assets. You can additionally allow access from your own Services.

This added security layer makes protected Assets useful for storing sensitive information. Your code or a Studio Flow can reference this information without exposing it to the public.

Private Functions and Assets are library files intended only for access through other Services. These files can't be accessed by URL or exposed to the web. Instead, they're packaged alongside your Service at build time.

For example, if your Service relies on a JSON file of data to read from, you can deploy that file as a private Asset and read it from the Service.

A private Asset can also be used to store a list of five-letter words so that you can build your own Wordle-like game.

Similarly, private Services allow you to reuse code or define private libraries that can be kept out of reach from the wider web.

Now that you understand the different Visibility options, you can apply this knowledge and start building by creating your first Service, or by exploring additional examples.