Skip to contentSkip to navigationSkip to topbar
Twilio SendGrid Docs
Page tools
On this page
Looking for more inspiration?Visit the

Secure your Twilio account

Secure your Twilio SendGrid account and establish best security practices. Unsecured accounts become likely victims of account takeovers (ATO). An ATO occurs when malicious actors utilize a vulnerability, such as an exposed API key, to gain unauthorized access to an account. With this access, the abuser can use your account to send phish, spoof, or spam to recipients and damage your reputation. While Twilio has systems in place to monitor for ATOs, senders should implement best practices to secure their account.

Store API keys in secure ways

store-api-keys-in-secure-ways page anchor

Once created, store your API keys securely.

  • Never upload keys to GitHub.
  • Store your keys in a secured vault, within .env files, or both.
  • Check applications for accidental exposure.
  • Never leave production applications in debug mode as this can expose keys and other secrets.
(warning)

Rotate out exposed keys

If you expose a key to the public regardless of duration, rotate in a different key and delete the compromised one from the account.

Rotate API keys

rotate-api-keys page anchor

API keys should be rotated on a regular cadence.

  • Rotate keys at least once a quarter.
  • Determine the best schedule for your operations and implement a regular rotation cadence.
  • Delete unused keys.

Set access controls

set-access-controls page anchor

IP access management

ip-access-management page anchor

IP Access Management (IPAM) improves account access management. IPAM allows you to control who can access your SendGrid account based on the originator's IP address. Twilio rejects login requests made from IP addresses not in IPAM.

To learn more, see IPAM Details

Turn on two-factor authentication

turn-on-two-factor-authentication page anchor

Two-factor authentication (2FA) improves security through requiring authentication beyond basic usernames and passwords. Use one-time passwords (OTP) to access the account.

To learn more, see 2FA Details

Implement single sign-on

implement-single-sign-on page anchor

To integrate Twilio user authentication with access management platforms such as Okta and Microsoft Active Directory, use Single Sign-On (SSO). If your organization supports SSO, turn it on your Twilio accounts.

To learn more, see SSO Details

Review Teammate access

review-teammate-access page anchor

Organizations can invite multiple users to an account.

  • These users, known as Teammates, can send on behalf of the account.
  • Review Teammate access regularly.
  • Limit give access to features needed for core job functions.

To learn more, see Teammate Details

Update open source software

update-open-source-software page anchor

To send email, many third party open source solutions integrate with Twilio. These include popular content management systems (CMS) such as WordPress, Joomla, and Drupal. If using one of these solutions, update your CMS installations and plugins regularly with the latest patches and updates. Failure to update these systems might introduce vulnerabilities where bad actors can then send unauthorized email from your account.