Prevent blocked numbers from calling your application

You may wish to block certain numbers from contacting or spamming your application's phone number. Creating a block list and using a Function that compares the incoming number to its contents will allow you to decide whether to Reject an incoming call, or Redirect it to your actual application.

The following examples will show a couple of approaches to this problem. To get started, use the following directions to create two new Functions that will form the base of this application: /filter-calls and /welcome.

Create and host a Function

Before you run any of the examples on this page, create a Function and paste the example code into it. You can create a Function in the Twilio Console or by using the Serverless Toolkit.

ConsoleServerless Toolkit

If you prefer a UI-driven approach, complete these steps in the Twilio Console:

Log in to the Twilio Console and navigate to Develop > Functions & Assets. If you're using the legacy Console, open the Functions tab.
Functions are contained within Services. Click Create Service to create a new Service.
Click Add + and select Add Function from the dropdown.
The Console creates a new protected Function that you can rename. The filename becomes the URL path of the Function.
Copy one of the example code snippets from this page and paste the code into your newly created Function. You can switch examples by using the dropdown menu in the code rail.
Click Save.
Click Deploy All to build and deploy the Function. After deployment, you can access your Function at https://<service-name>-<random-characters>-<optional-domain-suffix>.twil.io/<function-path>
For example: test-function-3548.twil.io/hello-world.

You can now invoke your Function with HTTP requests, configure it as the webhook for a Twilio phone number, call it from a Twilio Studio Run Function Widget, and more.

Block calls using a hard-coded list

To introduce the logic and TwiML involved without extra complications, this example code for /filter-calls includes a sample block list hard-coded into its body.

The Function compares the incoming phone number, provided as From when this Function is connected to your Twilio phone number as a webhook, to the contents of the block list. The resulting Boolean is then used to determine whether the result should be a rejection, or a redirect to the /welcome Function.

The /welcome Function returns a welcome message to the user and primarily serves as an example of how you can still leverage Redirect verbs even within a Serverless project such as this. You're able to use the relative URL '/welcome' since the same Service contains both Functions.

To test this out, copy and paste both samples into their respective Functions, and add your personal phone number to the block list in E.164 format. Save and deploy your Service, and use the following directions to set /filter-calls as the A Call Comes In webhook handler for your Twilio phone number. The application will immediately reject your calls. If you remove your number from the block list and re-deploy, you will instead get the welcome message.

Call filter logic

Sample code for /filter-calls

1exports.handler = (context, event, callback) => {
2  // Prepare a new Voice TwiML object that will control Twilio's response
3  // to the incoming call
4  const twiml = new Twilio.twiml.VoiceResponse();
5  // The incoming phone number is provided by Twilio as the `From` property
6  const incomingNumber = event.From;
7
8  // This is an example of a blocklist hard-coded into the Function
9  const blockList = ['+14075550100', '+18025550100'];
10
11  const isBlocked = blockList.length > 0 && blockList.includes(incomingNumber);
12
13  if (isBlocked) {
14    twiml.reject();
15  } else {
16    // If the number is not blocked, redirect call to the webhook that
17    // handles allowed callers
18    twiml.redirect('/welcome');
19  }
20
21  return callback(null, twiml);
22};

Welcome message

Sample code for /welcome

1exports.handler = (context, event, callback) => {
2  const twiml = new Twilio.twiml.VoiceResponse();
3  twiml.say("Hello, congratulations! You aren't blocked!");
4  return callback(null, twiml);
5};

Set a Function as a webhook

For your Function to react to incoming SMS or voice calls, it must be set as a webhook for your Twilio number. There are a variety of methods to set a Function as a webhook:

Twilio ConsoleLegacy Twilio ConsoleTwilio CLITwilio server-side SDKs

Use the Twilio Console UI to connect your Function as a webhook:

Go to Products & Services > Numbers & Senders > Phone Numbers.
Select the phone number you'd like to connect to your Function.
Go to the Configuration Details tab.

To configure Messaging, choose Edit details in the Messaging section.
To configure Voice calls, choose Edit details in the Voice and emergency calling section.

Select the webhook method and provide your webhook URL. Select an HTTP method to handle responses.
Optional: Configure a secondary webhook in case the primary webhook fails.
Click the Save button.

In the legacy Twilio Console, connect your Function as a webhook:

Log in to the Twilio Console's Phone Numbers page.
Click on the phone number you'd like to have connected to your Function.
If you want the Function to respond to incoming SMS, find the A Message Comes In option under Messaging. If you want the Function to respond to Voice, find the A Call Comes In option under Voice & Fax.
Select Function from the A Message Comes In or A Call Comes In dropdown.
Select the Service that you are using, then the Environment (this will default to ui unless you have created custom domains ), and finally Function Path of your Function from the respective dropdown menus.

Alternatively, you could select Webhook instead of Function, and directly paste in the full URL of the Function.

Click the Save button.

You can also use the Twilio CLI to assign the Function as the webhook of your phone number.

Prerequisites

Twilio CLI installed and executable from your terminal.
Either the E.164 formatted value of your Twilio phone number (+1234567890), or its SID (PNXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX).
The full URL of your Function (https://test-1337.twil.io/my-test-function)

Once you have the CLI installed and the necessary information, run the following to connect the Function to respond to incoming SMS:

1twilio phone-numbers:update +1234567890 \
2  --sms-url https://test-1337.twil.io/my-test-function

If you prefer to have the Function respond to incoming calls instead, run:

1twilio phone-numbers:update +1234567890 \
2  --voice-url https://test-1337.twil.io/my-test-function

You may also use the SID of your Twilio phone number instead of the E.164 formatted phone number:

1twilio phone-numbers:update PNXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX \
2  --sms-url https://test-1337.twil.io/my-test-function

You can also use any of the available Twilio SDKs to assign the Function as the webhook of your phone number.

Prerequisites

A local development environment for your language of choice and the associated Twilio SDK installed.
The SID (PNXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX) of your Twilio phone number.
The full URL of your Function (https://test-1337.twil.io/my-test-function).

In JavaScript for example, you could execute the following code to assign the SMS webhook of your Twilio phone number. The same logic would apply for assigning to a voice webhook, except that the modified property instead would be voiceUrl:

1// Download the SDK from https://www.twilio.com/docs/node/install
2// Find your Account SID and Auth Token at twilio.com/console
3// and set the environment variables. See https://twil.io/secure
4const accountSid = process.env.TWILIO_ACCOUNT_SID;
5const authToken = process.env.TWILIO_AUTH_TOKEN;
6const client = require('twilio')(accountSid, authToken);
7
8client
9  .incomingPhoneNumbers('PNXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX')
10  .update({ smsUrl: 'https://test-1337.twil.io/my-test-function' })
11  .then((phoneNumber) => console.log(phoneNumber.smsUrl));
12

Store the block list as a private Asset

To keep your block list separate from and independent of your Function's code, one recommendation is to store the list as JSON in a private Asset. Your Function will read and parse the contents of this file using methods provided by the Runtime Client, and achieve the same functionality with more separation of concerns.

First, create a new private Asset named blocklist.json, populate it with the sample contents (and your personal number like before, to verify the blocking works), and save the Asset. Ensure that this Asset is private in order to protect its contents and to enable helper methods such as Runtime.getAssets, which can only retrieve private Assets.

Next, update the existing /filter-calls Function with the highlighted changes. This new code replaces the hard-coded block list array with a synchronous read of blocklist.json, and a quick JSON.parse to convert the file contents to a usable array.

Save your changes to the Function, and deploy your updated Service. Subsequent calls to your Twilio phone number will behave exactly as before!

Block list private Asset

Save as blocklist.json

["+14075550100", "+18025550100"]

Block incoming calls using a private Asset

Updates to /filter-calls

1exports.handler = (context, event, callback) => {
2  // Prepare a new Voice TwiML object that will control Twilio's response
3  // to the incoming call
4  const twiml = new Twilio.twiml.VoiceResponse();
5  // The incoming phone number is provided by Twilio as the `From` property
6  const incomingNumber = event.From;
7
8  // Open the contents of the private Asset containing the blocklist
9  const blockListJson = Runtime.getAssets()['/blocklist.json'].open();
10  // Parse the string, such as "["+14075550100", "+18025550100"]", to an array
11  const blockList = JSON.parse(blockListJson);
12
13  const isBlocked = blockList.length > 0 && blockList.includes(incomingNumber);
14
15  if (isBlocked) {
16    twiml.reject();
17  } else {
18    // If the number is not blocked, redirect call to the webhook that
19    // handles allowed callers
20    twiml.redirect('/welcome');
21  }
22
23  return callback(null, twiml);
24};

(warning)

Warning

Ensure that you write the Asset name as '/blocklist.json' and not 'blocklist.json'; the leading slash is necessary, as described in the Runtime.getAssets documentation.