Prevent blocked numbers from calling your application

You may wish to block certain numbers from contacting or spamming your application's phone number. Creating a block list and using a Function that compares the incoming number to its contents will allow you to decide whether to Reject an incoming call, or Redirect it to your actual application.

The following examples will show a couple of approaches to this problem. To get started, use the following directions to create two new Functions that will form the base of this application: /filter-calls and /welcome.

Create and host a Function

In order to run any of the following examples, you will first need to create a Function into which you can paste the example code. You can create a Function using the Twilio Console or the Serverless Toolkit as explained below:

ConsoleServerless Toolkit

If you prefer a UI-driven approach, creating and deploying a Function can be done entirely using the Twilio Console and the following steps:

Log in to the Twilio Console and navigate to the Functions tab. If you need an account, you can sign up for a free Twilio account here!
Functions are contained within Services. Create a Service by clicking the Create Service button and providing a name such as test-function.
Once you've been redirected to the new Service, click the Add + button and select Add Function from the dropdown.
This will create a new Protected Function for you with the option to rename it. The name of the file will be path it is accessed from.
Copy any one of the example code snippets from this page that you want to experiment with, and paste the code into your newly created Function. You can quickly switch examples by using the dropdown menu of the code rail.
Click Save to save your Function's contents.
Click Deploy All to build and deploy the Function. After a short delay, your Function will be accessible from: https://<service-name>-<random-characters>-<optional-domain-suffix>.twil.io/<function-path>
For example: test-function-3548.twil.io/hello-world.

The Serverless Toolkit enables you with local development, project deployment, and other functionality via the Twilio CLI. To get up and running with these examples using Serverless Toolkit, follow this process:

From the CLI, run twilio serverless:init <your-service-name> --empty to bootstrap your local environment.
Navigate into your new project directory using cd <your-service-name>
In the /functions directory, create a new JavaScript file that is named respective to the purpose of the Function. For example, sms-reply.protected.js for a Protected Function intended to handle incoming SMS.
Populate the file using the code example of your choice and save. Note A Function can only export a single handler. You will want to create separate files if you want to run and/or deploy multiple examples at once.

Once your Function(s) code is written and saved, you can test it either by running it locally (and optionally tunneling requests to it via a tool like ngrok), or by deploying the Function and executing against the deployed url(s).

Run your Function in local development

Run twilio serverless:start from your CLI to start the project locally. The Function(s) in your project will be accessible from http://localhost:3000/sms-reply

If you want to test a Function as a Twilio webhook, run: twilio phone-numbers:update <your Twilio phone number> --sms-url "http://localhost:3000/sms-reply"
This will automatically generate an ngrok tunnel from Twilio to your locally running Function, so you can start sending texts to it. You can apply the same process but with the voice-url flag instead if you want to test with Twilio Voice.
If your code does not connect to Twilio Voice/Messages as a webhook, you can start your dev server and start an ngrok tunnel in the same command with the ngrok flag. For example: twilio serverless:start --ngrok=""

Deploy your Function

To deploy your Function and have access to live url(s), run twilio serverless:deploy from your CLI. This will deploy your Function(s) to Twilio under a development environment by default, where they can be accessed from:

https://<service-name>-<random-characters>-dev.twil.io/<function-path>

For example: https://incoming-sms-examples-3421-dev.twil.io/sms-reply

Your Function is now ready to be invoked by HTTP requests, set as the webhook of a Twilio phone number, invoked by a Twilio Studio Run Function Widget, and more!

Block calls using a hard-coded list

To introduce the logic and TwiML involved without extra complications, this example code for /filter-calls includes a sample block list hard-coded into its body.

The Function compares the incoming phone number, provided as From when this Function is connected to your Twilio phone number as a webhook, to the contents of the block list. The resulting Boolean is then used to determine whether the result should be a rejection, or a redirect to the /welcome Function.

The /welcome Function returns a welcome message to the user and primarily serves as an example of how you can still leverage Redirect verbs even within a Serverless project such as this. You're able to use the relative URL '/welcome' since the same Service contains both Functions.

To test this out, copy and paste both samples into their respective Functions, and add your personal phone number to the block list in E.164 format. Save and deploy your Service, and use the following directions to set /filter-calls as the A Call Comes In webhook handler for your Twilio phone number. The application will immediately reject your calls. If you remove your number from the block list and re-deploy, you will instead get the welcome message.

Call filter logic

Sample code for /filter-calls

1exports.handler = (context, event, callback) => {
2  // Prepare a new Voice TwiML object that will control Twilio's response
3  // to the incoming call
4  const twiml = new Twilio.twiml.VoiceResponse();
5  // The incoming phone number is provided by Twilio as the `From` property
6  const incomingNumber = event.From;
7
8  // This is an example of a blocklist hard-coded into the Function
9  const blockList = ['+14075550100', '+18025550100'];
10
11  const isBlocked = blockList.length > 0 && blockList.includes(incomingNumber);
12
13  if (isBlocked) {
14    twiml.reject();
15  } else {
16    // If the number is not blocked, redirect call to the webhook that
17    // handles allowed callers
18    twiml.redirect('/welcome');
19  }
20
21  return callback(null, twiml);
22};

Welcome message

Sample code for /welcome

1exports.handler = (context, event, callback) => {
2  const twiml = new Twilio.twiml.VoiceResponse();
3  twiml.say("Hello, congratulations! You aren't blocked!");
4  return callback(null, twiml);
5};

Set a Function as a webhook

In order for your Function to react to incoming SMS and/or voice calls, it must be set as a webhook for your Twilio number. There are a variety of methods to set a Function as a webhook, as detailed below:

Twilio ConsoleTwilio CLITwilio SDKs

You can use the Twilio Console UI as a straightforward way of connecting your Function as a webhook:

Log in to the Twilio Console's Phone Numbers page.
Click on the phone number you'd like to have connected to your Function.
If you want the Function to respond to incoming SMS, find the A Message Comes In option under Messaging. If you want the Function to respond to Voice, find the A Call Comes In option under Voice & Fax.
Select Function from the A Message Comes In or A Call Comes In dropdown.
Select the Service that you are using, then the Environment (this will default to ui unless you have created custom domains ), and finally Function Path of your Function from the respective dropdown menus.

Alternatively, you could select Webhook instead of Function, and directly paste in the full URL of the Function.

Click the Save button.

You can also use the Twilio CLI to assign the Function as the webhook of you phone number. You will need a few prerequisites:

Twilio CLI installed and executable from your terminal.
Either the E.164 formatted value of your Twilio phone number (+1234567890), or its SID (PNXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX).
The full URL of your Function (https://test-1337.twil.io/my-test-function)

Once you have the CLI installed and the necessary information, run the following to connect the Function to respond to incoming SMS:

1twilio phone-numbers:update +1234567890 \
2  --sms-url https://test-1337.twil.io/my-test-function

If you prefer to have the Function respond to incoming calls instead, run:

1twilio phone-numbers:update +1234567890 \
2  --voice-url https://test-1337.twil.io/my-test-function

You may also use the SID of your Twilio phone number instead of the E.164 formatted phone number:

1twilio phone-numbers:update PNXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX \
2  --sms-url https://test-1337.twil.io/my-test-function

You can also use any of the available Twilio SDKs to assign the Function as the webhook of you phone number. You will need a few prerequisites:

A local development environment for your language of choice and the associated Twilio SDK installed.
The SID (PNXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX) of your Twilio phone number.
The full URL of your Function (https://test-1337.twil.io/my-test-function).

In JavaScript for example, you could execute the following code to assign the SMS webhook of your Twilio phone number. The same logic would apply for assigning to a voice webhook, except that the modified property instead would be voiceUrl:

1// Download the helper library from https://www.twilio.com/docs/node/install
2// Find your Account SID and Auth Token at twilio.com/console
3// and set the environment variables. See http://twil.io/secure
4const accountSid = process.env.TWILIO_ACCOUNT_SID;
5const authToken = process.env.TWILIO_AUTH_TOKEN;
6const client = require('twilio')(accountSid, authToken);
7
8client
9  .incomingPhoneNumbers('PNXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX')
10  .update({ smsUrl: 'https://test-1337.twil.io/my-test-function' })
11  .then((phoneNumber) => console.log(phoneNumber.smsUrl));
12

Store the block list as a private Asset

To keep your block list separate from and independent of your Function's code, one recommendation is to store the list as JSON in a private Asset. Your Function will read and parse the contents of this file using methods provided by the Runtime Client, and achieve the same functionality with more separation of concerns.

First, create a new private Asset named blocklist.json, populate it with the sample contents (and your personal number like before, to verify the blocking works), and save the Asset. Ensure that this Asset is private in order to protect its contents and to enable helper methods such as Runtime.getAssets, which can only retrieve private Assets.

Next, update the existing /filter-calls Function with the highlighted changes. This new code replaces the hard-coded block list array with a synchronous read of blocklist.json, and a quick JSON.parse to convert the file contents to a usable array.

Save your changes to the Function, and deploy your updated Service. Subsequent calls to your Twilio phone number will behave exactly as before!

Block list private Asset

Save as blocklist.json

["+14075550100", "+18025550100"]

Block incoming calls using a private Asset

Updates to /filter-calls

1exports.handler = (context, event, callback) => {
2  // Prepare a new Voice TwiML object that will control Twilio's response
3  // to the incoming call
4  const twiml = new Twilio.twiml.VoiceResponse();
5  // The incoming phone number is provided by Twilio as the `From` property
6  const incomingNumber = event.From;
7
8  // Open the contents of the private Asset containing the blocklist
9  const blockListJson = Runtime.getAssets()['/blocklist.json'].open();
10  // Parse the string, such as "["+14075550100", "+18025550100"]", to an array
11  const blockList = JSON.parse(blockListJson);
12
13  const isBlocked = blockList.length > 0 && blockList.includes(incomingNumber);
14
15  if (isBlocked) {
16    twiml.reject();
17  } else {
18    // If the number is not blocked, redirect call to the webhook that
19    // handles allowed callers
20    twiml.redirect('/welcome');
21  }
22
23  return callback(null, twiml);
24};

(warning)

Warning

Ensure that you write the Asset name as '/blocklist.json' and not 'blocklist.json'; the leading slash is necessary, as described in the Runtime.getAssets documentation.