Protect your Function with JSON Web Token

(warning)

Runtime handler version requirement

This example uses headers and cookies, which are only accessible when your Function is running @twilio/runtime-handler version 1.2.0 or later. Consult the Runtime Handler guide to learn more about the latest version and how to update.

When protecting your public Functions and any sensitive data that they can expose, from unwanted requests and bad actors, it is important to consider some form of authentication to validate that only intended users are making requests. In this example, we'll be covering one of the most common forms of authentication: Bearer Authentication using JSON Web Token (JWT).

If you want to learn an alternative approach, you can also see this example of using Basic Auth.

Let's create a Function that will only accept requests with valid JWTs, and reject all other traffic.

Create and host a Function

Before you run any of the examples on this page, create a Function and paste the example code into it. You can create a Function in the Twilio Console or by using the Serverless Toolkit.

ConsoleServerless Toolkit

If you prefer a UI-driven approach, complete these steps in the Twilio Console:

Log in to the Twilio Console and navigate to Develop > Functions & Assets. If you're using the legacy Console, open the Functions tab.
Functions are contained within Services. Click Create Service to create a new Service.
Click Add + and select Add Function from the dropdown.
The Console creates a new protected Function that you can rename. The filename becomes the URL path of the Function.
Copy one of the example code snippets from this page and paste the code into your newly created Function. You can switch examples by using the dropdown menu in the code rail.
Click Save.
Click Deploy All to build and deploy the Function. After deployment, you can access your Function at https://<service-name>-<random-characters>-<optional-domain-suffix>.twil.io/<function-path>
For example: test-function-3548.twil.io/hello-world.

You can now invoke your Function with HTTP requests, configure it as the webhook for a Twilio phone number, call it from a Twilio Studio Run Function Widget, and more.

Configure your Function to require Bearer Authentication

First, create a new auth Service and add two Public Functions using the directions above. These will be named:

/jwt
/bearer

Replace the default contents of each Function with the JWT generation code (Generate a JSON Web Token for Function Authentication) for /jwt, and the JWT validation snippet (Authenticate Function requests using Bearer Authorization and JWT) for /bearer respectively. Save both Functions once they contain the new code.

Generate a JSON Web Token for Function Authentication

1const jwt = require('jsonwebtoken');
2
3// Hardcoded credentials for this example
4const creds = {
5  username: 'twilio',
6  password: 'ahoy',
7};
8// Hardcoded secret for this example. In a real app, you would
9// generate this and store it securely as an environment variable
10// and access it via context.SECRET or similar
11const secret = 'secret_key';
12
13// Function to generate a JWT token
14exports.handler = (context, event, callback) => {
15  // Retrieve the username and password from the request
16  const { username, password } = event;
17  // Prepare a new Twilio response
18  const response = new Twilio.Response();
19
20  // If the provided credentials are invalid, return 401 Unauthorized.
21  // In a real app you would check the credentials against your database.
22  if (username !== creds.username || password !== creds.password) {
23    response
24      .setBody('Username or password is incorrect')
25      .setStatusCode(401);
26
27    return callback(null, response);
28  }
29
30  // Create a new signed JWT for the user that will expire in 1 day.
31  // To understand more about JWT and what sub, iss, and these
32  // other options are, see https://jwt.io/
33  const token = jwt.sign(
34    {
35      sub: username,
36      iss: 'twil.io',
37      org: 'twilio',
38      perms: ['read'],
39    },
40    secret,
41    { expiresIn: '1d' }
42  );
43
44  // Set the token as the access_token header and return the response
45  response.setBody('OK').appendHeader('access_token', token);
46
47  return callback(null, response);
48};

Authenticate Function requests using Bearer Authorization and JWT

1const jwt = require('jsonwebtoken');
2
3const employeeSalaries = [
4  {
5    username: 'jdoe',
6    salary: '$2000.00',
7  },
8  {
9    username: 'mturner',
10    salary: '$2500.00',
11  },
12];
13const secret = 'secret_key'; // keep this in env variables
14
15// Function that exposes sensitive information and requires
16// a valid JWT token to be present in the request header to access.
17exports.handler = (context, event, callback) => {
18  // Grab the auth token from the request header
19  const authHeader = event.request.headers.authorization;
20  // Prepare a new Twilio response
21  const response = new Twilio.Response();
22  // Reject requests that don't have an Authorization header
23  if (!authHeader) return callback(null, setUnauthorized(response));
24
25  // The auth type and token are separated by a space, split them
26  const [authType, authToken] = authHeader.split(' ');
27  // If the auth type is not Bearer, return a 401 Unauthorized response
28  if (authType.toLowerCase() !== 'bearer')
29    return callback(null, setUnauthorized(response));
30
31  try {
32    // Verify the token against the secret. If the token is invalid,
33    // jwt.verify will throw an error and we'll proceed to the catch block
34    jwt.verify(authToken, secret);
35    // At this point, the request has been validated and you could do
36    // whatever you want with the request.
37    // For this example, we'll just return the employee salaries
38    return callback(null, employeeSalaries);
39  } catch (e) {
40    // If an error was thrown, the token is invalid and we should
41    // return a 401 Unauthorized response
42    return callback(null, setUnauthorized(response));
43  }
44};
45
46// Helper method to format the response as a 401 Unauthorized response
47// with the appropriate headers and values
48const setUnauthorized = (response) => {
49  response
50    .setBody('Unauthorized')
51    .setStatusCode(401)
52    .appendHeader(
53      'WWW-Authenticate',
54      'Bearer realm="Access to read salaries"'
55    );
56
57  return response;
58};

(information)

Info

Remember to change the visibility of your new Function to be Public. By default, the Console UI will create new Functions as Protected, which will prevent access to your Function except by Twilio requests.

Next, notice that the code snippets require the jsonwebtoken dependency. Be sure to add this as a Dependency to your Service.

Once all Functions have been saved and your Dependencies have been set, deploy the Function by clicking on Deploy All in the Console UI.

Verify that Bearer Authentication is working

We can check that authentication is working first by sending an unauthenticated request to our deployed Function. You can get the URL of your Function by clicking the Copy URL button next to the Function.

Then, using your client of choice, make a GET or POST request to your Function. It should return a 401 Unauthorized since the request contains no valid Authorization header.

curl -i -L -X POST 'https://auth-4173-dev.twil.io/bearer'

Result:

1$ curl -i -L -X POST 'https://auth-4173-dev.twil.io/bearer' -i
2
3HTTP/2 401
4date: Tue, 03 Aug 2021 23:01:55 GMT
5content-type: application/octet-stream
6content-length: 12
7www-authenticate: Bearer realm="Access to read salaries"
8x-shenanigans: none
9
10Unauthorized

Great! Requests are successfully being blocked from non-authenticated requests.

To make an authenticated request and get back a 200 OK, we'll need to first generate a valid JWT by calling /jwt. We can then include that token in the Authorization header of our request to /bearer.

To get a valid JWT, we'll need to submit a valid username and password to the /jwt Function. Right now, these are hardcoded in the Function as twilio and ahoy respectively. The JWT generator Function is expecting the username and password to be passed in the body of the request, so you'll need to create a POST request with a JSON body composed of those values. Using cURL, that would look like this:

1curl -i -L -X POST 'https://auth-4173-dev.twil.io/jwt' \
2-H 'Content-Type: application/json' \
3--data-raw '{
4    "username": "twilio",
5    "password": "ahoy"
6}'

and the response would be:

1$ curl -i -L -X POST 'https://auth-4173-dev.twil.io/jwt' \
2-H 'Content-Type: application/json' \
3--data-raw '{
4    "username": "twilio",
5    "password": "ahoy"
6}'
7
8HTTP/2 200
9date: Tue, 03 Aug 2021 23:16:35 GMT
10content-type: application/octet-stream
11content-length: 2
12access_token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ0d2lsaW8iLCJpc3MiOiJ0d2lsLmlvIiwib3JnIjoidHdpbGlvIiwicGVybXMiOlsicmVhZCJdLCJpYXQiOjE2MjgwMzI1OTUsImV4cCI6MTYyODExODk5NX0.uZzHuN5PpK6qM5wCu01_S8lkFPDpIcxQJq6A7sDr6gc
13x-shenanigans: none
14x-content-type-options: nosniff
15x-xss-protection: 1; mode=block
16
17OK

The header access_token contains the valid JWT that was just generated for us. Go ahead and try your request to /bearer again, but this time including the Authorization header including this JWT:

1curl -i -L -X POST 'https://auth-4173-dev.twil.io/bearer' \
2-H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ0d2lsaW8iLCJpc3MiOiJ0d2lsLmlvIiwib3JnIjoidHdpbGlvIiwicGVybXMiOlsicmVhZCJdLCJpYXQiOjE2MjgwMzA3ODIsImV4cCI6MTYyODExNzE4Mn0.gBusSFmlRt_o3H3E2UB4GGxjbZJLOOS0bKFXTxAgnlw'

the response should be:

1$ curl -i -L -X POST 'https://auth-4173-dev.twil.io/bearer' \
2-H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ0d2lsaW8iLCJpc3MiOiJ0d2lsLmlvIiwib3JnIjoidHdpbGlvIiwicGVybXMiOlsicmVhZCJdLCJpYXQiOjE2MjgwMzA3ODIsImV4cCI6MTYyODExNzE4Mn0.gBusSFmlRt_o3H3E2UB4GGxjbZJLOOS0bKFXTxAgnlw'
3
4HTTP/2 200
5date: Tue, 03 Aug 2021 23:20:10 GMT
6content-type: application/json
7content-length: 84
8x-shenanigans: none
9x-content-type-options: nosniff
10x-xss-protection: 1; mode=block
11
12[{"username":"jdoe","salary":"$2000.00"},{"username":"mturner","salary":"$2500.00"}]

At this point, Bearer Authentication is working for your Function!

To make this example your own, you could experiment with the following:

Refactor the common 'secret_key' into an Environment Variable so that it is stored securely and only needs to be changed in one place.
Use Environment Variables to store the approved credentials, or even create a database of approved usernames and passwords to support multiple users.
Instead of using a hardcoded array of data, retrieve values from a database.