Upcoming security changes: Enforcing HTTP Basic Authentication for Voice and Messaging Media

Effective July 31, 2023, Twilio will enforce HTTP Basic Authentication for Programmable Voice and Programmable Messaging Media. With this change:

• Existing accounts that currently have HTTP Basic Authentication enabled will no longer have the option to disable it.
• Existing accounts that currently have HTTP Basic Authentication disabled will maintain this setting (authentication disabled).
• Newly-created main accounts will have HTTP Basic Authentication enabled without the option to disable it.
• Newly-created subaccounts of existing accounts will inherit this setting from the main account, and HTTP Basic Authentication will be disabled or enabled (without the option to disable it) accordingly.

Later this year, we plan to roll out more security measures, including enforcing HTTP Basic Authentication on existing accounts. In the meantime, Twilio highly recommends updating your application in advance for retrieving Programmable Voice and Programmable Messaging media in an authenticated manner to avoid service disruption in the future. We will provide further updates with effective dates and actions you should take concerning media access.

For more information, see Protect Media Access with HTTP Basic Authentication for Programmable Messaging and Protect Media Access with HTTP Basic Authentication for Programmable Voice. You can also read more about Security for general use of Twilio services.