twilio-iam-auth-setup
$
npx mdskill add openai/plugins/twilio-iam-auth-setupSet up and manage Twilio authentication credentials for secure API access
- Simplify Twilio authentication setup for developers and production systems
- Uses Twilio Console and API to create Auth Tokens, API keys, and Access Tokens
- Recommends secure practices like credential rotation and restricted access
- Provides credentials and instructions for immediate API integration
SKILL.md
.github/skills/twilio-iam-auth-setupView on GitHub ↗
---
name: twilio-iam-auth-setup
description: >
Set up and manage Twilio authentication credentials: Auth Tokens, API keys
(Standard, Main, Restricted), Access Tokens for client-side SDKs, and
credential rotation. Use this skill as a prerequisite foundation before
making any Twilio API calls.
---
## Overview
Twilio supports multiple authentication methods. For most developers: use Auth Token for local prototyping, then move to API Keys in production.
| Method | Use for | Security |
|--------|---------|----------|
| Account SID + Auth Token | Local prototyping, initial testing | Full account access — avoid in production |
| Account SID + API Key (Standard) + Secret | All production code | Recommended — revocable, no access to /Accounts or /Keys |
| Account SID + API Key (Restricted) + Secret | Fine-grained production access | Best — limit to specific resources only |
| Account SID + API Key (Main) + Secret | Account management automation | Full access like Auth Token, but revocable |
**For beginners / vibe-coders:** Start with Auth Token to get your first API call working, then create a Standard API Key before deploying anything. The key difference: if an API Key leaks, you revoke just that key. If your Auth Token leaks, your entire account is exposed until you rotate it.
---
## Prerequisites
- Twilio account — see `twilio-account-setup` if you don't have one
- Access to the [Twilio Console](https://console.twilio.com)
---
## Quickstart
Find your Account SID and Auth Token in the Console dashboard.
**Python**
```python
import os
from twilio.rest import Client
client = Client(os.environ["TWILIO_ACCOUNT_SID"], os.environ["TWILIO_AUTH_TOKEN"])
```
**Node.js**
```node
const client = require("twilio")(
process.env.TWILIO_ACCOUNT_SID,
process.env.TWILIO_AUTH_TOKEN
);
```
**Never commit Auth Token to version control or use in production.**
---
## Key Patterns
### API Keys (production)
**Create:** Console > Account > API keys & tokens > Create API key
| Key type | Access | Use case |
|----------|--------|----------|
| **Standard** | All resources except /Accounts and /Keys endpoints | Default for production apps |
| **Restricted** | Only the specific resources you grant | Multi-tenant apps, microservices, least-privilege |
| **Main** | Full account access (like Auth Token) | Account management automation (Console-only creation) |
After creation, copy the **API Key SID** (`SK...`) and **Secret** — the secret is shown only once.
**Python**
```python
client = Client(
os.environ["TWILIO_API_KEY"], # SK...
os.environ["TWILIO_API_SECRET"],
os.environ["TWILIO_ACCOUNT_SID"] # required as third argument
)
```
**Node.js**
```node
const client = require("twilio")(
process.env.TWILIO_API_KEY,
process.env.TWILIO_API_SECRET,
{ accountSid: process.env.TWILIO_ACCOUNT_SID }
);
```
### Restricted API Keys
Restricted keys grant access only to specific Twilio API resources you define. Use them for least-privilege access in production.
**Create via the v1 IAM API** (not the v2010 /Keys.json endpoint — see CANNOT section):
**Python**
```python
key = client.iam.v1.api_key.create(
account_sid=os.environ["TWILIO_ACCOUNT_SID"],
friendly_name="messaging-only-key",
key_type="restricted",
policy={
"allow": [
"/2010-04-01/Accounts/{AccountSid}/Messages*"
]
}
)
# Store key.sid and key.secret securely — secret shown only once
```
**Example permission patterns:**
| Permission | Grants access to |
|-----------|-----------------|
| `/2010-04-01/Accounts/{AccountSid}/Messages*` | Send and read messages |
| `/2010-04-01/Accounts/{AccountSid}/Calls*` | Make and manage calls |
| `/v2/Services/*/Verifications*` | Verify API only |
**Docs:** [Restricted API keys](https://www.twilio.com/docs/iam/api-keys/restricted-api-keys)
### Test Credentials
Make API calls without charges or sending real messages. Find at Console > Account > API keys & tokens > Test credentials.
**Python**
```python
client = Client(
os.environ["TWILIO_TEST_ACCOUNT_SID"],
os.environ["TWILIO_TEST_AUTH_TOKEN"]
)
```
**Node.js**
```node
const client = require("twilio")(
process.env.TWILIO_TEST_ACCOUNT_SID,
process.env.TWILIO_TEST_AUTH_TOKEN
);
```
Magic test numbers:
- `+15005550006` — valid, can receive messages
- `+15005550001` — invalid number (triggers error 21211)
- `+15005550007` — number that cannot receive SMS (triggers error 21612)
### Auth Token Rotation
Rotate your Auth Token if it's been exposed or as periodic security hygiene. Twilio uses a **secondary token promotion** model:
1. Console > Account > API keys & tokens > Request a secondary Auth Token
2. Update your application to use the secondary token
3. Once confirmed working, promote the secondary to primary
4. The old primary token is immediately invalidated
**Python**
```python
# Promote secondary Auth Token to primary via API
from twilio.rest import Client
client = Client(os.environ["TWILIO_ACCOUNT_SID"], os.environ["TWILIO_AUTH_TOKEN"])
account = client.api.accounts(os.environ["TWILIO_ACCOUNT_SID"]).update(
auth_token_promotion="promote"
)
```
**Important:** Auth Token rotation invalidates all active sessions using that token. Plan the switchover to minimize downtime.
**API Keys cannot be rotated** — if an API Key is compromised, delete it and create a new one:
- Console > Account > API keys & tokens > select key > Delete
- Or via API: `client.keys(key_sid).delete()`
**Docs:** [Auth Token REST API](https://www.twilio.com/docs/iam/api/authtoken)
### Access Tokens (client-side SDKs)
Short-lived JWTs for authenticating browser/mobile clients (Voice JS SDK, Conversations SDK, Video SDK). Generate server-side and pass to the client.
**Python**
```python
from twilio.jwt.access_token import AccessToken
from twilio.jwt.access_token.grants import VoiceGrant
token = AccessToken(
os.environ["TWILIO_ACCOUNT_SID"],
os.environ["TWILIO_API_KEY"],
os.environ["TWILIO_API_SECRET"],
identity="user-123",
ttl=3600
)
token.add_grant(VoiceGrant(outgoing_application_sid="APxxxx"))
print(token.to_jwt())
```
**Node.js**
```node
const { AccessToken } = require("twilio").jwt;
const { VoiceGrant } = AccessToken;
const token = new AccessToken(
process.env.TWILIO_ACCOUNT_SID,
process.env.TWILIO_API_KEY,
process.env.TWILIO_API_SECRET,
{ identity: "user-123", ttl: 3600 }
);
token.addGrant(new VoiceGrant({ outgoingApplicationSid: "APxxxx" }));
console.log(token.toJwt());
```
Available grant types: `VoiceGrant`, `VideoGrant`, `ChatGrant` (Conversations), `SyncGrant`
### Environment Variable Reference
```bash
TWILIO_ACCOUNT_SID=ACxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# Option 1: Auth Token (testing only)
TWILIO_AUTH_TOKEN=your_auth_token
# Option 2: API Key (production)
TWILIO_API_KEY=SKxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
TWILIO_API_SECRET=your_api_secret
# Test credentials
TWILIO_TEST_ACCOUNT_SID=ACxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
TWILIO_TEST_AUTH_TOKEN=your_test_auth_token
```
---
## CANNOT
- **Standard keys cannot access /Accounts or /Keys endpoints** — Returns error 20003 (401). Must use Auth Token or Main API Key for account management.
- **No restricted key creation via v2010 API** — The v2010 `/Keys.json` endpoint silently ignores `KeyType=restricted` and `Policy` parameters, creating a standard key instead. Use the v1 IAM API.
- **Restricted keys cannot generate Access Tokens** — Only Standard and Main keys can create client SDK tokens.
- **No individual Access Token revocation** — Tokens are valid until expiration (max 24h). To revoke early, delete the API key that issued them.
- **Subaccount credentials cannot access parent or sibling resources** — Each subaccount has its own Auth Token and API Keys. Use the subaccount's own credentials to access its resources — never the parent account's credentials.
- **API Keys cannot be rotated** — No key rotation API exists. To replace a compromised key: create a new key, update your app, then delete the old key.
- **PKCV is an advanced feature for compliance-heavy industries** — Public Key Client Validation adds client-certificate-style auth. Incompatible with Flex, Studio, and TaskRouter. Once enforcement is enabled, Auth Token authentication is disabled (one-way door). See [PKCV docs](https://www.twilio.com/docs/iam/pkcv) — consider this only if your security team requires mutual TLS-equivalent authentication.
- **Test credentials work with only 4 endpoints** — Messages, Calls, IncomingPhoneNumbers, and Lookups. All other endpoints return 403.
- **API Key Secret shown only at creation** — Cannot be retrieved afterward. If lost, create a new key.
- **FriendlyName max 64 characters for keys** — 65+ characters returns error 70001.
- **Restricted keys limited to 100 permissions per key** — Exceeding this limit is rejected at creation.
- **Cannot create Main API Keys via REST API** — Console only
- **Cannot set Access Token TTL beyond 24 hours** — Maximum lifetime is 24h
- **Cannot use test credentials with real numbers** — Test credentials only work with test magic numbers
---
## Next Steps
- **Account setup and phone numbers:** `twilio-account-setup`
- **Security best practices (credential management, key rotation):** `twilio-security-hardening`
- **Restricted API keys (fine-grained permissions):** [Docs](https://www.twilio.com/docs/iam/api-keys/restricted-api-keys)
- **Auth Token rotation:** [REST API](https://www.twilio.com/docs/iam/api/authtoken)
More from openai/plugins
- accessibility-and-inclusive-visualizationMake data visualizations accessible and inclusive. Use when the user needs chart or diagram accessibility guidance, text alternatives for complex visuals, color and contrast review, keyboard support, reduced-motion behavior for animation or parallax, or an accessibility QA workflow for exported figures, UML-like diagrams, and dashboards.
- agent-browserBrowser automation CLI for AI agents. Use when the user needs to interact with websites, verify dev server output, test web apps, navigate pages, fill forms, click buttons, take screenshots, extract data, or automate any browser task. Also triggers when a dev server starts so you can verify it visually.
- agent-browser-verifyAutomated browser verification for dev servers. Triggers when a dev server starts to run a visual gut-check with agent-browser — verifies the page loads, checks for console errors, validates key UI elements, and reports pass/fail before continuing.
- agents-sdkBuild AI agents on Cloudflare Workers using the Agents SDK. Load when creating stateful agents, durable workflows, real-time WebSocket apps, scheduled tasks, MCP servers, or chat applications. Covers Agent class, state management, callable RPC, Workflows integration, and React hooks. Biases towards retrieval from Cloudflare docs over pre-trained knowledge.
- ai-elementsAI Elements component library guidance — pre-built React components for AI interfaces built on shadcn/ui. Use when building chat UIs, message displays, tool call rendering, streaming responses, reasoning panels, or any AI-native interface with the AI SDK.
- ai-gatewayVercel AI Gateway expert guidance. Use when configuring model routing, provider failover, cost tracking, or managing multiple AI providers through a unified API.
- ai-generation-persistenceAI generation persistence patterns — unique IDs, addressable URLs, database storage, and cost tracking for every LLM generation
- ai-sdkVercel AI SDK expert guidance. Use when building AI-powered features — chat interfaces, text generation, structured output, tool calling, agents, MCP integration, streaming, embeddings, reranking, image generation, or working with any LLM provider.
- aiq-deploy|
- aiq-research|