Access Tokens are short-lived, JWT-formatted tokens used to authenticate Twilio client-side SDKs, including:
Note: Access Tokens are not the same as Capability Tokens (Twilio Client 1.x, TaskRouter), NTS Tokens (STUN/TURN), or the Auth Token (REST API).
Addressing the Most Common Error Codes
The most common error codes for Access Tokens are due to incorrect account data or timestamp issues:
- Error 20103 Invalid Access Token issuer/subject
- Error 20107 Invalid Access Token signature
- Error 20151 Authentication Failed
- Error 20105 Access Token not yet valid
- Error 20157 Expiration Time Exceeds Maximum Time Allowed
Authentication Failures and Invalid Tokens
Authentication failures and invalid token errors are usually due to one or more of these components being incorrect or used in the wrong combination:
- Account SID
- API Key
- API Secret
Common Mistakes
- The Account SID must be from your Live Credentials. Test Credentials are not supported in Access Tokens.
- Access Tokens are bound to the Account SID specified and cannot be shared across accounts or subaccounts.
- The Access Token must be passed as a simple string, not a JSON object.
Tip: Be sure to use a Twilio Helper Library to generate your tokens and verify you're passing the correct values in the right order for the method signature.
Expired Tokens
Timestamp and expiration issues are usually due to one of the following:
- TTL is greater than 24 hours
- Server system clock is skewed
- Token is not yet valid or already expired
Ensure your server clock hasn't drifted and verify the validity period of the token.
For more insight, inspect your decoded token payload and compare with the details below.
Verify the Access Token Structure
You can decode a token at http://jwt.io/ and verify its structure. The payload
section describes the authorization granted. Timestamps are in Unix epoch format.
Example Payload:
{
  "jti": "SKxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-1450471147",
  "iss": "SKxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "sub": "ACxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "nbf": 1450471147,
  "exp": 1450474747,
  "grants": {
    "identity": "user@example.com",
    "chat": {
      "service_sid": "ISxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    }
  }
}
Token Property | Twilio Implementation | Notes |
---|---|---|
sub | Account SID of the account or subaccount to authenticate | |
iss | API Key whose Secret signs the token | |
jti | API Key concatenated with a random string | |
iat | Timestamp on which the token was issued | |
nbf | Timestamp when token becomes valid for use | |
exp | Timestamp on which the token will expire | |
grants | List of permissions granted to the token (varies by product) | |
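The same inspection can be done locally. The following is an added example, not Twilio's own code: it decodes the payload without checking the signature and tests the claims against the rules on this page. The function names, the `skew` parameter, the mapping of each check to an error code (inferred from the error names) and measuring the lifetime from `iat` or `nbf` are assumptions.

```python
import base64
import json
import time

MAX_TTL = 24 * 60 * 60  # the page's 24-hour TTL limit, in seconds


def decode_payload(token):
    """Return the claims of a JWT-formatted token without verifying its signature."""
    if not isinstance(token, str) or token.count(".") != 2:
        raise ValueError("token must be one header.payload.signature string")
    body = token.split(".")[1]
    body += "=" * (-len(body) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(body))


def check_claims(claims, now=None, skew=0):
    """Return (error code, reason) pairs; the code mapping is this example's assumption."""
    now = int(time.time()) if now is None else now
    found = []
    iss, sub = str(claims.get("iss", "")), str(claims.get("sub", ""))
    if not iss.startswith("SK") or not sub.startswith("AC"):
        found.append((20103, "iss should be an API Key (SK...), sub an Account SID (AC...)"))
    exp, nbf = claims.get("exp"), claims.get("nbf")
    if not isinstance(exp, int) or exp <= now - skew:
        found.append((20104, "exp is missing or already in the past"))
    if isinstance(nbf, int) and nbf > now + skew:
        found.append((20105, "nbf is in the future; check the server clock"))
    start = claims.get("iat", nbf)  # assumption: lifetime counted from iat, else nbf
    if isinstance(exp, int) and isinstance(start, int) and exp - start > MAX_TTL:
        found.append((20157, "lifetime is longer than 24 hours"))
    if not isinstance(claims.get("grants"), dict) or not claims["grants"]:
        found.append((20106, "grants is missing or empty"))
    return found


def make_unsigned_token(claims):
    """Build a constructed sample token; the signature part is a placeholder."""
    parts = [{"typ": "JWT", "alg": "HS256"}, claims]
    enc = [base64.urlsafe_b64encode(json.dumps(p).encode()).rstrip(b"=").decode() for p in parts]
    return ".".join(enc + ["placeholder-signature"])


# Constructed sample: the page's example payload, but with a 25-hour lifetime.
SAMPLE = {"jti": "SK" + "x" * 32 + "-1450471147", "iss": "SK" + "x" * 32,
          "sub": "AC" + "x" * 32, "nbf": 1450471147, "exp": 1450471147 + 25 * 3600,
          "grants": {"identity": "user@example.com", "chat": {"service_sid": "IS" + "x" * 32}}}

if __name__ == "__main__":
    print(check_claims(decode_payload(make_unsigned_token(SAMPLE)), now=1450471200))
```

Signature problems (Error 20107) cannot be diagnosed this way, because the check needs the API Secret; an empty result only means the claims are well formed.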
All Potential Error Codes
- Error 20101 Invalid Access Token
- Error 20102 Invalid Access Token header
- Error 20103 Invalid Access Token issuer/subject
- Warning 20104 Access Token expired or expiration date invalid
- Error 20105 Access Token not yet valid
- Error 20106 Invalid Access Token grants
- Error 20107 Invalid Access Token signature
- Error 20151 Authentication Failed
- Error 20152 Invalid Header
- Error 20153 Invalid Issuer Or Subject
- Error 20154 Invalid Claim Set
- Error 20155 Expiration Time In The Future
- Error 20156 Expired or Invalid Expiration in Token
- Error 20157 Expiration Time Exceeds Maximum Time Allowed
- Error 20159 Invalid Signature
- Error 20160 Invalid Token