SUPPORT.TWILIO.COM END OF LIFE NOTICE: This site,, is scheduled to go End of Life on February 27, 2024. All Twilio Support content has been migrated to, where you can continue to find helpful Support articles, API docs, and Twilio blog content, and escalate your issues to our Support team. We encourage you to update your bookmarks and begin using the new site today for all your Twilio Support needs.

Prevent unauthorized access to your Programmable Voice Media with HTTP Basic Auth

Twilio may store media associated with Programmable Voice services, such as call or conference recordings. Twilio will keep that media around until you delete the recordings.

Protect Media Access By Enabling HTTP Basic Authentication

In order to protect your recording media files, you can enforce authentication to access them by enabling HTTP basic authentication on your Twilio Account on the Voice Settings page in the Console. This setting requires your Twilio Account SID and Auth Token or API Key and secret for all requests for Recording media files.

Requiring HTTP authentication for stored media is now considered industry best practice, and Twilio highly recommends protecting your media from any public access, especially if it contains sensitive data (PII, PCI, PHI, etc).

In order to enable HTTP Basic Authentication for Programmable Voice:

  1. Access the General Voice Settings page in Console.
  2. Scroll to the "Enforce HTTP Auth on Media URLs" section, and then select Enable.
  3. Scroll to the bottom of the Settings page and click Save.

Once HTTP Basic authentication is enabled, the Twilio Account Sid and Auth Token, or API Key and secret are required for accessing, fetching and downloading call and conference recordings media files stored at Twilio regardless of when it was created.

Have more questions? Submit a request
Powered by Zendesk