Twilio may store media associated with Programmable Voice services, such as call or conference recordings. Twilio will keep that media around until you delete the recordings.
Protect Media Access By Enabling HTTP Basic Authentication
In order to protect your recording media files, you can enforce authentication to access them by enabling HTTP basic authentication on your Twilio Account on the Voice Settings page in the Console. This setting requires your Twilio Account SID and Auth Token or API Key and secret for all requests for Recording media files.
Requiring HTTP authentication for stored media is now considered industry best practice, and Twilio highly recommends protecting your media from any public access, especially if it contains sensitive data (PII, PCI, PHI, etc).
In order to enable HTTP Basic Authentication for Programmable Voice:
- Access the General Voice Settings page in Console.
- Scroll to the "Enforce HTTP Auth on Media URLs" section, and then select Enable.
- Scroll to the bottom of the Settings page and click Save.
Once HTTP Basic authentication is enabled, the Twilio Account Sid and Auth Token, or API Key and secret are required for accessing, fetching and downloading call and conference recordings media files stored at Twilio regardless of when it was created.