Twilio uses two credentials to determine which project an API request is coming from: The Account SID, which acts as a username, and the Auth Token which acts as a password.
If another user gets access to your Auth Token, and he or she knows your Account SID, they will have the ability to use the Twilio API as if they were you. That means they can make calls or send messages coming from your phone numbers, download your logs, and change the URL settings of your Twilio phone numbers. Keep your Auth Token private, and if you share your code publicly make sure to remove your Auth Token.
Where is my Auth Token?
You can find the Auth Token in the Console dashboard hidden behind a bunch of dots. Click on these dots to reveal your AuthToken. Click on the eye icon to hide it again.
If you think that your Auth Token may have been compromised, you should change your auth token. To do this without incurring downtime, you can generate a second token, update your apps to use the second token, and then retire (or delete) the other one. More detailed instructions are below:
- Login to your Twilio project at www.twilio.com/console.
- Click Settings.
- Scroll down to the "API Credentials" section, and then click the link for Request a Secondary Token.
- In the pop-up dialog, click Request Token.
- You can toggle the eye icon to copy the new secondary token. Now you can update your apps to use this token instead of the old one. (If you decide you don’t need the second token and want to keep using the primary one, you can just delete the second one by clicking Delete this Token next to the secondary token).
- After you have verified everything is working on your end, click Promote to Primary to make the secondary token the primary one, thereby deleting the old primary token. As before, a dialog will pop-up asking you to acknowledge the consequences and confirm. After you complete the action, you will now only have one token – the new primary token. Your previous token will be removed from your project, and will no longer work. Keep your new token safe and secure!