What is the Auth Token?
Twilio uses two credentials to determine which account an API request is coming from: the “Account SID”, which acts as a username, and the “Auth Token”, which acts as a password.
If someone else gets access to your Auth Token and knows your Account SID, they can use the Twilio API as if they were you. That means they can make calls or send messages coming from your phone numbers, download your account logs, and change the URL settings of your Twilio phone numbers. Keep your Auth Token private, and if you share your code publicly, make sure to remove your Auth Token first.
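One way to check code for leftover credentials before sharing it publicly, as an added example (not Twilio's code). It assumes an Account SID is "AC" followed by 32 hex characters and an Auth Token is 32 lowercase hex characters; the names scan_text, redact and scan_twilio.py are hypothetical, and the sample values are constructed.

```python
import re
import sys

# Assumed formats (not stated on this page): an Account SID is "AC" plus 32 hex
# characters and an Auth Token is 32 lowercase hex characters.
SID_RE = re.compile(r"(?<![0-9A-Za-z])AC[0-9a-fA-F]{32}(?![0-9A-Za-z])")
TOKEN_RE = re.compile(r"(?<![0-9A-Za-z])[0-9a-f]{32}(?![0-9A-Za-z])")
# A bare 32-hex string may just be an MD5 digest, so it is reported only when
# the same line also contains a credential-like word.
HINT_RE = re.compile(r"auth|token|secret|passw", re.IGNORECASE)

# Constructed sample input; the SID and token values are made up.
SAMPLE = '''\
import os
account_sid = "AC0123456789abcdef0123456789abcdef"
auth_token = "00112233445566778899aabbccddeeff"
checksum = "d41d8cd98f00b204e9800998ecf8427e"
safe_token = os.environ["TWILIO_AUTH_TOKEN"]
'''


def redact(value):
    """Keep four characters to locate the match; never print the full secret."""
    return value[:4] + "*" * (len(value) - 4)


def scan_text(text, name="<input>"):
    """Return (name, line_no, kind, redacted) for each suspected credential."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SID_RE.finditer(line):
            findings.append((name, line_no, "account_sid", redact(m.group())))
        if HINT_RE.search(line):
            for m in TOKEN_RE.finditer(line):
                findings.append((name, line_no, "auth_token", redact(m.group())))
    return findings


if __name__ == "__main__":
    # Usage: python scan_twilio.py FILE...  (with no files, scans SAMPLE)
    results = []
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            results.extend(scan_text(fh.read(), path))
    if not sys.argv[1:]:
        results = scan_text(SAMPLE, "SAMPLE")
    for name, line_no, kind, shown in results:
        print(f"{name}:{line_no}: possible {kind}: {shown}")
    sys.exit(1 if results else 0)
```

The script exits with status 1 when it finds anything, so it can block a commit or release step. A token that was ever committed should still be treated as compromised and changed.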
Where is my Auth Token?
You can find the Auth Token in the Console dashboard hidden behind a bunch of dots. Click on these dots to reveal your Auth Token. Click on the lock icon to hide it again.
If you think that your Auth Token may have been compromised, you should change your Auth Token. To do this without incurring downtime, you can generate a second token, update your apps to use the second token, and then retire (or delete) the other one. More detailed instructions are below:
1. Log in to your Twilio account and go to your account settings page.
2. In the API Credentials section, click the link for “Request a Secondary Token”.
3. A pop-up dialog will ask you to enter your password and hit the “Request Token” confirmation button.
4. You can toggle the lock icon to copy the new secondary token. Now you can update your apps to use this token instead of the old one. (If you decide you don’t need the second token and want to keep using the primary one, you can just delete the second one by clicking the “Delete this Token” link on the secondary token).
5. After you have verified everything is working on your end, click on the “Promote to Primary” link to make the secondary token the primary one, thereby deleting the old primary token. As before, a dialog will pop up asking you to acknowledge the consequences and to enter your password to confirm. After you complete the action, you will have only one token – the new primary token.
And, you’re done. Keep this token safe and secure.