
How do Twilio cookies work?

When Twilio makes a request to your SMS Webhook URL and your web application server returns a cookie (a "Set-Cookie" HTTP response header), Twilio stores this cookie and associates it with the "From" and "To" number pair of the incoming SMS message.

Twilio will include the cookie that you set (as a "Cookie" HTTP request header) for subsequent requests to your web server associated with the same "From" and "To" phone number pair.

Please note that this behaviour applies to SMS Webhooks for incoming messages and may not reflect the behaviour of Webhooks associated with other Twilio Products. 

There are some limitations to Twilio cookies:

  • If you do not set an expiration on the cookie, the cookie will expire after 4 hours. This means if an incoming SMS message arrives 4 hours after the cookie was set, the expired cookie will not be included with the request.
  • If you want a cookie to expire earlier than 4 hours, you can specify a different expiration with the "Expires" or "Max-Age" attribute on the cookie. Longer expirations may be capped to 4 hours.
  • Cookies cannot be set on outgoing API calls and SMS messages. Twilio only accepts cookies when the outgoing proxy server makes a request to your server. It cannot accept cookies when you make a request to api.twilio.com.
  • The cookie is keyed by "From" and "To" phone numbers. This information may not be sufficient to distinguish a conversation for your use case. A cookie you set in response to one From-To pair will not be returned in webhooks related to a different From-To pair.
  • Cookies are not included in the signature algorithm used to verify that requests originate from Twilio. In order to avoid the possibility of a replay attack, cookies may only be trusted when sent to HTTPS addresses.
  • There are rare circumstances where cookies may not be sent or may not contain the latest specified value due to system degradation or race conditions between setting cookies and additional webhooks being triggered. It is recommended that you only use cookies to enhance performance of your system and not to build a hard dependency on the existence or up-to-dateness of cookies.
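The last two limitations suggest a pattern: authenticate the cookie yourself and treat it as a cache, not as the record. The sketch below is an added example, not Twilio's code; `COOKIE_KEY`, `seal_state`, `open_state`, `resolve_state` and the `store` dictionary are hypothetical names, and the phone numbers are constructed.

```python
import hashlib
import hmac

# Assumption: an application-owned secret, separate from the Twilio auth token.
COOKIE_KEY = b"constructed-demo-key"
MAX_AGE = 4 * 3600  # matches the 4-hour lifetime described above


def _mac(state: str, issued: str, from_: str, to: str) -> str:
    # Binding From/To into the MAC stops a cookie being reused on another pair.
    msg = "|".join((from_, to, issued, state)).encode()
    return hmac.new(COOKIE_KEY, msg, hashlib.sha256).hexdigest()


def seal_state(state: str, from_: str, to: str, now: int) -> str:
    """Build the value to send back in Set-Cookie: state.issued_at.mac"""
    issued = str(now)
    return f"{state}.{issued}.{_mac(state, issued, from_, to)}"


def open_state(cookie, from_: str, to: str, now: int):
    """Return the state only if the cookie is authentic, for this pair, and fresh."""
    parts = (cookie or "").rsplit(".", 2)
    if len(parts) != 3:
        return None
    state, issued, mac = parts
    expected = _mac(state, issued, from_, to)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    if now - int(issued) > MAX_AGE:  # safe to parse: the MAC covered this field
        return None
    return state


def resolve_state(cookie, from_: str, to: str, now: int, store: dict):
    """Treat the cookie as a cache; fall back to the server-side record."""
    state = open_state(cookie, from_, to, now)
    if state is not None:
        return state, "cookie"
    return store.get((from_, to), "start"), "store"
```

A valid sealed cookie can still carry an older value than the one you last set, so anything that must be current should be read from the server-side record.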