SUPPORT.TWILIO.COM END OF LIFE NOTICE: This site,, is scheduled to go End of Life on February 27, 2024. All Twilio Support content has been migrated to, where you can continue to find helpful Support articles, API docs, and Twilio blog content, and escalate your issues to our Support team. We encourage you to update your bookmarks and begin using the new site today for all your Twilio Support needs.

Protect Media Access with HTTP Basic Authentication for Programmable Messaging

Twilio stores all media sent and received with our Programmable Messaging services, such as an image that is attached with MediaUrl property, and is associated with a MMS, WhatsApp, Facebook, or Google Business message for example. Twilio will keep that media around until you delete it.

Protect Media Access By Enabling HTTP Basic Authentication

In order to protect media files associated with Programmable Messaging, you can enforce authentication to access them by enabling HTTP Basic Authentication in your Twilio Account on the Messaging Settings page in the Console. This setting requires your Twilio Account SID and Auth Token or API Key for all requests for media files.


Requiring HTTP authentication for stored media is now considered industry best practice.  Twilio highly recommends enabling HTTP Basic Authentication for your media, especially if it contains sensitive data.


In order enable HTTP Basic Authentication for your account, please follow the steps below:

  1. Access the General SMS Settings page in Console.
  2. Scroll to the "Enforce HTTP Auth on Media URLs" section, and then select Enable.
  3. Click Save.

Once HTTP Basic Authentication is enabled, the Twilio Account Sid and Auth Token or API Key will be required for accessing, fetching and downloading any new Programmable Messaging media files created going forward. Requests to fetch your media will redirect you to a secure URL that is only valid for 4 hours. When the url expires after 4 hours, you would need to fetch again the media and retrieve a new short-lived URL that will be available for another 4 hours.


Note: Existing Programmable Messaging media that was processed before HTTP Basic Authentication  was enabled, will continue to be accessible via the old public URL without authentication required. The domain of the unsecured media URL is and secured media URL is 

Have more questions? Submit a request
Powered by Zendesk