Twilio stores all media sent and received with our Programmable Messaging services, such as an image that is attached with MediaUrl property, and is associated with a MMS, WhatsApp, Facebook, or Google Business message for example. Twilio will keep that media around until you delete it.
Protect Media Access By Enabling HTTP Basic Authentication
In order to protect media files associated with Programmable Messaging, you can enforce authentication to access them by enabling HTTP Basic Authentication in your Twilio Account on the Messaging Settings page in the Console. This setting requires your Twilio Account SID and Auth Token or API Key for all requests for media files.
Requiring HTTP authentication for stored media is now considered industry best practice. Twilio highly recommends enabling HTTP Basic Authentication for your media, especially if it contains sensitive data.
In order enable HTTP Basic Authentication for your account, please follow the steps below:
- Access the General SMS Settings page in Console.
- Scroll to the "Enforce HTTP Auth on Media URLs" section, and then select Enable.
- Click Save.
Once HTTP Basic Authentication is enabled, the Twilio Account Sid and Auth Token or API Key will be required for accessing, fetching and downloading any new Programmable Messaging media files created going forward. Requests to fetch your media will redirect you to a secure URL that is only valid for 4 hours. When the url expires after 4 hours, you would need to fetch again the media and retrieve a new short-lived URL that will be available for another 4 hours.
Note: Existing Programmable Messaging media that was processed before HTTP Basic Authentication was enabled, will continue to be accessible via the old public URL without authentication required. The domain of the unsecured media URL is
s3-external-1.amazonaws.com and secured media URL is