Twilio Signature Validation Program Examples for JSON Content

Simple example programs for validating Twilio HTTP requests to your server when receiving JSON body content.

To validate the signature, your application will receive an HTTP POST request from a Twilio server that includes the headers:

  • Content-Type heading: "content-type":"application/json"
  • A signature heading, for example: "x-twilio-signature":"p9asdljeafoijawljfeiaelfjsa="
  • The URL request query that includes the parameter: bodySHA256.

Sample URL request query with the parameter, bodySHA256:


/studiojson?bodySHA256=6fef97f58f52b65813274c14a53cdf1d77d45089e1e368d4b3c350f8d4e09a79

The bodySHA256 value, is a calculated, hexadecimal representation of the SHA-256 hash of the request body. The value confirms that the body of the message, the JSON data, remains unchanged.

Notice: For my test, I setup a Twilio Studio flow that would send my application, JSON data in the Request Body.

mceclip0.png

In the above Studio flow, update the Make HTTP Request widget parameters:

  • Request URL, update with your application URL.
  • Set Content Type to Application/JSON.
  • Enter valid JSON in the Request Body.

Here's a CURL sample to make an HTTP API request to execute the above flow.

curl -X POST https://studio.twilio.com/v2/Flows/FWXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX \
--data-urlencode "To=+16505552222" \
--data-urlencode "From=+16505551111" \
-u 'ACXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:my-auth-token'

The above CURL command will make a POST request, with the required Studio flow parameters:

  • Line 1 update with your Studio flow id that starts with FN.
  • Line 2 and 3, update with your To and From parameters. I used dummy values in my tests.
  • Line 4 update with your Account SID and Auth Token.

Your Server Side Application

You will need a web server to receive the HTTP request, and a program that captures the Twilio HTTP request signature header ("x-twilio-signature") and the request query string parameter: bodySHA256.

Given the Twilio HTTP request signature header value and the bodySHA256 parameter value, you can use the following sample PHP program to validate the Twilio HTTP request signature header value:

Sample PHP program to validate the Twilio HTTP request signature header:

<?php
	echo "+++ Start.\xA";
	require __DIR__ . '/../twilio-php-main/src/Twilio/autoload.php';
	use Twilio\Security\RequestValidator;
	
	$validator = new RequestValidator(getenv('MASTER_AUTH_TOKEN'));
	$signature = 'p9asdljeafoijawljfeiaelfjsa=';
	$url = 'http://example.com/studiojson?bodySHA256=12345fd62d0edbf5034ee40ec14c210d230f87642535e25461e123465c545057';
	$postVars = array();

	if ($validator-&amp;amp;amp;gt;validate($signature, $url, $postVars)) {
		echo "Confirmed to have come from Twilio.\xA";
	} 
	else {
	     echo "NOT VALID.\xA";
	}
	echo "+++ Exit.\xA";
?>

Sample Ruby program to validate the Twilio HTTP request signature header:

puts "+++ Start."
require 'twilio-ruby'
auth_token = ENV["MASTER_AUTH_TOKEN"]
validator = Twilio::Security::RequestValidator.new(auth_token)
url = 'http://example.com/studiojson?bodySHA256=12345fd62d0edbf5034ee40ec14c210d230f87642535e25461e123465c545057'
params = {}
# The X-Twilio-Signature header attached to the request
twilio_signature = 'p9asdljeafoijawljfeiaelfjsa='
puts validator.validate(url, params, twilio_signature)
puts "+++ Exit."

Additional Resources

Have more questions? Submit a request
Powered by Zendesk