A2P 10DLC Campaign Vetting Delays: We are experiencing delays while vetting 10DLC campaigns. Our third party is reviewing campaigns manually, and due to the high volume of requests, a queue has built up. Campaign reviews are expected to take longer. Twilio is working with the provider to help expedite this process. New details will be shared in our incident report as soon they become available.

Twilio Signature Validation Program Examples for JSON Content

Simple example programs for validating Twilio HTTP requests to your server when receiving JSON body content.

To validate the signature, your application will receive an HTTP POST request from a Twilio server that includes the headers:

  • Content-Type heading: "content-type":"application/json"
  • A signature heading, for example: "x-twilio-signature":"p9asdljeafoijawljfeiaelfjsa="
  • The URL request query that includes the parameter: bodySHA256.

Sample URL request query with the parameter, bodySHA256:


The bodySHA256 value, is a calculated, hexadecimal representation of the SHA-256 hash of the request body. The value confirms that the body of the message, the JSON data, remains unchanged.

Notice: For my test, I setup a Twilio Studio flow that would send my application, JSON data in the Request Body.


In the above Studio flow, update the Make HTTP Request widget parameters:

  • Request URL, update with your application URL.
  • Set Content Type to Application/JSON.
  • Enter valid JSON in the Request Body.

Here's a CURL sample to make an HTTP API request to execute the above flow.

curl -X POST https://studio.twilio.com/v2/Flows/FWXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX \
--data-urlencode "To=+16505552222" \
--data-urlencode "From=+16505551111" \

The above CURL command will make a POST request, with the required Studio flow parameters:

  • Line 1 update with your Studio flow id that starts with FN.
  • Line 2 and 3, update with your To and From parameters. I used dummy values in my tests.
  • Line 4 update with your Account SID and Auth Token.

Your Server Side Application

You will need a web server to receive the HTTP request, and a program that captures the Twilio HTTP request signature header ("x-twilio-signature") and the request query string parameter: bodySHA256.

Given the Twilio HTTP request signature header value and the bodySHA256 parameter value, you can use the following sample PHP program to validate the Twilio HTTP request signature header value:

Sample PHP program to validate the Twilio HTTP request signature header:

	echo "+++ Start.\xA";
	require __DIR__ . '/../twilio-php-main/src/Twilio/autoload.php';
	use Twilio\Security\RequestValidator;
	$validator = new RequestValidator(getenv('MASTER_AUTH_TOKEN'));
	$signature = 'p9asdljeafoijawljfeiaelfjsa=';
	$url = 'http://example.com/studiojson?bodySHA256=12345fd62d0edbf5034ee40ec14c210d230f87642535e25461e123465c545057';
	$postVars = array();

	if ($validator-&amp;amp;amp;gt;validate($signature, $url, $postVars)) {
		echo "Confirmed to have come from Twilio.\xA";
	else {
	     echo "NOT VALID.\xA";
	echo "+++ Exit.\xA";

Sample Ruby program to validate the Twilio HTTP request signature header:

puts "+++ Start."
require 'twilio-ruby'
auth_token = ENV["MASTER_AUTH_TOKEN"]
validator = Twilio::Security::RequestValidator.new(auth_token)
url = 'http://example.com/studiojson?bodySHA256=12345fd62d0edbf5034ee40ec14c210d230f87642535e25461e123465c545057'
params = {}
# The X-Twilio-Signature header attached to the request
twilio_signature = 'p9asdljeafoijawljfeiaelfjsa='
puts validator.validate(url, params, twilio_signature)
puts "+++ Exit."

Additional Resources

Have more questions? Submit a request
Powered by Zendesk