
Twilio Signature Validation Program Examples for JSON Content

Simple example programs for validating Twilio HTTP requests to your server when receiving JSON body content.

To validate the signature, your application first receives an HTTP POST request from a Twilio server. The request includes:

  • A Content-Type header: "content-type":"application/json"
  • A signature header, for example: "x-twilio-signature":"p9asdljeafoijawljfeiaelfjsa="
  • A URL query string that includes the parameter bodySHA256.

Sample URL request query with the bodySHA256 parameter:


/studiojson?bodySHA256=6fef97f58f52b65813274c14a53cdf1d77d45089e1e368d4b3c350f8d4e09a79

The bodySHA256 value is the hexadecimal representation of the SHA-256 hash of the request body. Comparing it with a hash computed over the body you received confirms that the body of the message, the JSON data, remains unchanged.

Note: For my test, I set up a Twilio Studio flow that sends JSON data to my application in the Request Body.


In the above Studio flow, update the Make HTTP Request widget parameters:

  • Request URL, update with your application URL.
  • Set Content Type to Application/JSON.
  • Enter valid JSON in the Request Body.

Here's a CURL sample to make an HTTP API request to execute the above flow.

curl -X POST https://studio.twilio.com/v2/Flows/FWXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/Executions \
--data-urlencode "To=+16505552222" \
--data-urlencode "From=+16505551111" \
-u 'ACXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:my-auth-token'

The above CURL command will make a POST request, with the required Studio flow parameters:

  • Line 1: update with your Studio flow ID, which starts with FW.
  • Lines 2 and 3: update with your To and From parameters. I used dummy values in my tests.
  • Line 4: update with your Account SID and Auth Token.

Your Server Side Application

You will need a web server to receive the HTTP request, and a program that captures the Twilio HTTP request signature header ("x-twilio-signature") and the request query string parameter: bodySHA256.

Given the Twilio HTTP request signature header value and the bodySHA256 parameter value, you can use the following sample PHP program to validate the Twilio HTTP request signature header value:

Sample PHP program to validate the Twilio HTTP request signature header:

<?php
	echo "+++ Start.\xA";
	require __DIR__ . '/../twilio-php-main/src/Twilio/autoload.php';
	use Twilio\Security\RequestValidator;

	// The Auth Token is the signing key; read it from the environment.
	$validator = new RequestValidator(getenv('MASTER_AUTH_TOKEN'));
	// The X-Twilio-Signature header attached to the request.
	$signature = 'p9asdljeafoijawljfeiaelfjsa=';
	// The full URL Twilio requested, including the bodySHA256 query parameter.
	$url = 'http://example.com/studiojson?bodySHA256=12345fd62d0edbf5034ee40ec14c210d230f87642535e25461e123465c545057';
	// A JSON request carries no form parameters.
	$postVars = array();

	if ($validator->validate($signature, $url, $postVars)) {
		echo "Confirmed to have come from Twilio.\xA";
	}
	else {
		echo "NOT VALID.\xA";
	}
	echo "+++ Exit.\xA";
?>

Sample Ruby program to validate the Twilio HTTP request signature header:

puts "+++ Start."
require 'twilio-ruby'
auth_token = ENV["MASTER_AUTH_TOKEN"]
validator = Twilio::Security::RequestValidator.new(auth_token)
url = 'http://example.com/studiojson?bodySHA256=12345fd62d0edbf5034ee40ec14c210d230f87642535e25461e123465c545057'
params = {}
# The X-Twilio-Signature header attached to the request
twilio_signature = 'p9asdljeafoijawljfeiaelfjsa='
puts validator.validate(url, params, twilio_signature)
puts "+++ Exit."
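
The samples above pass an empty parameter set, so the request body itself never enters the check. The following added example (not from the original article or from the Twilio helper libraries) performs both checks with the Ruby standard library: the HMAC-SHA1 signature over the full URL, and the SHA-256 of the raw body against bodySHA256. The function names, auth token, body and URL are constructed for illustration, and the URL is signed exactly as given.

```ruby
require 'openssl'
require 'digest'
require 'uri'

# Constant-time comparison, so timing does not reveal where two values differ.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# For a JSON request there are no form parameters to append, so the signed
# string is the full URL: Base64(HMAC-SHA1(auth_token, url)).
def expected_signature(auth_token, url)
  [OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha1'), auth_token, url)].pack('m0')
end

# Returns :ok, or a symbol naming the first check that failed.
# The URL must be exactly the one Twilio requested (scheme, host, query).
def validate_json_request(auth_token, url, raw_body, signature_header)
  claimed = URI.decode_www_form(URI(url).query.to_s).to_h['bodySHA256']
  return :missing_body_hash if claimed.nil?
  unless secure_equal?(expected_signature(auth_token, url), signature_header.to_s)
    return :bad_signature
  end
  # The signature covers only the URL; the body is bound to it through this hash.
  unless secure_equal?(Digest::SHA256.hexdigest(raw_body), claimed.downcase)
    return :body_modified
  end
  :ok
end

# Constructed sample data: not real credentials and not a captured request.
AUTH_TOKEN = 'constructed-auth-token'
BODY = '{"flow":"demo","digits":"1234"}'
SAMPLE_URL = "https://example.com/studiojson?bodySHA256=#{Digest::SHA256.hexdigest(BODY)}"
SIGNATURE = expected_signature(AUTH_TOKEN, SAMPLE_URL)

puts validate_json_request(AUTH_TOKEN, SAMPLE_URL, BODY, SIGNATURE)
puts validate_json_request(AUTH_TOKEN, SAMPLE_URL, BODY.sub('1234', '9999'), SIGNATURE)
```

Hash the raw request bytes as received, before any JSON parsing, because re-serialized JSON may not be byte-identical to what was sent.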
