Overview
Securing your Twilio account and API credentials is essential to protect your communications and prevent unauthorized access. A common question from developers and administrators is whether Twilio API Keys can be restricted to specific HTTP referrers or domains, similar to how some web APIs allow domain-based access controls.
Twilio does not currently support restricting API Keys by HTTP Referrer or specific domain (URL). This means you cannot configure an API Key to only accept requests originating from a particular website or domain.
Environment
legacy Twilio Console
What You Need To Know
- Twilio does not support domain-based (HTTP Referrer) restrictions for API Keys.
- Use Restricted API Keys to limit access to only the necessary Twilio resources.
- Always follow security best practices to protect your Twilio account.
- Refer to the Twilio Editions comparison for the Public Key Client Validation offering, which varies by edition.
For more information, visit the Twilio Security Documentation or reach out to Twilio Support for further assistance.
Frequently Asked Questions
What Security Options Are Available for Twilio API Keys?
While domain-based restrictions are not available, Twilio offers several robust security features to help you protect your account:
1. Restricted API Keys
Twilio provides Restricted API Keys, which allow you to limit each key’s access to specific Twilio API resources and actions. This is the most granular way to control what an API Key can do within your account.
- Principle of Least Privilege: Assign only the permissions necessary for each key.
- Resource and Action Scoping: Specify which Twilio products and endpoints a key can access (e.g., only Messaging, only Voice, etc.).
- Automatic Denial: Any API call made with a Restricted API Key outside of its allowed permissions will be denied.
Learn more: Twilio Restricted API Keys Documentation.
2. Best Practices for API Key Security
- Rotate Credentials Regularly: Periodically regenerate API Keys and Auth Tokens.
- Store Credentials Securely: Never expose API credentials in client-side code or public repositories.
- Move API Calls Server-Side: Always make API requests from your backend, not from browsers or client apps, to prevent credential exposure.
- Use Geo-Permissions: Restrict your account’s geographic permissions to only the countries you need.
Example: Securing Your Twilio Integration
Follow the steps below to improve your Twilio account security:
- Rotate all API credentials
- Move API calls to the server side
- Enable geo-blocking so that only the countries you need are allowed
- Use Restricted API Keys for granular access control
These steps are recommended for all Twilio users to minimize risk and protect sensitive operations.
Can I use environment variables to store my API Keys?
Yes, storing credentials in environment variables is a best practice for keeping them out of your codebase.
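The following added example (not code from this article or from Twilio's helper libraries) shows the server-side pattern the steps above and this answer describe: credentials are read from environment variables rather than source code, validated before use, and sent as HTTP Basic auth with the API Key SID as the username and the secret as the password, which is how Twilio's REST API authenticates API Key requests. It also includes a small scanner you can run over client-side bundles or repositories to catch a hard-coded Account or API Key SID before it ships. The environment variable names, the sample SIDs and the sample JavaScript snippet are constructed for this example; Twilio Account SIDs beginning with "AC" and API Key SIDs beginning with "SK" are Twilio's documented formats.

```python
import base64
import os
import re
import urllib.parse
import urllib.request
from typing import Mapping

# Environment variable names are an assumption of this example (a common
# server-side convention); Twilio does not mandate them.
ENV_ACCOUNT_SID = "TWILIO_ACCOUNT_SID"
ENV_API_KEY_SID = "TWILIO_API_KEY_SID"
ENV_API_KEY_SECRET = "TWILIO_API_KEY_SECRET"

# Account SIDs are "AC" + 32 hex chars, API Key SIDs are "SK" + 32 hex chars.
# Checking the shape up front makes a misconfigured deployment fail fast
# instead of sending malformed credentials to the API.
ACCOUNT_SID_RE = re.compile(r"^AC[0-9a-fA-F]{32}$")
API_KEY_SID_RE = re.compile(r"^SK[0-9a-fA-F]{32}$")

# Catches any Account or API Key SID committed literally to source text.
LEAK_RE = re.compile(r"\b(?:AC|SK)[0-9a-fA-F]{32}\b")

TWILIO_API_BASE = "https://api.twilio.com/2010-04-01"


class CredentialError(ValueError):
    """Raised when Twilio credentials are missing or malformed."""


def load_twilio_credentials(env: Mapping[str, str] = os.environ) -> dict:
    """Read API Key credentials from the environment, never from source code."""
    names = (ENV_ACCOUNT_SID, ENV_API_KEY_SID, ENV_API_KEY_SECRET)
    missing = [n for n in names if not env.get(n)]
    if missing:
        raise CredentialError("missing environment variables: " + ", ".join(missing))
    account_sid = env[ENV_ACCOUNT_SID]
    api_key_sid = env[ENV_API_KEY_SID]
    if not ACCOUNT_SID_RE.match(account_sid):
        raise CredentialError(f"{ENV_ACCOUNT_SID} does not look like an Account SID (AC...)")
    if not API_KEY_SID_RE.match(api_key_sid):
        # Refusing non-SK values also blocks accidental use of the Auth Token here.
        raise CredentialError(f"{ENV_API_KEY_SID} does not look like an API Key SID (SK...)")
    return {
        "account_sid": account_sid,
        "api_key_sid": api_key_sid,
        "api_key_secret": env[ENV_API_KEY_SECRET],
    }


def credentials_usable(env: Mapping[str, str]) -> bool:
    """True if the environment holds a complete, well-formed API Key credential set."""
    try:
        load_twilio_credentials(env)
        return True
    except CredentialError:
        return False


def basic_auth_header(api_key_sid: str, api_key_secret: str) -> str:
    """HTTP Basic auth value: API Key SID as username, key secret as password."""
    token = base64.b64encode(f"{api_key_sid}:{api_key_secret}".encode()).decode()
    return f"Basic {token}"


def build_send_message_request(creds: dict, to: str, from_: str, body: str) -> urllib.request.Request:
    """Build (but do not send) the server-side POST to the Messages resource.

    The Authorization header carries the API Key, so nothing here can ever
    be shipped to a browser; the caller on the backend decides whether to send it.
    """
    url = f"{TWILIO_API_BASE}/Accounts/{creds['account_sid']}/Messages.json"
    data = urllib.parse.urlencode({"To": to, "From": from_, "Body": body}).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    req.add_header("Authorization", basic_auth_header(creds["api_key_sid"], creds["api_key_secret"]))
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return req


def find_hardcoded_sids(source: str) -> list:
    """Return every Account/API Key SID found literally in source text (CI check)."""
    return sorted({m.group(0) for m in LEAK_RE.finditer(source)})


# Constructed sample environment for a stand-alone run; real values come from
# the deployment's secret store, never from a file in the repository.
SAMPLE_ENV = {
    ENV_ACCOUNT_SID: "AC" + "1234567890abcdef" * 2,
    ENV_API_KEY_SID: "SK" + "fedcba0987654321" * 2,
    ENV_API_KEY_SECRET: "constructed-secret-value",
}

# Constructed client-side snippet of the kind the scanner is meant to catch.
SAMPLE_CLIENT_JS = 'const sid = "AC' + "1234567890abcdef" * 2 + '"; fetch(url, {headers: {}});'

if __name__ == "__main__":
    creds = load_twilio_credentials(SAMPLE_ENV)
    req = build_send_message_request(creds, "+15550000001", "+15550000002", "hello")
    print(req.full_url, req.get_header("Authorization")[:12] + "...")
    print("leaked SIDs in client code:", find_hardcoded_sids(SAMPLE_CLIENT_JS))
```

In practice the loader runs once at backend start-up and the scanner runs in CI over built front-end assets, so a key that ends up in a browser bundle is caught before deployment rather than found in the account's usage logs.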
What should I do if I suspect my API Key has been compromised?
Immediately revoke the compromised key in the Twilio Console, rotate your credentials, and review your account activity for unauthorized actions.