SUPPORT.TWILIO.COM END OF LIFE NOTICE: This site, support.twilio.com, is scheduled to go End of Life on February 27, 2024. All Twilio Support content has been migrated to help.twilio.com, where you can continue to find helpful Support articles, API docs, and Twilio blog content, and escalate your issues to our Support team. We encourage you to update your bookmarks and begin using the new site today for all your Twilio Support needs.

What’s the Difference Between an Access Token and Device Token for Twilio Voice / Video SDKs?

Question

  • How does the "AccessToken" generated by the Twilio helper library (e.g. Python), which contains the identity and VoiceGrant, differ from the "device token" mentioned in your documentation?
  • What is the difference between a Twilio access token and a device token?

 

Product

  • Programmable Voice
  • Programmable Video

 

Answer

When building real-time communication apps with Twilio—such as Voice or Video—developers often encounter two distinct types of tokens. While they sound similar, they serve entirely different roles in the ecosystem: one acts as your identity card, while the other acts as your mailing address.
 

The Access Token: Your Identity Card

An Access Token is a short-lived credential used to authenticate a client-side application to Twilio. Because it is insecure to store your Twilio Account SID and Auth Token directly in a mobile or web app, you use your backend server to generate these tokens.

  • Role: It tells Twilio who the user is and what they are allowed to do (e.g., "This user is 'Alice' and she can join Video Room 'Room A'").
  • Format: It is a JSON Web Token (JWT) signed with your API Secret.
  • Security: These tokens should be ephemeral, usually expiring within an hour or less.
     

The Device Token: Your Mailing Address

A Device Token (often called a Push Token) is generated by the mobile operating system—specifically APNs for iOS or FCM for Android. It has nothing to do with Twilio’s internal authentication; instead, it is unique to the physical hardware and the specific app installation.

  • Role: It allows Twilio to find a specific physical device when the app is in the background or closed.
  • Lifecycle: These tokens are long-lived but can change if a user reinstalls the app or restores their phone from a backup.
     

How They Work Together: The Registration Process

For a user to receive an incoming call while their phone is in their pocket, the Twilio SDK must "register" the user. This is the moment where the Access Token and Device Token meet.

When you call the .register() method in the SDK, you are essentially telling Twilio:

"I am Alice (verified by my Access Token), and you can reach me at this specific phone (identified by my Device Token)."

Twilio then creates a "Binding" in its cloud. If someone calls Alice, Twilio looks up her binding and sends a push notification to that specific device token.
 

SDK Reference: The .register() Method

Each Twilio Voice SDK provides a specific method to bind these two tokens. Below are the direct links to the documentation for the registration process:

Platform Method Documentation
iOS (Swift/Obj-C) TwilioVoice.register(accessToken:deviceToken:completion:)
Android (Java/Kotlin) Voice.register(accessToken:fcmToken:registrationListener:)
React Native TwilioVoice.register(accessToken) *

Notes:

  • 'fcmToken' in the android method refers to the device token.
  • In the React Native SDK, the device token is often handled via a separate native configuration step or passed through a specific configuration object during the registration call, depending on whether you are using the community-driven or official wrapper.
     

Summary Table

Feature Access Token Device Token
Source Your Backend Server Apple (APNs) or Google (FCM)
Authentication Authenticates the User Identity No Authentication value
Utility Required to make/receive calls Required to wake up a backgrounded app
Privacy Contains User Identity (Claims) Opaque string unique to hardware

 

 

Have more questions? Submit a request
We can’t wait to see what you build.
Powered by Zendesk