Skip to contentSkip to navigationSkip to topbar
Twilio Docs
On this page

Validating Twilio Authy Callbacks

(warning)

Warning

As of November 2022, Twilio no longer provides support for Authy SMS/Voice-only customers. Customers who were also using Authy TOTP or Push prior to March 1, 2023 are still supported. The Authy API is now closed to new customers and will be fully deprecated in the future.

For new development, we encourage you to use the Verify v2 API.

Existing customers will not be impacted at this time until Authy API has reached End of Life. For more information about migration, see Migrating from Authy to Verify for SMS(link takes you to an external page).

When using Webhooks with push authentications, Twilio will send a callback to your application's exposed URL when a user interacts with your ApprovalRequest. While testing, you can accept all incoming webhooks, but in production, you'll need to verify the authenticity of incoming requests.

Twilio sends an HTTP Header X-Authy-Signature with every outgoing request to your application. X-Authy-Signature is a HMAC signature of the full message body sent from Twilio hashed with your Application API Key (from Authy in the Twilio Console(link takes you to an external page)).

You can find complete code snippets here(link takes you to an external page) on Github.

Verify a Twilio Authy Callback

verify-a-twilio-authy-callback page anchor

Checking the authenticity of the X-Authy-Signature HTTP Header is a 6 step process.

  • Create a string using the Webhook URL without any parameters
Create a Webhook URL StringLink to code sample: Create a Webhook URL String
1
const qs = require('qs');

2
const crypto = require('crypto');

3


4
/**

5
 * @param {http} req This is an HTTP request from the Express middleware

6
 * @param {!string} apiKey  Account Security API key

7
 * @return {Boolean} True if verified

8
 */

9
function verifyCallback(req, apiKey) {

10
  const url = req.protocol + '://' + req.get('host') + req.originalUrl;

11
  const method = req.method;

12
  const params = req.body;	// needs `npm i body-parser` on Express 4

13


14
  // Sort the params

15
  const sortedParams = qs

16
    .stringify(params, { arrayFormat: 'brackets' })

17
    .split('&')

18
    .sort(sortByPropertyOnly)

19
    .join('&')

20
    .replace(/%20/g, '+');

21


22
  // Read the nonce from the request

23
  const nonce = req.headers['x-authy-signature-nonce'];

24


25
  // concatinate all together and separate by '|'

26
  const data = nonce + '|' + method + '|' + url + '|' + sortedParams;

27


28
  // compute the signature

29
  const computedSig = crypto

30
    .createHmac('sha256', apiKey)

31
    .update(data)

32
    .digest('base64');

33


34
  const sig = req.headers['x-authy-signature'];

35


36
  // compare the message signature with your calculated signature

37
  return sig === computedSig;

38
}

39


40
/**

41
 * Sort by property only.

42
 *  Normal JS sort parses the entire string so a stringified array value like 'events=zzzz'

43
 *  would be moved after 'events=aaaa'.

44
 *

45
 *  For this approach, we split tokenize the string around the '=' value and only sort alphabetically

46
 *  by the property.

47
 *

48
 * @param {string} x

49
 * @param {string} y

50
 * @return {number}

51
 */

52
function sortByPropertyOnly(x, y) {

53
  const xx = x.split('=')[0];

54
  const yy = y.split('=')[0];

55


56
  if (xx < yy) {

57
    return -1;

58
  }

59
  if (xx > yy) {

60
    return 1;

61
  }

62
  return 0;

63
}
  • Flatten the received JSON body and sort this list in case-sensitive order and convert them to URL format
Sort the ParametersLink to code sample: Sort the Parameters
1
const qs = require('qs');

2
const crypto = require('crypto');

3


4
/**

5
 * @param {http} req This is an HTTP request from the Express middleware

6
 * @param {!string} apiKey  Account Security API key

7
 * @return {Boolean} True if verified

8
 */

9
function verifyCallback(req, apiKey) {

10
  const url = req.protocol + '://' + req.get('host') + req.originalUrl;

11
  const method = req.method;

12
  const params = req.body;	// needs `npm i body-parser` on Express 4

13


14
  // Sort the params

15
  const sortedParams = qs

16
    .stringify(params, { arrayFormat: 'brackets' })

17
    .split('&')

18
    .sort(sortByPropertyOnly)

19
    .join('&')

20
    .replace(/%20/g, '+');

21


22
  // Read the nonce from the request

23
  const nonce = req.headers['x-authy-signature-nonce'];

24


25
  // concatinate all together and separate by '|'

26
  const data = nonce + '|' + method + '|' + url + '|' + sortedParams;

27


28
  // compute the signature

29
  const computedSig = crypto

30
    .createHmac('sha256', apiKey)

31
    .update(data)

32
    .digest('base64');

33


34
  const sig = req.headers['x-authy-signature'];

35


36
  // compare the message signature with your calculated signature

37
  return sig === computedSig;

38
}

39


40
/**

41
 * Sort by property only.

42
 *  Normal JS sort parses the entire string so a stringified array value like 'events=zzzz'

43
 *  would be moved after 'events=aaaa'.

44
 *

45
 *  For this approach, we split tokenize the string around the '=' value and only sort alphabetically

46
 *  by the property.

47
 *

48
 * @param {string} x

49
 * @param {string} y

50
 * @return {number}

51
 */

52
function sortByPropertyOnly(x, y) {

53
  const xx = x.split('=')[0];

54
  const yy = y.split('=')[0];

55


56
  if (xx < yy) {

57
    return -1;

58
  }

59
  if (xx > yy) {

60
    return 1;

61
  }

62
  return 0;

63
}
  • Grab the nonce from the X-Authy-Signature HTTP Header
Get the NonceLink to code sample: Get the Nonce
1
const qs = require('qs');

2
const crypto = require('crypto');

3


4
/**

5
 * @param {http} req This is an HTTP request from the Express middleware

6
 * @param {!string} apiKey  Account Security API key

7
 * @return {Boolean} True if verified

8
 */

9
function verifyCallback(req, apiKey) {

10
  const url = req.protocol + '://' + req.get('host') + req.originalUrl;

11
  const method = req.method;

12
  const params = req.body;	// needs `npm i body-parser` on Express 4

13


14
  // Sort the params

15
  const sortedParams = qs

16
    .stringify(params, { arrayFormat: 'brackets' })

17
    .split('&')

18
    .sort(sortByPropertyOnly)

19
    .join('&')

20
    .replace(/%20/g, '+');

21


22
  // Read the nonce from the request

23
  const nonce = req.headers['x-authy-signature-nonce'];

24


25
  // concatinate all together and separate by '|'

26
  const data = nonce + '|' + method + '|' + url + '|' + sortedParams;

27


28
  // compute the signature

29
  const computedSig = crypto

30
    .createHmac('sha256', apiKey)

31
    .update(data)

32
    .digest('base64');

33


34
  const sig = req.headers['x-authy-signature'];

35


36
  // compare the message signature with your calculated signature

37
  return sig === computedSig;

38
}

39


40
/**

41
 * Sort by property only.

42
 *  Normal JS sort parses the entire string so a stringified array value like 'events=zzzz'

43
 *  would be moved after 'events=aaaa'.

44
 *

45
 *  For this approach, we split tokenize the string around the '=' value and only sort alphabetically

46
 *  by the property.

47
 *

48
 * @param {string} x

49
 * @param {string} y

50
 * @return {number}

51
 */

52
function sortByPropertyOnly(x, y) {

53
  const xx = x.split('=')[0];

54
  const yy = y.split('=')[0];

55


56
  if (xx < yy) {

57
    return -1;

58
  }

59
  if (xx > yy) {

60
    return 1;

61
  }

62
  return 0;

63
}
  • Join the nonce, HTTP method ('POST'), and the sorted parameters together with the vertical pipe, ('|') character
Join the Nonce, Method, and ParamsLink to code sample: Join the Nonce, Method, and Params
1
const qs = require('qs');

2
const crypto = require('crypto');

3


4
/**

5
 * @param {http} req This is an HTTP request from the Express middleware

6
 * @param {!string} apiKey  Account Security API key

7
 * @return {Boolean} True if verified

8
 */

9
function verifyCallback(req, apiKey) {

10
  const url = req.protocol + '://' + req.get('host') + req.originalUrl;

11
  const method = req.method;

12
  const params = req.body;	// needs `npm i body-parser` on Express 4

13


14
  // Sort the params

15
  const sortedParams = qs

16
    .stringify(params, { arrayFormat: 'brackets' })

17
    .split('&')

18
    .sort(sortByPropertyOnly)

19
    .join('&')

20
    .replace(/%20/g, '+');

21


22
  // Read the nonce from the request

23
  const nonce = req.headers['x-authy-signature-nonce'];

24


25
  // concatinate all together and separate by '|'

26
  const data = nonce + '|' + method + '|' + url + '|' + sortedParams;

27


28
  // compute the signature

29
  const computedSig = crypto

30
    .createHmac('sha256', apiKey)

31
    .update(data)

32
    .digest('base64');

33


34
  const sig = req.headers['x-authy-signature'];

35


36
  // compare the message signature with your calculated signature

37
  return sig === computedSig;

38
}

39


40
/**

41
 * Sort by property only.

42
 *  Normal JS sort parses the entire string so a stringified array value like 'events=zzzz'

43
 *  would be moved after 'events=aaaa'.

44
 *

45
 *  For this approach, we split tokenize the string around the '=' value and only sort alphabetically

46
 *  by the property.

47
 *

48
 * @param {string} x

49
 * @param {string} y

50
 * @return {number}

51
 */

52
function sortByPropertyOnly(x, y) {

53
  const xx = x.split('=')[0];

54
  const yy = y.split('=')[0];

55


56
  if (xx < yy) {

57
    return -1;

58
  }

59
  if (xx > yy) {

60
    return 1;

61
  }

62
  return 0;

63
}
  • Use HMAC-SHA256 to hash the string using your Application API Key
Hash the Combined String with HMAC-SHA256Link to code sample: Hash the Combined String with HMAC-SHA256
1
const qs = require('qs');

2
const crypto = require('crypto');

3


4
/**

5
 * @param {http} req This is an HTTP request from the Express middleware

6
 * @param {!string} apiKey  Account Security API key

7
 * @return {Boolean} True if verified

8
 */

9
function verifyCallback(req, apiKey) {

10
  const url = req.protocol + '://' + req.get('host') + req.originalUrl;

11
  const method = req.method;

12
  const params = req.body;	// needs `npm i body-parser` on Express 4

13


14
  // Sort the params

15
  const sortedParams = qs

16
    .stringify(params, { arrayFormat: 'brackets' })

17
    .split('&')

18
    .sort(sortByPropertyOnly)

19
    .join('&')

20
    .replace(/%20/g, '+');

21


22
  // Read the nonce from the request

23
  const nonce = req.headers['x-authy-signature-nonce'];

24


25
  // concatinate all together and separate by '|'

26
  const data = nonce + '|' + method + '|' + url + '|' + sortedParams;

27


28
  // compute the signature

29
  const computedSig = crypto

30
    .createHmac('sha256', apiKey)

31
    .update(data)

32
    .digest('base64');

33


34
  const sig = req.headers['x-authy-signature'];

35


36
  // compare the message signature with your calculated signature

37
  return sig === computedSig;

38
}

39


40
/**

41
 * Sort by property only.

42
 *  Normal JS sort parses the entire string so a stringified array value like 'events=zzzz'

43
 *  would be moved after 'events=aaaa'.

44
 *

45
 *  For this approach, we split tokenize the string around the '=' value and only sort alphabetically

46
 *  by the property.

47
 *

48
 * @param {string} x

49
 * @param {string} y

50
 * @return {number}

51
 */

52
function sortByPropertyOnly(x, y) {

53
  const xx = x.split('=')[0];

54
  const yy = y.split('=')[0];

55


56
  if (xx < yy) {

57
    return -1;

58
  }

59
  if (xx > yy) {

60
    return 1;

61
  }

62
  return 0;

63
}
Encode the Digest with Base64Link to code sample: Encode the Digest with Base64
1
const qs = require('qs');

2
const crypto = require('crypto');

3


4
/**

5
 * @param {http} req This is an HTTP request from the Express middleware

6
 * @param {!string} apiKey  Account Security API key

7
 * @return {Boolean} True if verified

8
 */

9
function verifyCallback(req, apiKey) {

10
  const url = req.protocol + '://' + req.get('host') + req.originalUrl;

11
  const method = req.method;

12
  const params = req.body;	// needs `npm i body-parser` on Express 4

13


14
  // Sort the params

15
  const sortedParams = qs

16
    .stringify(params, { arrayFormat: 'brackets' })

17
    .split('&')

18
    .sort(sortByPropertyOnly)

19
    .join('&')

20
    .replace(/%20/g, '+');

21


22
  // Read the nonce from the request

23
  const nonce = req.headers['x-authy-signature-nonce'];

24


25
  // concatinate all together and separate by '|'

26
  const data = nonce + '|' + method + '|' + url + '|' + sortedParams;

27


28
  // compute the signature

29
  const computedSig = crypto

30
    .createHmac('sha256', apiKey)

31
    .update(data)

32
    .digest('base64');

33


34
  const sig = req.headers['x-authy-signature'];

35


36
  // compare the message signature with your calculated signature

37
  return sig === computedSig;

38
}

39


40
/**

41
 * Sort by property only.

42
 *  Normal JS sort parses the entire string so a stringified array value like 'events=zzzz'

43
 *  would be moved after 'events=aaaa'.

44
 *

45
 *  For this approach, we split tokenize the string around the '=' value and only sort alphabetically

46
 *  by the property.

47
 *

48
 * @param {string} x

49
 * @param {string} y

50
 * @return {number}

51
 */

52
function sortByPropertyOnly(x, y) {

53
  const xx = x.split('=')[0];

54
  const yy = y.split('=')[0];

55


56
  if (xx < yy) {

57
    return -1;

58
  }

59
  if (xx > yy) {

60
    return 1;

61
  }

62
  return 0;

63
}

Here is every step summarized so you can get an idea of the whole process.

Verify an Incoming Two-factor Authentication WebhookLink to code sample: Verify an Incoming Two-factor Authentication Webhook
1
const qs = require('qs');

2
const crypto = require('crypto');

3


4
/**

5
 * @param {http} req This is an HTTP request from the Express middleware

6
 * @param {!string} apiKey  Account Security API key

7
 * @return {Boolean} True if verified

8
 */

9
function verifyCallback(req, apiKey) {

10
  const url = req.protocol + '://' + req.get('host') + req.originalUrl;

11
  const method = req.method;

12
  const params = req.body;	// needs `npm i body-parser` on Express 4

13


14
  // Sort the params

15
  const sortedParams = qs

16
    .stringify(params, { arrayFormat: 'brackets' })

17
    .split('&')

18
    .sort(sortByPropertyOnly)

19
    .join('&')

20
    .replace(/%20/g, '+');

21


22
  // Read the nonce from the request

23
  const nonce = req.headers['x-authy-signature-nonce'];

24


25
  // concatinate all together and separate by '|'

26
  const data = nonce + '|' + method + '|' + url + '|' + sortedParams;

27


28
  // compute the signature

29
  const computedSig = crypto

30
    .createHmac('sha256', apiKey)

31
    .update(data)

32
    .digest('base64');

33


34
  const sig = req.headers['x-authy-signature'];

35


36
  // compare the message signature with your calculated signature

37
  return sig === computedSig;

38
}

39


40
/**

41
 * Sort by property only.

42
 *  Normal JS sort parses the entire string so a stringified array value like 'events=zzzz'

43
 *  would be moved after 'events=aaaa'.

44
 *

45
 *  For this approach, we split tokenize the string around the '=' value and only sort alphabetically

46
 *  by the property.

47
 *

48
 * @param {string} x

49
 * @param {string} y

50
 * @return {number}

51
 */

52
function sortByPropertyOnly(x, y) {

53
  const xx = x.split('=')[0];

54
  const yy = y.split('=')[0];

55


56
  if (xx < yy) {

57
    return -1;

58
  }

59
  if (xx > yy) {

60
    return 1;

61
  }

62
  return 0;

63
}

Once you have encoded the digest, you can compare the resulting string with the X-Authy-Signature HTTP Header. If they match, the incoming request is from Twilio. If there is a mismatch, you should reject the request as fraudulent.

Need some help?

Terms of service
Privacy Policy

Copyright © 2024 Twilio Inc.