API Keys are the preferred way to authenticate with Twilio's REST APIs. With API Keys, you control which applications and/or people have access to your Twilio Account's API resources, and you can revoke access at your discretion.
If your Twilio application uses one of the client-side SDKs, you need to use API Keys in order to create Access Tokens.
You can use your Account SID and Auth Token as your API credentials for local testing, but using them in production is risky. If a bad actor gains access to your Account SID and Auth Token, your Twilio Account is compromised. This could cost you money and harm your business's reputation.
Instead, you can create API Keys for your applications and software developers. This gives you complete control of the lifecycle of your Twilio Account's API credentials. If an API Key is compromised or no longer used, you can delete the API Key to protect your Twilio Account from unauthorized access.
In addition, you can scope access for an API Key using Restricted API Keys. This allows you to reduce security risks by providing minimum and specific levels of access for your applications and API credentials.
There are three types of API Keys: Main, Standard and Restricted (Public Beta).
Main API Keys provide the most permissions. They give you the same level of access as using your Account SID and Auth Token in API requests.
Standard API Keys give you access to all of the functionality in Twilio's APIs, _except_ the following API Resources:
Restricted API Keys (Public Beta) allow you to provide fine-grained access to specific Twilio API Resources.
If your Account uses Twilio Regions, read the Global Infrastructure docs to learn how to manage regional API credentials.
Create API Keys in the Twilio Console by following the steps below.
Not sure how to use the API Key and Secret? Check out the Make an HTTP Request to Twilio page.
To create API Keys via API, you must use your Account SID and Auth Token or a Main API Key as your credentials. You can also use a Restricted API Key to create API keys as long as it has the permission for /twilio/iam/api-keys/create.
The code sample below shows a POST request to a Twilio Account's Key Resource, which is how you create API Keys via API.
```js
// Download the helper library from https://www.twilio.com/docs/node/install
const twilio = require("twilio"); // Or, for ESM: import twilio from "twilio";

// Find your Account SID and Auth Token at twilio.com/console
// and set the environment variables. See http://twil.io/secure
const accountSid = process.env.TWILIO_ACCOUNT_SID;
const authToken = process.env.TWILIO_AUTH_TOKEN;
const client = twilio(accountSid, authToken);

async function createNewKey() {
  const newKey = await client.newKeys.create({
    friendlyName: "Mario's API Key",
  });

  // newKey.secret is only returned in this response; store it securely.
  console.log(newKey.sid);
}

createNewKey();
```
```json
{
  "sid": "SKaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
  "friendly_name": "Mario's API Key",
  "date_created": "Mon, 13 Jun 2016 22:50:08 +0000",
  "date_updated": "Mon, 13 Jun 2016 22:50:08 +0000",
  "secret": "foobar"
}
```
Below is a sample response to this POST request. The response contains a sid property and a secret property. Store the secret in a secure location, because you won't be able to retrieve it again.
```json
{
  "sid": "SKXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
  "friendly_name": "Mario's API Key",
  "date_created": "Mon, 13 Jun 2016 22:50:08 +0000",
  "date_updated": "Mon, 13 Jun 2016 22:50:08 +0000",
  "secret": "someLongAlphanumericString"
}
```
The Key Resource's sid and the secret are used as the credentials when making requests to Twilio's APIs.
If you no longer use an API Key, or if a Key has been compromised, you can revoke the Key's permissions by deleting the API Key. You can do this in the Twilio Console or programmatically with Twilio's REST API.
Follow the directions below to delete an API Key from within the Twilio Console.
To delete API Keys via API, you must use your Account SID and Auth Token or a Main API Key as your credentials. You can also use a Restricted API Key to delete API keys as long as it has the permission for /twilio/iam/api-keys/delete.
The code sample below shows a DELETE request to a specific Key Resource's URI, which is how you delete API Keys via API.
You need the Key Resource's SID to complete this action. The Key's SID is returned in the response when you create the Key and can be found in the Twilio Console, or by reading your Account's Key Resources.
```js
// Download the helper library from https://www.twilio.com/docs/node/install
const twilio = require("twilio"); // Or, for ESM: import twilio from "twilio";

// Find your Account SID and Auth Token at twilio.com/console
// and set the environment variables. See http://twil.io/secure
const accountSid = process.env.TWILIO_ACCOUNT_SID;
const authToken = process.env.TWILIO_AUTH_TOKEN;
const client = twilio(accountSid, authToken);

async function deleteKey() {
  // Replace with the SID of the Key to revoke (from the create response,
  // the Console, or by listing the Account's Key Resources).
  await client.keys("SKXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX").remove();
}

deleteKey();
```
If you plan on using a client-side SDK with Twilio, you need to create Access Tokens. Learn more on the Access Tokens page.
Learn how to safely store your API Keys in environment variables in the "How to Set Environment Variables" Blog post.
Read the "Guide to Basic API Security Best Practices" Blog post.