Twilio Studio workflows make requests to Twilio REST APIs on behalf of your Twilio account. To achieve this, Studio auto-generates an API Key in your account during your very first Flow Execution. This API Key is named "Studio API Key" and is visible to you in Twilio Console.
During Flow Execution, if a Studio widget needs to make a request to a Twilio API, such as sending an SMS via the Send Message widget, Studio uses the Studio API Key to authenticate that API request.
Because the Studio API Key is automatically generated, you never need to provide your Twilio Auth Token to Studio. If the Studio API Key is deleted from your account, Studio will automatically generate a new one during Flow Execution to ensure no loss of functionality in your Studio Flows.
When Studio generates the API Key, Twilio Enterprise customers who use Audit Events will see log entries for the API Key and its related Account Credential.
Example Audit Events:
account-api-keys.created - Friendly Name: Studio API Keyaccount-credentials.created - Friendly Name: Studio API Key; Type: Twilio Signing KeyStudio supports the following event types:
flow.createdflow.deletedflow.updatedAs part of the Audit Events, Studio sends the following fields:
flow.created, flow.deleted, or flow.updated)On August 8, 2022, the Studio engineering team completed migration of active Flow events and related data to a new data store to better support our customers as their usage grows. A side effect of this migration was the auto-creation of brand new API Keys for all existing Studio customers during their first Execution in the new data store.
Consequently, you may notice two Studio API Keys in your account's API Key list. The older Studio API Key will no longer be used, and if you wish, you may delete it from your list in Twilio Console.
The creation of new Studio API Keys was not related to the recent customer account compromise.