Announcing the Webhook Plugin: Validate your webhooks with the new webhook plugin for the Twilio CLI
Time to read: 4 minutes
At Twilio, we heavily use webhooks throughout all of our products, but developing and testing webhooks comes with some challenges. First, you need to make your application running on localhost public, then you have to configure the webhook with your public URL, and then you have to trigger those webhooks by manually texting or calling your Twilio Phone Number. This can be cumbersome and slows down your inner devloop.
To address these challenges, Twilio Labs created the Webhook plugin for the Twilio CLI, to test your webhooks with the following benefits:
- works with locally and publicly hosted applications,
- works with Twilio Functions, Twilio Studio, TwiML Bins, and custom developed applications,
- no need to configure the webhook URL in Twilio,
- you don't have to text or call to trigger the webhook, so you're not spending time or Twilio credit.
The webhook plugin will emulate Twilio webhook requests and send them to a local or public URL of your choosing. Let's give it a try.
Provision a Twilio webhook application
Before you can test a Twilio application by emulating webhook requests, you’ll need to have one up and running. If you already have an application with a webhook endpoint, or your own custom app that handles webhooks, you can skip this section and use your existing application.
You can find a lot of samples on Twilio CodeExchange, but to deploy Twilio apps in an instant, you can filter them down to samples with "Quick Deploy", like the SMS Auto-response sample.
First, make sure you have a Twilio Account and a Twilio Phone Number. Sign up with Twilio for free and get $20 trial credit. Then, follow these instructions to buy a Twilio Phone Number if you haven't already.
Next, open the SMS Auto-response sample in a new browser tab, select your Twilio Phone Number, and deploy the application. Once the application is deployed, click on the "Go to live application" button. At the bottom of the page, under Troubleshooting, you'll find the webhook URL for this application. Copy and paste this webhook URL somewhere so you can use it later. The URL should look something like https://hello-messaging-1111-xxxxxx.twil.io/hello-messaging.
Congratulations, you now have a Twilio application that will respond with "Hello World" when you text your Twilio Phone Number! 🎉
Install the webhook plugin for the Twilio CLI
First, install the Twilio CLI and log in to your Twilio account if you haven't done so already. Then, in your terminal, run the following command to install the Webhook plugin:
You list the available commands in the plugin and get documentation for the commands using the --help
argument:
You can also read the documentation in the GitHub Repository README.md file.
Now that the Twilio CLI and Webhook plugin is installed, let's test out the webhook of your Twilio application.
Test your webhook from the Twilio CLI
First, configure the environment variable TWILIO_AUTH_TOKEN
environment variable with the Auth Token you can find in the Account Info pane of the Console Dashboard page.
Then, execute the following command to emulate an SMS webhook request:
If you're using the SMS Auto-response sample from earlier, you will see the following output:
This is the TwiML that the sample responds with. This TwiML tells Twilio to respond with "Hello World" to incoming text messages.
The emulated request uses a set of default parameters. To override these parameters, you can use the --data-urlencode
or -d
argument passing in key-value pairs.
If your webhook handler expects HTTP requests using the GET method, you can emulate the webhook requests using the --method
or -X
argument.
By default, the twilio webhook:invoke
command emulates an SMS webhook request, but you can emulate a voice webhook request by passing in the --type
argument.
Test secured and unsecured webhooks
For Twilio to send HTTP requests to a webhook URL, that webhook URL has to be publicly available, but this also makes it available to all of the internet. You can secure your webhook by validating the X-Twilio-Signature
header that Twilio sends as part of the webhook requests. Twilio uses your Auth Token to generate the signature, so you can generate the same signature and compare them. If they are the same, the request originates from Twilio, and if not, you should reject the request. This technique is also used for TwiML Bins and Twilio Functions that are set to protected.
To test secured webhooks, you have to pass in the Auth Token (as argument or environment variable), like you did previously. This Auth Token will be used to generate the X-Twilio-Signature
header which will be part of the emulated webhook request.
For unsecured webhook URLs, you can still pass in the Auth Token, but you don't have to. To not generate the signature header, you can pass in the --no-signature
argument and then you also don't need to provide the Auth Token:
The SMS Auto-response sample will respond as follows because the Twilio Function is set to protected:
However, if you change the visibility of the Twilio Function to public, meaning no signature validation, then you'll get the previous TwiML response again:
Next steps
With the webhook plugin you can test and develop your Twilio webhooks, without needing to make your application public, configuring your webhook URL, and then manually triggering the webhook event.
This tool speeds up your inner devloop, so you can develop webhooks faster.
The webhook plugin is an open-source project on GitHub, so feel free to submit any issues, send pull requests, and star it.
Another Twilio Labs project that can increase your productivity is the Twilio Dev Phone. Learn how to test your Twilio applications using the Twilio Dev Phone here, without having to switch to your physical phone.
Niels Swimberghe is a Belgian American software engineer and technical content creator at Twilio. Get in touch with Niels on Twitter @RealSwimburger and follow Niels’ personal blog on .NET, Azure, and web development at swimburger.net.
Related Posts
Related Resources
Twilio Docs
From APIs to SDKs to sample apps
API reference documentation, SDKs, helper libraries, quickstarts, and tutorials for your language and platform.
Resource Center
The latest ebooks, industry reports, and webinars
Learn from customer engagement experts to improve your own communication.
Ahoy
Twilio's developer community hub
Best practices, code samples, and inspiration to build communications and digital engagement experiences.