Platform and Integration

Security and Encryption

Since Twilio's platform handles sensitive end-user information, utmost care is taken to safeguard this information at all times. Twilio implements multiple layers of security between the Customer system and Twilio's system. Twilio is a SOC2 compliant organization.

Secure Communication Channel: All communication between the Customer's system and Twilio's system takes place over HTTPS (TLS version 1.2 or above).
IP Address Listing: Customer system's IP addresses are allowed by the firewall before any API calls can be made to Twilio's production environment.
API Request Validation: Customer is assigned a Merchant ID, an optional submerchant ID and an API Secret. The Secret is an alphanumeric string and is shared with the Customer during the onboarding process. Customer must send the API Secret in the header for all API requests. Twilio processes the request only if it comes with a valid API Secret. Please contact Twilio Support through the Console or Help Center to know the validity of the API Secret as the Support team will issue a new one prior to the expiry of the current value.

Credentials

Key Name	Description	Notes
ClientAccessKey	Key that identifies that the request is originating from a valid customer. Shared with Customer at onboarding.	Up to 256 characters.
EVURL Encryption Key	Key used by customer to encrypt the payload in the EVURL. Shared with Customer at onboarding.	Up to 256 characters.
Cipher Salt	Salt to decrypt the payload. Twilio recommends that the customer send a dynamic cipher salt for additional security.	Dependent on AES Encryption Algorithm used.
API Secret	Key to use in the request header of all APIs. Shared with Customer during onboarding.	Up to 128 characters.

(information)

Want different encryption?

Supported encryption algorithms are AES/CTR/NoPadding, AES/CBC/PKCS5Padding, AES/GCM/NoPadding.