Platform and Integration

Security and Encryption

Since Twilio's platform handles sensitive end-user information, utmost care is taken to safeguard this information at all times. Twilio implements multiple layers of security between the Customer system and Twilio's system. Twilio is a SOC2 compliant organization.

  • Secure Communication Channel: All communication between the Customer’s system and Twilio's system takes place over HTTPS (TLS version 1.2 or above).
  • IP Address Listing: Customer system’s IP addresses are allowed by the firewall before any API calls can be made to Twilio's production environment.
  • API Request Validation: Customer is assigned a Merchant ID, an optional submerchant ID and an API Secret. The Secret is an alphanumeric string and is shared with the Customer during the onboarding process. Customer must send the API Secret in the header for all API requests. Twilio processes the request only if it comes with a valid API Secret. Please contact the Customer Success team at [email protected] to know the validity of the API Secret as the Customer Success team will issue a new one prior to the expiry of the current value.


Key NameDescriptionNotes
ClientAccessKeyKey that identifies that the request is originating from a valid customer. Shared with Customer at onboarding.Up to 256 characters.
EVURL Encryption KeyKey used by customer to encrypt the payload in the EVURL. Shared with Customer at onboarding.Up to 256 characters.
Cipher SaltSalt to decrypt the payload. Twilio recommends that the customer send a dynamic cipher salt for additional security.Dependent on AES Encryption Algorithm used.
API SecretKey to use in the request header of all APIs. Shared with Customer during onboarding.Up to 128 characters.


Want different encryption?

Supported encryption algorithms are AES/CTR/NoPadding, AES/CBC/PKCS5Padding, AES/GCM/NoPadding.