Skip to contentSkip to navigationSkip to topbar
Page tools
Looking for more inspiration?Visit the

OAuth apps FAQs


What are the regions supported?

what-are-the-regions-supported page anchor

We currently support this feature only in the US1 region.

Are there any costs associated with using this feature?

are-there-any-costs-associated-with-using-this-feature page anchor

OAuth apps are available to all accounts at no additional cost.

Which roles allow access to the OAuth apps feature?

which-roles-allow-access-to-the-oauth-apps-feature page anchor

Users with the Owner, Administrator, Developer or Account API Access Admin role can access account-level OAuth apps.

Users with the Organization Owner or Organization Admin role will be able to access Organization OAuth apps.

If I generate a new access token will the old token still work?

if-i-generate-a-new-access-token-will-the-old-token-still-work page anchor

Yes. If a new access token is generated, the previous access token will continue to work until it expires.

What happens when a user who has created an OAuth app is deleted or removed from the account?

what-happens-when-a-user-who-has-created-an-oauth-app-is-deleted-or-removed-from-the-account page anchor

There will be no impact on the OAuth app and the credentials will still work.

What should I do if my credentials are compromised?

what-should-i-do-if-my-credentials-are-compromised page anchor

Immediately rotate the secret with the grace period set to 0, or delete the app. This invalidates the previous credentials and access tokens.

Is this feature also available for subaccounts? Will the account OAuth app work for Subaccount?

is-this-feature-also-available-for-subaccounts-will-the-account-oauth-app-work-for-subaccount page anchor

Yes, this feature is available for subaccounts. Account-level OAuth apps only work for the account they were created in, not for its subaccounts. Create a separate OAuth app for each subaccount that needs an account-level OAuth app.

What is the difference between Client Credentials and Authorization Code grant types?

what-is-the-difference-between-client-credentials-and-authorization-code-grant-types page anchor

Use the Client Credentials grant type for server-to-server interactions where no user is present (such as backend services or scheduled jobs). The application authenticates using only its Client ID and Client Secret.

Use the Authorization Code grant type when your application needs to access Twilio APIs on behalf of a specific user. The user signs in to Twilio and explicitly approves access, which makes this flow more secure for user-facing applications.

See the OAuth apps overview for full details on both grant types.

How long are access tokens and refresh tokens valid? What happens when they expire?

how-long-are-access-tokens-and-refresh-tokens-valid-what-happens-when-they-expire page anchor

Access tokens are valid for the Token expiration time configured on your OAuth app (between 1 minute and 30 days, defaulting to 1 hour). Once an access token expires, API calls using it will return a 401 Unauthorized response.

To get a new access token, follow these steps:

  • For Client Credentials apps, send a new token request with your Client ID and Client Secret.
  • For Authorization Code apps, use the refresh token returned with the original access token to request a new one without prompting the user to re-authorize. See OAuth Token API for details.