OAuth apps
OAuth 2.0 is an industry-standard authorization protocol that lets applications securely access Twilio APIs on your behalf, without sharing your Account SID and Auth Token or other long-lived API keys. Instead of using static credentials, your application exchanges a Client ID and Client Secret (or a user's approval) for a short-lived access token, which it then uses to make API calls. OAuth apps are how you set this up in Twilio — they keep your account credentials safe and give you fine-grained control over what each application can do.
Key benefits of using OAuth apps:
- Short-lived access tokens — OAuth credentials generate tokens with a limited lifespan, reducing the risk of credential leaks.
- Scoped access — Each token is restricted to a specific set of APIs, so an app only has access to what it needs.
OAuth apps can be created at both the account level and the organization level. See the links below to learn more about each:
Twilio supports two OAuth 2.0 grant types: Client Credentials and Authorization Code. Choose the one that fits how your application accesses Twilio APIs.
The Client Credentials grant (RFC 6749, Section 4.4) is designed for machine-to-machine (server-to-server) interactions, where an application authenticates as itself rather than on behalf of a user. This is the right choice for backend services, scheduled jobs, and internal tools.
How it works:
- Create an OAuth app in the Twilio Console. Twilio generates a Client ID and Client Secret.
- Your application sends these credentials to the Twilio OAuth token endpoint to request an access token.
- Your application uses the access token to authenticate calls to Twilio APIs.
- After the access token expires, use the Client ID and Client Secret to generate a new access token.