Skip to contentSkip to navigationSkip to topbar
Page toolsOn this page
Looking for more inspiration?Visit the

OAuth apps


OAuth 2.0 is an industry-standard authorization protocol that lets applications securely access Twilio APIs on your behalf, without sharing your Account SID and Auth Token or other long-lived API keys. Instead of using static credentials, your application exchanges a Client ID and Client Secret (or a user's approval) for a short-lived access token, which it then uses to make API calls. OAuth apps are how you set this up in Twilio — they keep your account credentials safe and give you fine-grained control over what each application can do.

Key benefits of using OAuth apps:

  • Short-lived access tokens — OAuth credentials generate tokens with a limited lifespan, reducing the risk of credential leaks.
  • Scoped access — Each token is restricted to a specific set of APIs, so an app only has access to what it needs.

OAuth apps can be created at both the account level and the organization level. See the links below to learn more about each:


Types of OAuth apps

types-of-oauth-apps page anchor

Twilio supports two OAuth 2.0 grant types: Client Credentials and Authorization Code. Choose the one that fits how your application accesses Twilio APIs.

Client Credentials

client-credentials page anchor

The Client Credentials grant (RFC 6749, Section 4.4(link takes you to an external page)) is designed for machine-to-machine (server-to-server) interactions, where an application authenticates as itself rather than on behalf of a user. This is the right choice for backend services, scheduled jobs, and internal tools.

How it works:

  1. Create an OAuth app in the Twilio Console. Twilio generates a Client ID and Client Secret.
  2. Your application sends these credentials to the Twilio OAuth token endpoint to request an access token.
  3. Your application uses the access token to authenticate calls to Twilio APIs.
  4. After the access token expires, use the Client ID and Client Secret to generate a new access token.

The Authorization Code grant (RFC 6749, Section 4.1(link takes you to an external page)) is designed for applications that access Twilio APIs on behalf of a user. It's most commonly used in web applications where users explicitly approve the access. Because the user must authenticate and consent, this grant offers stronger security than Client Credentials.

How it works:

  1. Create an OAuth app with type Authorization Code to generate a Client ID, Client Secret, and Authorization URL.
  2. Paste the Authorization URL into your application, which redirects the user to Twilio to sign in and approve access.
  3. Twilio redirects the user back to your application with a one-time authorization code.
  4. Your application exchanges the authorization code for an access token at the Twilio OAuth token endpoint.
  5. Your application uses the access token to call Twilio APIs on the user's behalf.
  6. After the access token expires, use the refresh token to generate a new access token.