# Prevent blocked numbers from calling your application You may wish to block certain numbers from contacting or spamming your application's phone number. Creating a block list and using a Function that compares the incoming number to its contents will allow you to decide whether to [Reject](/docs/voice/twiml/reject) an incoming call, or [Redirect](/docs/voice/twiml/redirect) it to your actual application. The following examples will show a couple of approaches to this problem. To get started, use the following directions to create two new Functions that will form the base of this application: `/filter-calls` and `/welcome`. ## Create and host a Function Before you run any of the examples on this page, create a Function and paste the example code into it. You can create a Function in the Twilio Console or by using the [Serverless Toolkit](/docs/labs/serverless-toolkit). ## Console If you prefer a UI-driven approach, complete these steps in the Twilio Console: 1. Log in to the [Twilio Console](https://1console.twilio.com) and navigate to **Develop > Functions & Assets**. If you're using the *legacy* Console, open the [**Functions** tab](https://www.twilio.com/console/functions/overview). 2. Functions are contained within **Services**. Click **[Create Service](https://www.twilio.com/console/functions/overview/services)** to create a new **[Service](/docs/serverless/functions-assets/functions/create-service)**. 3. Click **Add +** and select **Add Function** from the dropdown. 4. The Console creates a new [protected](/docs/serverless/functions-assets/visibility) Function that you can rename. The filename becomes the URL path of the Function. 5. Copy one of the example code snippets from this page and paste the code into your newly created Function. You can switch examples by using the dropdown menu in the code rail. 6. Click **Save**. 7. Click **Deploy All** to build and deploy the Function. After deployment, you can access your Function at `https://--.twil.io/`\ For example: `test-function-3548.twil.io/hello-world`. ## Serverless Toolkit The [Serverless Toolkit](/docs/labs/serverless-toolkit) lets you develop locally, deploy projects, and perform other tasks through the [Twilio CLI](/docs/twilio-cli/quickstart). 1. From the CLI, run `twilio serverless:init --empty` to bootstrap your local environment. 2. Go to your new project directory using `cd `. 3. In the `/functions` directory, create a JavaScript file whose name reflects the purpose of the Function. For example, `sms-reply.protected.js` for a [protected](/docs/serverless/functions-assets/visibility) Function intended to handle incoming SMS. 4. Add the code example of your choice to the file and save it. Note that a Function can only export a single handler. You need to create separate files to run or deploy multiple examples at once. After you save the Function code, you can test it locally (and optionally tunnel requests to it using a tool like [ngrok](https://ngrok.com/)), or deploy it. ### Run your Function in local development Run `twilio serverless:start` from your CLI to start the project locally. The Function(s) in your project are accessible from `http://localhost:3000/sms-reply` * If you want to test a Function as a [Twilio webhook](/docs/usage/webhooks/getting-started-twilio-webhooks), run: `twilio phone-numbers:update --sms-url "http://localhost:3000/sms-reply"`\ This automatically generates an ngrok tunnel from Twilio to your locally running Function, so you can start sending texts to it. You can apply the same process but with the `voice-url` flag instead to test with [Twilio Voice](/docs/voice). * If your code does *not* connect to Twilio Voice or Messages as a webhook, start your dev server and start an ngrok tunnel in the same command with the `ngrok` flag. For example: `twilio serverless:start --ngrok=""` ### Deploy your Function To deploy your Function and have access to live url(s), run `twilio serverless:deploy` from your CLI. This deploys your Function(s) to Twilio under a development Environment by default, where they can be accessed from: `https://--dev.twil.io/` For example: `https://incoming-sms-examples-3421-dev.twil.io/sms-reply` You can now invoke your Function with HTTP requests, configure it as the [webhook](/docs/usage/webhooks/getting-started-twilio-webhooks) for a Twilio phone number, call it from a Twilio Studio [**Run Function** Widget](/docs/studio/widget-library/run-function), and more. ## Block calls using a hard-coded list To introduce the logic and TwiML involved without extra complications, this example code for `/filter-calls` includes a sample block list hard-coded into its body. The Function compares the incoming phone number, provided as `From` when this Function is connected to your Twilio phone number as a webhook, to the contents of the block list. The resulting Boolean is then used to determine whether the result should be a rejection, or a redirect to the `/welcome` Function. The `/welcome` Function returns a welcome message to the user and primarily serves as an example of how you can still leverage Redirect verbs even within a Serverless project such as this. You're able to use the relative URL `'/welcome'` since the same [Service](/docs/serverless/functions-assets/functions/create-service) contains both Functions. To test this out, copy and paste both samples into their respective Functions, and add your personal phone number to the block list in [E.164](/docs/glossary/what-e164) format. Save and deploy your Service, and use the following directions to set `/filter-calls` as the **A Call Comes In** webhook handler for your Twilio phone number. The application will immediately reject your calls. If you remove your number from the block list and re-deploy, you will instead get the welcome message. ```js title="Call filter logic" description="Sample code for /filter-calls" exports.handler = (context, event, callback) => { // Prepare a new Voice TwiML object that will control Twilio's response // to the incoming call const twiml = new Twilio.twiml.VoiceResponse(); // The incoming phone number is provided by Twilio as the `From` property const incomingNumber = event.From; // This is an example of a blocklist hard-coded into the Function const blockList = ['+14075550100', '+18025550100']; const isBlocked = blockList.length > 0 && blockList.includes(incomingNumber); if (isBlocked) { twiml.reject(); } else { // If the number is not blocked, redirect call to the webhook that // handles allowed callers twiml.redirect('/welcome'); } return callback(null, twiml); }; ``` ```js title="Welcome message" description="Sample code for /welcome" exports.handler = (context, event, callback) => { const twiml = new Twilio.twiml.VoiceResponse(); twiml.say("Hello, congratulations! You aren't blocked!"); return callback(null, twiml); }; ``` ## Set a Function as a webhook For your Function to react to incoming SMS or voice calls, it must be set as a [webhook](/docs/usage/webhooks) for your Twilio number. There are a variety of methods to set a Function as a webhook: ![Setting a Function as a Messaging webhook using the webhook dropdown option.](https://docs-resources.prod.twilio.com/bf4eae4ac40fe7d47003a93bca295d5c232e0b372358e73ceff931fee3ccdc4f.png) ## Store the block list as a private Asset To keep your block list separate from and independent of your Function's code, one recommendation is to store the list as JSON in a [private](/docs/serverless/functions-assets/visibility) [Asset](/docs/serverless/functions-assets/assets). Your Function will read and parse the contents of this file using methods provided by the [Runtime Client](/docs/serverless/functions-assets/client), and achieve the same functionality with more separation of concerns. First, create a new private Asset named `blocklist.json`, populate it with the sample contents (and your personal number like before, to verify the blocking works), and save the Asset. Ensure that this Asset is private in order to protect its contents and to enable helper methods such as [Runtime.getAssets](/docs/serverless/functions-assets/client#getassets), which can only retrieve private Assets. Next, update the existing `/filter-calls` Function with the highlighted changes. This new code replaces the hard-coded block list array with a synchronous read of `blocklist.json`, and a quick `JSON.parse` to convert the file contents to a usable array. Save your changes to the Function, and deploy your updated Service. Subsequent calls to your Twilio phone number will behave exactly as before! ```json title="Block list private Asset" description="Save as blocklist.json" ["+14075550100", "+18025550100"] ``` ```js title="Block incoming calls using a private Asset" description="Updates to /filter-calls" // !mark(10,11,8,9) exports.handler = (context, event, callback) => { // Prepare a new Voice TwiML object that will control Twilio's response // to the incoming call const twiml = new Twilio.twiml.VoiceResponse(); // The incoming phone number is provided by Twilio as the `From` property const incomingNumber = event.From; // Open the contents of the private Asset containing the blocklist const blockListJson = Runtime.getAssets()['/blocklist.json'].open(); // Parse the string, such as "["+14075550100", "+18025550100"]", to an array const blockList = JSON.parse(blockListJson); const isBlocked = blockList.length > 0 && blockList.includes(incomingNumber); if (isBlocked) { twiml.reject(); } else { // If the number is not blocked, redirect call to the webhook that // handles allowed callers twiml.redirect('/welcome'); } return callback(null, twiml); }; ``` > \[!WARNING] > > Ensure that you write the Asset name as `'/blocklist.json'` and not `'blocklist.json'`; the leading slash is necessary, as described in the [Runtime.getAssets documentation](/docs/serverless/functions-assets/client#getassets).