Twilio
Twiliosaas4 credentials
Account SID / Auth Token
twilio / account-sid-auth-token
Twilio accounts use an Account SID and Auth Token to authenticate API requests. Twilio recommends storing TWILIO_ACCOUNT_SID and TWILIO_AUTH_TOKEN in environment variables and using API keys for production access where possible.
Looks like
exampleACXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXLocation
TWILIO_ACCOUNT_SID, TWILIO_AUTH_TOKENAuthorizationHTTP Basic authentication using Account SID and Auth Token
.env files, application config, deployment manifests, local shell profiles
CI/CD variables, cloud secret managers, hosted app settings
Twilio SDK initialization code, examples, tests, committed configs
HTTP client debug logs, stack traces, CI logs, and request dumps
Notes
Account SID alone is an identifier, but it commonly appears beside the Auth Token. A leaked Auth Token can compromise the Twilio account and should be rotated through Console or the Auth Token API.
API Key SID / Secret
twilio / api-key-secret
Twilio API keys authenticate REST API requests and can be Main, Standard, or Restricted. Twilio API Key resources have SIDs beginning with SK and a secret value shown when the key is created.
Looks like
exampleSKXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXLocation
TWILIO_API_KEY, TWILIO_API_SECRET, TWILIO_ACCOUNT_SIDAuthorizationHTTP Basic authentication using API Key SID and API Secret
.env files, SDK config, deployment manifests, serverless variables
CI/CD variables, cloud secret managers, hosted app settings
SDK initialization, access-token minting code, committed examples
key creation output, application debug logs, CI logs
API key creation responses include the key SID and secret at creation time
Notes
API key secrets are shown only at creation time in normal workflows. Deleting an API key revokes API authentication and invalidates access tokens generated with that key's secret.
Access Token Signing Secret
twilio / access-token-signing-secret
Twilio client access tokens are JWTs signed with a Twilio API Key Secret. The API Key SID identifies the key and the API Secret signs tokens for Voice, Video, Conversations, Sync, and other client SDKs.
Looks like
exampleSKXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXLocation
TWILIO_API_KEY, TWILIO_API_SECRET, TWILIO_ACCOUNT_SIDaccess-token minting endpoints, serverless functions, SDK examples
.env files, serverless config, deployment manifests
CI/CD variables, cloud secret managers, hosted app settings
token generation debug logs and CI output
Notes
Exposure of the API Secret allows minting Twilio client access tokens according to the code and grants used by the application.
Webhook Signature Auth Token
twilio / webhook-signing-auth-token
Twilio uses the account Auth Token to validate request signatures on incoming Twilio webhooks. Applications that verify X-Twilio-Signature need access to the same Auth Token used for API authentication.
Location
TWILIO_AUTH_TOKENX-Twilio-Signatureincoming webhook signature verified using the Auth Token; the token itself is not sent
webhook verifier config, .env files, deployment manifests
CI/CD variables, cloud secret managers, hosted app settings
webhook validation middleware, tests, examples
Notes
The signing secret is the same Auth Token used by the account. Rotate it carefully because rotation affects both REST API authentication and webhook validation.
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.