lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Twilio

Twiliosaas4 credentials

Credentials4 documented
01

Account SID / Auth Token

twilio / account-sid-auth-token

Twilio accounts use an Account SID and Auth Token to authenticate API requests. Twilio recommends storing TWILIO_ACCOUNT_SID and TWILIO_AUTH_TOKEN in environment variables and using API keys for production access where possible.

generated on installsecretAPI key

Looks like

example
example

Twilio Account SID; the paired Auth Token is the secret credential

ACXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Location

environment
TWILIO_ACCOUNT_SID, TWILIO_AUTH_TOKEN
http header
Authorization

HTTP Basic authentication using Account SID and Auth Token

config file

.env files, application config, deployment manifests, local shell profiles

secret store

CI/CD variables, cloud secret managers, hosted app settings

source code

Twilio SDK initialization code, examples, tests, committed configs

logs

HTTP client debug logs, stack traces, CI logs, and request dumps

Notes

Account SID alone is an identifier, but it commonly appears beside the Auth Token. A leaked Auth Token can compromise the Twilio account and should be rotated through Console or the Auth Token API.

02

API Key SID / Secret

twilio / api-key-secret

Twilio API keys authenticate REST API requests and can be Main, Standard, or Restricted. Twilio API Key resources have SIDs beginning with SK and a secret value shown when the key is created.

generated on installsecretAPI key

Looks like

example
example

Twilio API Key SID; the paired API Secret is the secret credential

SKXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Location

environment
TWILIO_API_KEY, TWILIO_API_SECRET, TWILIO_ACCOUNT_SID
http header
Authorization

HTTP Basic authentication using API Key SID and API Secret

config file

.env files, SDK config, deployment manifests, serverless variables

secret store

CI/CD variables, cloud secret managers, hosted app settings

source code

SDK initialization, access-token minting code, committed examples

logs

key creation output, application debug logs, CI logs

http response

API key creation responses include the key SID and secret at creation time

Notes

API key secrets are shown only at creation time in normal workflows. Deleting an API key revokes API authentication and invalidates access tokens generated with that key's secret.

03

Access Token Signing Secret

twilio / access-token-signing-secret

Twilio client access tokens are JWTs signed with a Twilio API Key Secret. The API Key SID identifies the key and the API Secret signs tokens for Voice, Video, Conversations, Sync, and other client SDKs.

generated on installsecretsecret value

Looks like

example
example

Twilio API Key SID used as JWT issuer; the paired API Secret signs access tokens

SKXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Location

environment
TWILIO_API_KEY, TWILIO_API_SECRET, TWILIO_ACCOUNT_SID
source code

access-token minting endpoints, serverless functions, SDK examples

config file

.env files, serverless config, deployment manifests

secret store

CI/CD variables, cloud secret managers, hosted app settings

logs

token generation debug logs and CI output

Notes

Exposure of the API Secret allows minting Twilio client access tokens according to the code and grants used by the application.

04

Webhook Signature Auth Token

twilio / webhook-signing-auth-token

Twilio uses the account Auth Token to validate request signatures on incoming Twilio webhooks. Applications that verify X-Twilio-Signature need access to the same Auth Token used for API authentication.

generated on installsecretsecret value

Location

environment
TWILIO_AUTH_TOKEN
http header
X-Twilio-Signature

incoming webhook signature verified using the Auth Token; the token itself is not sent

config file

webhook verifier config, .env files, deployment manifests

secret store

CI/CD variables, cloud secret managers, hosted app settings

source code

webhook validation middleware, tests, examples

Notes

The signing secret is the same Auth Token used by the account. Rotate it carefully because rotation affects both REST API authentication and webhook validation.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.