Twilio Access Key

Bridgecrew Policy ID: BC_GIT_18
Severity: LOW

Description

Twilio Access Tokens are short-lived JWTs that authenticate the Twilio Client SDKs (Voice, Conversations, Sync, and Video).

You create them on your server, signed with the secret of a Twilio API Key, to verify a client's identity and grant access to client API features. Every token has a limited lifetime, configurable up to 24 hours, but the best practice is to issue tokens for the shortest period your application can tolerate. Because the API Key secret is what signs these tokens, anyone who obtains it can mint valid tokens for your account until the key is revoked, so a key found in source control must be treated as compromised.
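The following added example (illustrative code, not the Twilio helper library and not part of this policy page) shows what the server-side minting step looks like and why the lifetime matters: an HS256 JWT carrying the "twilio-fpa;v=1" content type and a "grants" claim, signed with the API Key secret, with the requested TTL clamped to Twilio's 24-hour ceiling. The SIDs, secret, identity, grant contents and the 15-minute default TTL are placeholders chosen for the example.

```python
# Added example: minting a Twilio-style Access Token with a bounded lifetime.
# Illustrative code, not the Twilio helper library. The token layout (HS256 JWT,
# "cty": "twilio-fpa;v=1", iss = API Key SID, sub = Account SID, "grants" claim)
# follows Twilio's published Access Token format; every SID and secret used
# with it below is a placeholder, not a real credential.
import base64
import hashlib
import hmac
import json
import time

MAX_TTL_SECONDS = 24 * 60 * 60   # Twilio caps Access Token lifetime at 24 hours
DEFAULT_TTL_SECONDS = 15 * 60    # assumed app-specific "shortest feasible" window


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def mint_access_token(account_sid, api_key_sid, api_key_secret, identity,
                      grants, ttl=DEFAULT_TTL_SECONDS, now=None):
    """Return a signed Access Token whose lifetime never exceeds 24 hours."""
    if ttl <= 0:
        raise ValueError("ttl must be positive")
    ttl = min(ttl, MAX_TTL_SECONDS)          # clamp to Twilio's hard limit
    now = int(time.time()) if now is None else int(now)
    header = {"typ": "JWT", "alg": "HS256", "cty": "twilio-fpa;v=1"}
    payload = {
        "jti": f"{api_key_sid}-{now}",
        "iss": api_key_sid,                  # the API Key whose secret signs the token
        "sub": account_sid,                  # the account the grants apply to
        "nbf": now,
        "exp": now + ttl,
        "grants": {"identity": identity, **grants},
    }
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload))
    sig = hmac.new(api_key_secret.encode(), signing_input.encode(),
                   hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def decode_claims(token):
    """Return the payload claims without verifying them (inspection only)."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def verify_access_token(token, api_key_secret, now=None):
    """Check signature and validity window the way a relying server would."""
    signing_input, _, sig_b64 = token.rpartition(".")
    expected = hmac.new(api_key_secret.encode(), signing_input.encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig_b64):
        return False
    claims = decode_claims(token)
    now = int(time.time()) if now is None else int(now)
    return claims["nbf"] <= now < claims["exp"]


if __name__ == "__main__":
    # Placeholder credentials, not real ones.
    account = "AC" + "0" * 32
    key_sid = "SK" + "1" * 32
    secret = "placeholder-api-key-secret"
    token = mint_access_token(account, key_sid, secret, "alice",
                              {"video": {"room": "demo"}}, ttl=600)
    print(token)
    print(decode_claims(token))
```

Because the secret alone produces a valid signature, rotating or deleting the API Key is the only way to stop an attacker who has it from minting tokens; a short TTL limits how long any token that was already issued remains usable.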

Fix - Buildtime

Twilio

Step 1: Revoke the exposed secret.

The following REST API call deletes an API Key. Deleting the key revokes its authorization to authenticate to the REST API and invalidates all Access Tokens generated using its secret. Authenticate the request with the Account SID and Auth Token, not with the key being removed.

If the delete is successful, Twilio will return an HTTP 204 response with no body.

DELETE https://api.twilio.com/2010-04-01/Accounts/{AccountSid}/Keys/{Sid}.json

Step 2: Clean the git history.
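The two steps above, as one added example (illustrative code, not Twilio's or Bridgecrew's own): the revocation call from Step 1 with the SID format checks a practitioner would want before firing a DELETE, and a search for leftover Key SIDs over text such as `git log -p` output for Step 2. The transport is passed in as a `send` callable so the request can be exercised offline; the SIDs, the Auth Token and the sample diff are constructed placeholders, not real credentials or real repository content.

```python
# Added example covering Step 1 (revoke the API Key) and Step 2 (look for the
# key in git history). Not Twilio's or Bridgecrew's code. Network I/O goes
# through an injectable `send` callable; all SIDs, tokens and the sample diff
# below are constructed placeholders.
import base64
import re
import urllib.error
import urllib.request

ACCOUNT_SID_RE = re.compile(r"^AC[0-9a-fA-F]{32}$")
API_KEY_SID_RE = re.compile(r"^SK[0-9a-fA-F]{32}$")
# A Key SID embedded anywhere in text. The secret has no fixed prefix, so the
# SID is the reliable anchor when searching commits, diffs and config files.
EMBEDDED_KEY_SID_RE = re.compile(r"\bSK[0-9a-fA-F]{32}\b")

# Constructed sample of `git log -p` output containing a leaked key (placeholder).
SAMPLE_GIT_LOG = """\
commit 0123456789abcdef0123456789abcdef01234567
    add twilio config
+TWILIO_ACCOUNT_SID=AC00000000000000000000000000000000
+TWILIO_API_KEY_SID=SK11111111111111111111111111111111
+TWILIO_API_KEY_SECRET=placeholder-secret-value
"""


def revoke_url(account_sid, key_sid):
    """Build the Keys resource URL, refusing malformed SIDs up front."""
    if not ACCOUNT_SID_RE.match(account_sid):
        raise ValueError("malformed Account SID (expected AC + 32 hex chars)")
    if not API_KEY_SID_RE.match(key_sid):
        raise ValueError("malformed API Key SID (expected SK + 32 hex chars)")
    return (f"https://api.twilio.com/2010-04-01/Accounts/"
            f"{account_sid}/Keys/{key_sid}.json")


def _urllib_send(request):
    """Default transport: perform the request and return (status, body)."""
    try:
        with urllib.request.urlopen(request, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def revoke_api_key(account_sid, auth_token, key_sid, send=_urllib_send):
    """DELETE the key, authenticating with the Account SID and Auth Token
    (HTTP basic auth), never with the compromised key itself. Returns True
    only on the HTTP 204 that Twilio documents for a successful delete."""
    req = urllib.request.Request(revoke_url(account_sid, key_sid), method="DELETE")
    cred = base64.b64encode(f"{account_sid}:{auth_token}".encode()).decode("ascii")
    req.add_header("Authorization", f"Basic {cred}")
    status, _body = send(req)
    return status == 204


def find_key_sids(text):
    """Return the distinct API Key SIDs present in a blob of text."""
    return sorted(set(EMBEDDED_KEY_SID_RE.findall(text)))


if __name__ == "__main__":
    # Placeholder credentials; a real run would read these from the environment.
    account = "AC" + "0" * 32
    for sid in find_key_sids(SAMPLE_GIT_LOG):
        print("found key in history:", sid)
        print("would call DELETE", revoke_url(account, sid))
```

Revoke first and rewrite history second: deleting the key stops its secret from authenticating anything, while rewriting history only removes the copy in your repository and does nothing about copies already cloned or mirrored elsewhere.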