Vapi sends Twilio auth token in server messages
# support
r
Hey team, I've just realised that the Twilio auth token is included in every server message. Is this intended? We just released to production and this is raising some security questions within my company. Thanks in advance 🙏
v
Hi there! 👋 I understand your concern about finding the Twilio auth token in server messages. While I can't definitively state whether this is intended behavior by Vapi, I can certainly help with the security implications and recommended actions. Based on the information I've found, sending Twilio Account SID and Auth Token as plain text in payloads is definitely a security concern. According to documentation, this is not standard practice and poses risks to your account security.

## Security Implications

Including the Twilio auth token in server messages is a significant security concern because:

> "It's definitely a security concern to have sensitive credentials like your Twilio Account SID and Auth Token sent as plain text in payloads. These should be kept confidential to prevent unauthorized access to your Twilio account." [Source](https://discord.com/channels/1211482211119796234/1211483291191083018/threads/1336716627915309116)

## Recommended Actions

Here are some immediate steps you should consider:

1. Regenerate your Twilio Auth Token as a precaution to prevent potential misuse of the exposed token. Make sure to update all your applications with the new token. [Source](https://discord.com/channels/1211482211119796234/1211483291191083018/threads/1336716627915309116)
2. Review your webhook configurations to ensure you're not inadvertently passing credentials in the URL or request body. [Source](https://discord.com/channels/1211482211119796234/1211483291191083018/threads/1336716627915309116)
3. Consider using API keys with restricted permissions instead of full Twilio credentials for Vapi integration. This allows authentication without exposing primary account credentials. [Source](https://discord.com/channels/1211482211119796234/1211483291191083018/threads/1334941334368419850)
4. Ensure proper encryption - Twilio's standard practice is to use HTTP POST requests with SSL to ensure data is encrypted during transmission, and credentials should not be included in the payload. [Source](https://discord.com/channels/1211482211119796234/1211483291191083018/threads/1336716627915309116)

Is there anything specific about these security recommendations you'd like me to elaborate on?

Sources:
- [Discord Thread about Twilio Auth Token Security](https://discord.com/channels/1211482211119796234/1211483291191083018/threads/1336716627915309116)
- [Discord Thread about API Keys](https://discord.com/channels/1211482211119796234/1211483291191083018/threads/1334941334368419850)
s
Hey Rublo, this is intended behavior as of now. Your request has been sent to the team, and eventually it will be converted into encrypted text, so you don't have to worry. But in case you want to track the feature request, you can open a feature request by yourself as well. You can raise a feature request for it over here: https://roadmap.vapi.ai
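Since the token currently arrives with every server message, the practical mitigation on the receiving side (the webhook review from the recommendations above) is to make sure it never lands in logs, tickets or analytics. The following is an added example for this thread, not code from Vapi or Twilio; the payload layout, the field names such as `twilioAuthToken` and `debug`, and the token value are constructed assumptions, not Vapi's documented schema:

```python
"""Detect and redact Twilio credentials in inbound server-message payloads before logging.

Added example for this support thread; it is not Vapi's or Twilio's code.
The payload shape, field names and token value below are constructed for
illustration and are assumptions, not Vapi's documented schema.
"""
from __future__ import annotations

import json
import re
from typing import Any

# Keys treated as credentials wherever they appear in the payload (case-insensitive).
# The name list is an assumption; extend it to match your own provider fields.
SECRET_KEY_PATTERN = re.compile(
    r"auth[_-]?token|account[_-]?sid|api[_-]?key|secret|password", re.I
)
MASK = "[REDACTED]"


def find_secret_paths(node: Any, known_secrets: set[str], path: str = "$") -> list[str]:
    """Return JSON paths of fields whose key looks like a credential, plus any
    string field (under an innocuous key) that embeds a known secret value."""
    hits: list[str] = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if SECRET_KEY_PATTERN.search(str(key)):
                hits.append(child)
            hits.extend(find_secret_paths(value, known_secrets, child))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits.extend(find_secret_paths(value, known_secrets, f"{path}[{i}]"))
    elif isinstance(node, str):
        if any(secret and secret in node for secret in known_secrets):
            hits.append(path)
    return list(dict.fromkeys(hits))  # de-duplicate, keep first-seen order


def redact(node: Any, known_secrets: set[str]) -> Any:
    """Return a copy of the payload with credential keys masked and known secret
    values scrubbed out of every string, including URLs and free-text fields."""
    if isinstance(node, dict):
        return {
            key: MASK if SECRET_KEY_PATTERN.search(str(key)) else redact(value, known_secrets)
            for key, value in node.items()
        }
    if isinstance(node, list):
        return [redact(value, known_secrets) for value in node]
    if isinstance(node, str):
        for secret in known_secrets:
            if secret:
                node = node.replace(secret, MASK)
        return node
    return node


def safe_log_line(payload: dict[str, Any], known_secrets: set[str]) -> str:
    """Serialize a redacted copy of the payload; log this, never the raw body."""
    return json.dumps(redact(payload, known_secrets), sort_keys=True)


# Constructed sample. The token is a fake 32-hex-char placeholder, not a real credential.
CONFIGURED_TWILIO_AUTH_TOKEN = "0123456789abcdef0123456789abcdef"
SAMPLE_SERVER_MESSAGE: dict[str, Any] = {
    "message": {
        "type": "status-update",
        "call": {"id": "call_123", "provider": "twilio"},
        "phoneNumber": {
            "twilioAccountSid": "ACffffffffffffffffffffffffffffffff",
            "twilioAuthToken": CONFIGURED_TWILIO_AUTH_TOKEN,
        },
        # Same token inside an innocuous-looking field: a key-name filter alone misses this.
        "debug": f"provider auth: basic ACffff...:{CONFIGURED_TWILIO_AUTH_TOKEN}",
    }
}

if __name__ == "__main__":
    secrets = {CONFIGURED_TWILIO_AUTH_TOKEN}
    print("credential fields found at:", find_secret_paths(SAMPLE_SERVER_MESSAGE, secrets))
    print("safe to log:", safe_log_line(SAMPLE_SERVER_MESSAGE, secrets))
```

Run `find_secret_paths` over a captured server message with the token you configured in Vapi to see exactly where it appears, then write only the `safe_log_line` output to your logs. Matching on key names alone is not enough, which is why the known secret value is also scrubbed from every string; and redaction at the receiver is a mitigation, not a fix: the token is still transmitted, so regenerating it after any exposure still applies.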
r
Thanks a lot for addressing this
s
Marking this ticket as Solved ✅