Why do you send the Twilio auth token in the body ...
# support
j
v
You're right to be concerned about security. While I can't explain why this design choice was made, I can suggest using the `server` object configuration to avoid sending sensitive credentials in the request body:
```shell
# Replace {assistant_id} and YOUR_API_KEY with your own values
curl -X PATCH 'https://api.vapi.ai/assistant/{assistant_id}' \
  -H 'Authorization: Bearer YOUR_API_KEY' \
  -H 'Content-Type: application/json' \
  -d '{
    "server": {
      "url": "https://your-server-url.com",
      "secret": "your-secret-key",
      "headers": {
        "custom-header": "header-value"
      }
    }
  }'
```
This approach uses custom headers for authentication instead of including credentials in the body.
Sources:
- [Discord conversation about custom headers](https://discord.com/channels/1211482211119796234/1341692740454584331)
- [Vapi changelog](https://docs.vapi.ai/changelog/2024/10/13)
j
@Vapi Support Bot given how the Twilio auth token is being returned in the body of multiple api requests and server messages what do you estimate the chances are that Vapi is storing this in plaintext in their database? 🤔
@Vapi Support Bot also why is the llm attached to the docs lying to me about this, I can literally list every twilio sid and auth token just by calling a GET on the phone number endpoint https://cdn.discordapp.com/attachments/1366981785254236220/1367162024613908611/image.png?ex=6813945b&is=681242db&hm=8176c1046b1c6b1a169dcfa4e359c6fe505ff4c273dbc12b38588bbbfba313aa&
v
I cannot determine whether Vapi stores Twilio auth tokens in plaintext in their database, as this information isn't available in the documentation. As a security precaution, I recommend regenerating your Twilio Auth Token and using the `server` object configuration to avoid sending sensitive credentials in request bodies:
```json
"server": {
  "url": "https://your-server-url.com",
  "secret": "your-secret-key",
  "headers": {
    "custom-header": "header-value"
  }
}
```
This approach uses custom headers for authentication instead of including credentials in the body.
Source:
- [Discord conversation about security concerns](https://discord.com/channels/1211482211119796234/1336716627915309116)
j
With all the reports going around lately of people getting bills in the tens of thousands of dollars inexplicably attributed to their Twilio accounts, I would hope Vapi will sort this out ASAP.
@Sahil @Shubham Bajaj FYI
s
Hey, we don't have anything in connection with or in relation to people's Twilio bills. That's definitely for sure. Thousands of people are using VAPI; usually people leak their secrets and then put the blame on us, which we have observed in the past.
j
The Twilio auth token gives full access to someone's Twilio account.
I can call the /phone-number endpoint and get a list of all the account SIDs and auth tokens associated with every phone number imported from Twilio
in the body of the response.
s
@John George When you call the phone number endpoint, you are doing it using your own token, I believe, not with the others', unless someone else gives you access to it.
@John George I really appreciate your bringing this topic up. I will check in our code where we are sending the Twilio tokens in plain text. If you have a call ID where you have observed this, it would be really helpful for me to get it resolved.
j
@nikhil @jordan can you please look into this issue
This is a little ridiculous that I have to explain why this is bad.
For any organisation I have access to, if someone else has used their Twilio account to import a number, I can steal their credentials.
If any logging is happening of the body of your API endpoint requests involving phone numbers, these credentials could inadvertently be leaked.
Log into any Twilio account and the first thing you see under the auth token is https://www.twilio.com/en-us/blog/protect-phishing-auth-token-fraud
s
I am not asking you to explain to me why this is bad or wrong. I was just letting you know.
j
And you've got an endpoint that can literally allow someone to list multiple auth tokens in the body of the response.
Well, this is the textbook definition of a critical security vulnerability.
s
@John George What you are trying to convey is critical: someone added to their org as a freelance developer can access their credentials, even for the production one. Completely agreed with you on this.
update
Spoke with @John George about this and will inform the team.