How to use RequestValidator with API Key?

I'm trying to reconcile Twilio's advice and security best practices.

I initially wrote the app using SID and auth-token.

https://www.twilio.com/docs/usage/rest-api-best-practices says:

"we recommend the use of API Keys"

So I'm converting the Python helper REST client to initialize using API key/secret

and since this is a webhook auth, following this security practice: https://www.twilio.com/docs/usage/security#validating-requests

Using: https://www.twilio.com/docs/usage/tutorials/how-to-secure-your-flask-app-by-validating-incoming-twilio-requests

However, this only seems to support auth_token.

Does this mean there is no way to use API keys in a webhook app?

It seems silly to bother with API key secrets in app config if I'm also having to set the auth_token secret as well.

There are 1 best solutions below

Twilio employee here

Looks like you've spotted an inconsistency in our guidance. You are correct: if your app receives incoming webhooks from Twilio and you want to validate the signature of those incoming requests, you cannot use API keys to do so - you must use your account's Auth Token.

I just fixed the first doc you linked to so it reflects that guidance. Thank you for raising this with us and my apologies for the inconsistency in our docs!
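Added example, not part of the answer above and not Twilio's own code: a standard-library sketch of the signature check Twilio documents for form-encoded POST webhooks (HMAC-SHA1 over the URL plus the sorted parameters, keyed with the Auth Token, Base64-encoded into `X-Twilio-Signature`), showing why an API key secret cannot validate the request. All tokens, URLs and parameters are constructed sample values, and the function names are hypothetical; in an application, the helper library's `RequestValidator` performs this check.

```python
import base64
import hashlib
import hmac


def compute_signature(auth_token, url, params):
    """HMAC-SHA1 over URL + each POST key/value (sorted by key), Base64-encoded."""
    data = url + "".join(key + params[key] for key in sorted(params))
    mac = hmac.new(auth_token.encode("utf-8"), data.encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def validate(secret, url, params, signature):
    """Constant-time comparison; a missing header is rejected, not an error."""
    expected = compute_signature(secret, url, params)
    return hmac.compare_digest(expected, signature or "")


# Constructed sample values (assumptions, not real credentials or endpoints).
AUTH_TOKEN = "constructed-auth-token"
API_KEY_SECRET = "constructed-api-key-secret"
URL = "https://example.com/voice"
PARAMS = {"CallSid": "CA-constructed", "From": "+15550100", "To": "+15550101"}


def demo():
    # The header value as the sender would compute it: keyed with the Auth Token.
    header = compute_signature(AUTH_TOKEN, URL, PARAMS)
    return {
        # The webhook app must hold the Auth Token to reproduce the signature.
        "auth_token": validate(AUTH_TOKEN, URL, PARAMS, header),
        # An API key secret is a different key, so the HMAC never matches.
        "api_key_secret": validate(API_KEY_SECRET, URL, PARAMS, header),
        # Any change to a signed parameter invalidates the signature.
        "tampered": validate(AUTH_TOKEN, URL, dict(PARAMS, To="+15550199"), header),
        # Requests without the header fail closed.
        "missing_header": validate(AUTH_TOKEN, URL, PARAMS, None),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

The REST client can still be initialized with the API key and secret for outbound calls; only the inbound signature check needs the Auth Token in the app's configuration.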