twilio-security-hardening
Overview
Security hardening is an ongoing concern — not a one-time setup. This skill covers account-level security decisions and application-level protection patterns that prevent credential leaks, fraud, and compliance violations.
Lifecycle: Choose numbers (twilio-numbers-senders) → Register (twilio-compliance-onboarding) → Follow traffic rules (twilio-compliance-traffic) → Secure everything (this skill)
Credential Management
API Keys vs Auth Tokens
| Credential | Scope | Revocable | Use when |
|---|---|---|---|
| Auth Token | Full account access | Only by rotating (invalidates all token-based integrations and webhook signature validation — API keys unaffected) | Avoid in production — use API keys instead |
| API Key + Secret | Scoped, revocable individually | Yes — revoke one without affecting others | Production applications, CI/CD, server-side code |
| Access Tokens | Short-lived, client-specific | Expire automatically | Client-side SDKs (Voice, Video, Conversations) |
Critical gotcha: Rotating your Auth Token invalidates all integrations authenticating with AccountSID:AuthToken and breaks webhook signature validation — it does NOT affect API keys (SK-prefixed), which are independent. Use API keys from the start so you rarely need to rotate the Auth Token.
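To make the webhook-signature consequence concrete, here is an added example (not Twilio's SDK code; in production use the `RequestValidator` shipped with the Twilio helper libraries) that implements Twilio's documented X-Twilio-Signature scheme with the standard library and shows that a request signed with the old Auth Token no longer validates once the token is rotated. The token values and webhook URL are constructed placeholders.

```python
import base64
import hashlib
import hmac


def compute_twilio_signature(auth_token: str, url: str, params: dict) -> str:
    """Compute the X-Twilio-Signature value Twilio attaches to a webhook.

    Documented scheme: take the full request URL, append each POST parameter
    as key followed by value (sorted by key), HMAC-SHA1 the result with the
    account Auth Token, and base64-encode the digest.
    """
    payload = url + "".join(key + params[key] for key in sorted(params))
    digest = hmac.new(auth_token.encode(), payload.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def validate_webhook(auth_token: str, url: str, params: dict, signature_header: str) -> bool:
    """Return True only if the header matches the signature for this token."""
    expected = compute_twilio_signature(auth_token, url, params)
    # constant-time comparison so a forged header leaks no timing information
    return hmac.compare_digest(expected, signature_header)


# Constructed sample data (placeholders, not real credentials or traffic).
OLD_AUTH_TOKEN = "OLD_AUTH_TOKEN_PLACEHOLDER"
NEW_AUTH_TOKEN = "NEW_AUTH_TOKEN_PLACEHOLDER"
WEBHOOK_URL = "https://example.com/twilio/sms"
SAMPLE_PARAMS = {"From": "+15550000001", "To": "+15550000002", "Body": "hello"}


def rotation_breaks_validation() -> tuple:
    """Simulate a webhook Twilio signed before the Auth Token was rotated.

    Returns (validates_with_old_token, validates_with_new_token); the second
    value is False, which is exactly the breakage the gotcha above describes.
    """
    header = compute_twilio_signature(OLD_AUTH_TOKEN, WEBHOOK_URL, SAMPLE_PARAMS)
    before = validate_webhook(OLD_AUTH_TOKEN, WEBHOOK_URL, SAMPLE_PARAMS, header)
    after = validate_webhook(NEW_AUTH_TOKEN, WEBHOOK_URL, SAMPLE_PARAMS, header)
    return before, after


if __name__ == "__main__":
    print(rotation_breaks_validation())  # (True, False)
```

Because the signing key is the Auth Token itself, a validator must be updated with the new token at the same moment the rotation happens, or every inbound webhook is rejected in the gap.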