0

I am using Twilio Voice API to make calls. The flow is that a user initiates an action on my site, we then send a request to Twilio API via the twilio object in the ruby gem. This object contains the 'from' number, 'to' number, and 'url'.

The 'url' is my API end point, which looks something like this

.../api/v1/users/here

From here, I route the request to one of my controllers' actions to serve up TwiML to play.

My question is: How can I ensure that ONLY TWILIO is able to ping this api endpoint?

a) Is there some kind of identifier in Twilio's request that I can use to validate the source?

b) I am using Grape gem to set up the api endpoint. Can I do something with the grape gem for this purpose?

RPV
  • 397
  • 1
  • 5
  • 16

2 Answers

3

Twilio evangelist here.

Twilio has a special header we send called X-Twilio-Signature that allows you to validate that the webhook request is only coming from Twilio.

The Ruby helper library includes a piece of middleware that you can plug in to check for this header and perform the validation. Check out this blog post for more info:

https://www.twilio.com/blog/2014/09/securing-your-ruby-webhooks-with-rack-middleware.html

Hope that helps.

Devin Rader
  • 10,260
  • 1
  • 20
  • 32
0

A simple way to do this is with an API token. Pick a nice, random string and set up your Twilio URL to include ?token=abcd1234, then on your server, verify that the token is present. Anyone else hitting your endpoint won't have it, so you know it must be Twilio.

Kristján
  • 18,165
  • 5
  • 50
  • 62
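Both answers above describe a check the endpoint can make before serving TwiML. The following is an added example, not code from the thread or from the Twilio gem, that re-implements the X-Twilio-Signature scheme from the first answer (HMAC-SHA1 over the full request URL plus the POST parameters sorted by key, keyed with the account Auth Token, Base64-encoded) and shows that it also covers the query-string token from the second answer, because the URL including its query string is part of what is signed. The Auth Token, URL, parameters and the Grape wiring mentioned in the comments are constructed assumptions.

```ruby
require "openssl"

# Hypothetical validator re-implementing Twilio's documented request signing:
# signature = Base64(HMAC-SHA1(auth_token, url + sorted "key"+"value" pairs)).
class TwilioRequestValidator
  def initialize(auth_token)
    @auth_token = auth_token
  end

  # The string Twilio signs: the URL (query string included) followed by every
  # POST parameter as key then value, in alphabetical key order, no separators.
  def signed_string(url, post_params)
    url + post_params.sort_by { |k, _| k.to_s }.map { |k, v| "#{k}#{v}" }.join
  end

  def expected_signature(url, post_params)
    digest = OpenSSL::HMAC.digest(OpenSSL::Digest.new("sha1"), @auth_token,
                                  signed_string(url, post_params))
    [digest].pack("m0") # strict Base64, no trailing newline
  end

  # True only when the header equals the recomputed signature. The comparison
  # is constant-time so response timing does not leak how many bytes matched.
  def valid?(url, post_params, header_signature)
    return false if header_signature.nil?
    secure_equal?(expected_signature(url, post_params), header_signature)
  end

  private

  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed sample values (not a real token or account). In a Grape API this
# check would sit in a `before` block reading env["HTTP_X_TWILIO_SIGNATURE"],
# request.url and request.POST (hypothetical wiring, not from the thread).
SAMPLE_AUTH_TOKEN = "example-auth-token-not-real"
SAMPLE_URL = "https://example.com/api/v1/users/here?token=abcd1234"
SAMPLE_POST = { "From" => "+15550001111", "To" => "+15550002222", "CallSid" => "CAexample" }

# Returns [genuine request ok?, tampered body ok?, tampered token ok?].
def demo
  v = TwilioRequestValidator.new(SAMPLE_AUTH_TOKEN)
  sig = v.expected_signature(SAMPLE_URL, SAMPLE_POST)
  [v.valid?(SAMPLE_URL, SAMPLE_POST, sig),
   v.valid?(SAMPLE_URL, SAMPLE_POST.merge("To" => "+15559999999"), sig),
   v.valid?(SAMPLE_URL.sub("abcd1234", "other"), SAMPLE_POST, sig)]
end
```

A request that arrives with only the right `?token=` but a forged or missing signature fails the check, which is what makes the signature the stronger of the two controls.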