How to use RequestValidator with API Key?

Question

I'm trying to reconcile Twilio's advice and security best practices.

I initially wrote the app using SID and auth-token.

https://www.twilio.com/docs/usage/rest-api-best-practices says:

"we recommend the use of API Keys"

So I'm converting the python helper rest client to initialize using api key/secret

and since this is a webhook auth, following this security practice: https://www.twilio.com/docs/usage/security#validating-requests

Using: https://www.twilio.com/docs/usage/tutorials/how-to-secure-your-flask-app-by-validating-incoming-twilio-requests

However, this only seems to support auth_token

Does this mean there is no way to use API keys in a webhook app?

It seems silly to bother with API key secrets in app config if I'm also having to set the auth_token secret as well.

Answer 1

Twilio employee here

Looks like you've spotted an inconsistency in our guidance. You are correct: if your app receives incoming webhooks from Twilio and you want to validate the signature of those incoming requests, you cannot use API keys to do so - you must use your account's Auth Token.

I just fixed the first doc you linked to so it reflects that guidance. Thank you for raising this with us and my apologies for the inconsistency in our docs!