Webhook Relay
Sign up free

Verify Twilio Webhook Signatures

Twilio signs requests differently from most providers: it takes your exact webhook URL, appends every POST parameter sorted alphabetically (key immediately followed by value), and computes HMAC-SHA1 with your Auth Token, base64-encoded. The result is sent in X-Twilio-Signature. Enter the URL, the POST parameters and your Auth Token.

Paste the X-Twilio-Signature value above to compare

Everything runs in your browser — the payload and secret never leave this page. Want to verify a different provider? See the webhook signature verifier hub or the generic HMAC generator.

How Twilio signs webhooks

  1. Start with the full request URL exactly as configured (including https:// and any query string).
  2. Sort the POST parameters alphabetically by name and append each name immediately followed by its value.
  3. Compute HMAC-SHA1 of that string using your Auth Token as the key, base64-encoded.
  4. Compare to X-Twilio-Signature with a constant-time check.

Reference: Twilio signature documentation.

Verify Twilio signatures in code

Node.js
const twilio = require('twilio');

const valid = twilio.validateRequest(
  process.env.TWILIO_AUTH_TOKEN,
  req.headers['x-twilio-signature'],
  url,          // the exact URL Twilio requested
  req.body);    // parsed POST params
Python
from twilio.request_validator import RequestValidator

validator = RequestValidator(auth_token)
valid = validator.validate(
    url,                                  # the exact URL Twilio requested
    request.form,                         # POST params
    request.headers['X-Twilio-Signature'])

Frequently asked questions

Why is Twilio different from Stripe or GitHub?

Twilio signs the URL plus the sorted POST parameters (not the raw JSON body) with HMAC-SHA1. This tool covers that standard form-encoded callback scheme; JSON bodies and the newer public-key signatures work differently.

What key does Twilio use?

Your account Auth Token, found in the Twilio Console. Rotate it carefully — it signs every request from Twilio.

Verify other providers

StripeGitHubShopifySlackStandard Webhooks
HMAC GeneratorCloudEvents ValidatorWebhook Tester (Bin)

Receiving Twilio webhooks on a server behind a firewall or on localhost? Webhook Relay can forward them to your internal service and even verify or transform them before delivery.