Is an access token an API key?

Question

Access Tokens are short-lived tokens that you use to authenticate Twilio Client SDKs like Voice , Conversations, Sync and Video, and Twilio Live.

Table of Contents Show

Anatomy of an Access Token
How to create Access Tokens
Step 1: Find your Account SID
Step 2: Create an API Key and Secret
Step 3: Generate an Access Token
Is access token same as API key?
What is access token in API?
What is an example of an API key?
What is difference between API key and JWT token?

You create them on your server to verify a user’s identity and grant access to client API features. All tokens have a limited lifetime, configurable up to 24 hours. However, a best practice is to generate Access Tokens for the shortest amount of time feasible for your application.

Anatomy of an Access Token

Each Access Token is a JSON Web Token (JWT), an encoded JSON object with three parts: the header, the payload, and the signature. The following is an example Access Token generated for Conversations.

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsImN0eSI6InR3aWxpby1mcGE7dj0xIn0.eyJqdGkiOiJTS3h4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4LTE0NTA0NzExNDciLCJpc3MiOiJTS3h4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4Iiwic3ViIjoiQUN4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eCIsIm5iZiI6MTQ1MDQ3MTE0NywiZXhwIjoxNDUwNDc0NzQ3LCJncmFudHMiOnsiaWRlbnRpdHkiOiJ1c2VyQGV4YW1wbGUuY29tIiwiaXBfbWVzc2FnaW5nIjp7InNlcnZpY2Vfc2lkIjoiSVN4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eCIsImVuZHBvaW50X2lkIjoiSGlwRmxvd1NsYWNrRG9ja1JDOnVzZXJAZXhhbXBsZS5jb206c29tZWlvc2RldmljZSJ9fX0.IHx8KeH1acIfwnd8EIin3QBGPbfnF-yVnSFp5NpQJi0

If you inspect it with the debugger at jwt.io, you can further explore its content.

Header

{
  "typ": "JWT",
  "alg": "HS256",
  "cty": "twilio-fpa;v=1" 
}

The header section encodes the format of the token:

typ is the type of token. Its value must be "JWT".
alg is the algorithm used to encode the token. Its value must be "HS256".
cty is the content-type and encodes the version of the Access Token. Its value must be "twilio-fpa;v=1".

Payload

{
  "jti": "SKxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-1450471147",
  "iss": "SKxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "sub": "ACxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "iat": 1450471147,
  "nbf": 1450471147,
  "exp": 1450474747,
  "grants": {
    "identity": "user_name",
    "chat": {
      "service_sid": "ISxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    }
  }
}

The payload section describes the authorization granted:

jti is a unique identifier for the token. Your application can choose this identifier. The default helper library implementation includes the SID of the API key used to generate the token, and a unique random string.
iss is the issuer — the API key containing the secret used to sign the token.
sub is the SID of the Twilio Account to which access is scoped.
iat is the timestamp at which the token was issued.
nbf is an optional timestamp, before which the token will NOT be accepted.
exp is the timestamp at which the token will expire. Tokens have a maximum age of 24 hours.
grants is the list of permissions that the token grants. Grant properties and values will depend on the Twilio product and the needs of your specific use case.(See the Grants section below for more information.)

Signature

The signature section is a signed hash that serves to prove the authenticity of the token. It is the result of hashing the JWT header and payload together with your API key secret, which should only be known to your application and Twilio.

How to create Access Tokens

Twilio Access Tokens are based on the JSON Web Token standard.

You can use one of Twilio's Helper Libraries to create Access Tokens quickly and programmatically.

Step 1: Find your Account SID

Every Access Token requires your Account SID, which you can find in your Twilio Console. This is how the AccessToken will tie a user's activity to a specific Twilio account.

Step 2: Create an API Key and Secret

Next, you need to create an API key. You can create API keys from the Twilio Console or with the REST API.

When you create the API key, you’ll be shown the key’s secret, which is used to sign the Access Token. For security, you will only be shown the secret at this time, so you need to store it with the key’s SID in a secure location for the next step.

Step 3: Generate an Access Token

Now use the information gathered in steps 1 and 2 to generate an Access Token using a Twilio Helper Library.

When creating an Access Token, you must provide:

Your Twilio Account SID
The API key SID and API key secret from step 2

You can also optionally provide any of the following JWT configuration values.

Parameter	Description	Example
`identity`	The identity to associate with the Access Token. Typically, this will be a username in your system. Voice tokens may only contain alpha-numeric and underscore characters.	`user_name`
`ttl`	Time to live for the token, in seconds.	`3600`
`nbf`	Token not before time, or the time before which the token will NOT be accepted. Values are in Epoch time.	`1615404972`
`region`	The intended Twilio Region for the token. Currently only supported for Voice tokens.	`us1`

Each Twilio product will also require at least one "grant", which will provide product-specific abilities to the user associated with an Access Token.

Programmable Voice access tokens limit the number of concurrent sessions for a given identity to ten. When the 11th instance of the identity is registered the oldest registration is removed.

Create an Access Token for Conversations

The Conversations SDK requires each Access Token to contain a ChatGrant. Each ChatGrant must contain the SID for your Conversation Service. Each Access Token will also contain an identity grant that associates an Access Token with a specific user.

You are viewing an outdated version of this SDK.

Create an Access Token for Voice

You are viewing an outdated version of this SDK.

The Voice SDKs require each Access Token to contain an identity grant and a VoiceGrant. The identity grant is what associates an Access Token with a specific user.

Each VoiceGrant contains the following parameters:

Parameter	Type	Description
incomingAllow	boolean	Indicates whether or not the endpoint associated with this Access Token is allowed to receive incoming calls as the identity included in the Access Token
outgoingApplicationSid	string	The SID of the TwiML App that Twilio will look to when making outgoing calls. (Note: This is required for using any of the Voice SDKs.)
outgoingApplicationParams	object	Request parameters to send to the TwiML Application for outgoing calls
pushCredentialSid	string	The SID of the Push Credential to use when registering to receive incoming call notifications (Mobile SDKs only)

The payload of a decoded Voice AccessToken will look something like the following:

{
  "jti": "SKxxxx...-1643993631",
  "grants": {
    "identity": "alice",
    "voice": {
      "incoming": {
        "allow": true
      },
      "outgoing": {
        "application_sid": "APxxxx..."
      },
      "push_credential_sid": "CRxxxx..."
    }
  },
  "iat": 1643993631,
  "exp": 1643997231,
  "iss": "SKxxxx...",
  "sub": "ACxxxx..."
}

Create an Access Token for Video

The Video SDKs require each Access Token to contain an identity grant and a VideoGrant.

The identity grant is what associates an Access Token with a specific user.

Each VideoGrant contains an optional room parameter for a specific Room name or SID, which indicates the holder of the Access Token may only connect to the indicated Room.

Learn more about Video Access Tokens on the User Identity & Access Tokens page.

You are viewing an outdated version of this SDK.

Create an Access Token for Sync

Sync requires your Access Token to contain an identity grant and a SyncGrant. The identity grant is what associates an Access Token with a specific user.

The SyncGrant requires a serviceSid parameter containing the SID for your Sync Service.

Learn more about Sync Access Tokens on the Issuing Sync Tokens page.

You are viewing an outdated version of this SDK.

Create an Access Token for Twilio Live (PlaybackGrant)

The Twilio Live SDKs require each Access Token to contain a PlaybackGrant, which is generated via the Twilio REST API.

The PlaybackGrant grants access to a single livestream, specified by the livestream’s PlayerStreamer SID. You can pass in an optional ttl when creating the PlaybackGrant via the REST API to control how long the PlaybackGrant is active. You can also optionally specify an accessControlAllowOrigin URL to restrict livestream playback to a specific domain. For more information, see the PlaybackGrant REST API documentation.

Learn more about Twilio Live Access Tokens in the Twilio Live Overview.

You are viewing an outdated version of this SDK.

Is access token same as API key?

The main distinction between these two is: API keys identify the calling project — the application or site — making the call to an API. Authentication tokens identify a user — the person — that is using the app or site.

What is access token in API?

What is an Access Token? A credential that can be used by an application to access an API. Access Tokens can be either an opaque string or a JSON Web Token (JWT) . They inform the API that the bearer of the token has been authorized: to access a particular service or services.

What is an example of an API key?

An API key is a token that a client provides when making API calls. The key can be sent in the query string: GET /something? api_key=abcdef12345.

What is difference between API key and JWT token?

Typically, the API key provides only application-level security, giving every user the same access; whereas the JWT token provides user-level access. A JWT token can contain information like its expiration date and a user identifier to determine the rights of the user across the entire ecosystem.

Web API key OAuth vs token API key generator