Please excuse our look. We're just getting started here.

Want to learn more about Twilio Forums? Check out our FAQ page here.

How to prevent abuse of Functions/Runtime?

edited August 2021 in Twilio Community


What's the appropriate way to prevent runtime endpoints from abuse when being called by an untrusted source (i.e., an iOS or Android app)? The tutorial ( ) has you expose your function as unprotected - but wouldn't this allow a malicious actor to call that endpoint many thousands of times to run up your bills and/or spam numbers? There's nothing obvious in the docs about rate limiting clients.


  • shelbyz
    shelbyz ✭✭✭

    You may want to look at making those functions protected which means that the caller is responsible for building a X-Twilio-Signature header to be provided before the function is executed.

    It does not mean however that some actor could not sniff network traffic and see a valid request and replay it repeatedly, but it should cut down on an actor finding an endpoint and making discovery/overloading requests.

  • Pudlo
    edited August 2021

    @shelbyz If I'm to sign a X-Twilio-Signature wouldn't that mean building in the AuthToken to the distributed app unless every possible query (including all possible parameters) is known in advance? That seems inadvisable.

If this is an emergency, please contact Twilio Support. This is not an official Support channel.
Have an urgent question?
Please contact Twilio Support. This is not an official Support channel.
Contact Support