Twilio-X-Signature is a hashed value derived from a specific set of data. Signatures are almost always unique; two signatures match only when the Auth Token, URL and parameter payloads are identical.

To generate the signature:

  • Twilio Security Documentation
  • Using nodejs Twilio SDK to generate signature example code
  • Note on URL encoding:
    • When Twilio calculates the signature, its input data isn't URL encoded; for example, '+' is not replaced with %2B in the URL (see the security documentation).
    • In form data, don't replace a space with the '+' character.
  • Postman pre-request script
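    // CryptoJS is provided as a global by the Postman sandbox
    const auth_token = "xxx"; // Twilio Auth Token (placeholder)

    // HMAC-SHA1 over the data, keyed with the Auth Token, Base64-encoded
    const crypto = (authToken, data) => {
        console.log(`Data: ${data}`);
        let signature = CryptoJS.HmacSHA1(
            CryptoJS.enc.Utf8.parse(data), authToken
        );
        let base64 = CryptoJS.enc.Base64.stringify(signature);
        return base64;
    };

    function getSignature(authToken, url, params) {
        var data = Object.keys(params)
            // sort parameters
            .sort()
            // concatenate them to a string
            .reduce((acc, key) => acc + key + params[key], url);
        return crypto(authToken, data);
    }

    // The third argument is cut off on the original page; request.data
    // (the form body in Postman's legacy sandbox) is an assumption here.
    const signature = getSignature(auth_token, request.url, request.data);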
  • Validate a Twilio Authy Callback
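
The receiving side of the same signature, as an added Node.js example (not code from the original page or from Twilio): it recomputes the HMAC-SHA1 with the construction used in the Postman script above, decodes the form body first as the URL-encoding note requires, and compares in constant time. The function names, token, URL and phone numbers are constructed for illustration.

```javascript
const { createHmac, timingSafeEqual } = require("node:crypto");

// Same construction as the Postman script: the URL, followed by each
// key + value pair taken in sorted key order, HMAC-SHA1, Base64.
function computeSignature(authToken, url, params) {
  const data = Object.keys(params)
    .sort()
    .reduce((acc, key) => acc + key + params[key], url);
  return createHmac("sha1", authToken).update(data, "utf8").digest("base64");
}

// Parse an application/x-www-form-urlencoded body into DECODED values:
// URLSearchParams turns %2B into '+' and '+' into a space.
function decodeForm(rawBody) {
  return Object.fromEntries(new URLSearchParams(rawBody));
}

// Constant-time comparison, so the check does not leak how many bytes matched.
function isValidSignature(authToken, url, rawBody, headerValue) {
  const expected = Buffer.from(computeSignature(authToken, url, decodeForm(rawBody)));
  const received = Buffer.from(String(headerValue));
  return expected.length === received.length && timingSafeEqual(expected, received);
}

// Constructed sample values (not real credentials, hosts or numbers).
const TOKEN = "constructed-auth-token";
const WEBHOOK_URL = "https://example.com/sms?tag=a+b"; // used as-is, '+' untouched
const RAW_BODY = "To=%2B15550100&Body=hello+world&From=%2B15550199";

function demo() {
  const decoded = decodeForm(RAW_BODY);
  const good = computeSignature(TOKEN, WEBHOOK_URL, decoded);
  // Signing the still-encoded values yields a different signature,
  // which is the usual cause of "valid request rejected" reports.
  const stillEncoded = { To: "%2B15550100", Body: "hello+world", From: "%2B15550199" };
  const bad = computeSignature(TOKEN, WEBHOOK_URL, stillEncoded);
  return {
    decoded,
    accepted: isValidSignature(TOKEN, WEBHOOK_URL, RAW_BODY, good),
    encodedRejected: !isValidSignature(TOKEN, WEBHOOK_URL, RAW_BODY, bad),
    tamperedRejected: !isValidSignature(
      TOKEN, WEBHOOK_URL, RAW_BODY.replace("hello", "HELLO"), good),
  };
}

console.log(demo());
```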