Fix guide · high · twilio_account_sid

Twilio Account SID in client code

What this rule means

A Twilio Account SID (the prefix AC followed by 32 hex characters, i.e. AC{32-hex}) was found in your client bundle.

Why it matters

The SID alone isn't a secret, but it's half of the auth pair (the other half is the auth token). If your auth token has ever been in client code — or in a public commit — the leaked SID points attackers at exactly which account to abuse.

How to fix it

  1. Audit for the auth token — search your bundle and your git history for the corresponding auth token. If found, rotate.
  2. Use API keys (API Keys docs) scoped to the minimum required permissions, instead of the master auth token.
  3. Set a permissions policy restricting what the account can do.

Did vibecheck flag this on your app?

If you reached this page from a vibecheck inspection report, the redacted match in your scan output is the exact string we found in your bundle. After applying the fix above, run the inspection again — the finding should clear.
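The detection and the audit step above, as an added example (not vibecheck's own scanner code): it matches the AC{32-hex} Account SID pattern in a bundle, looks for a 32-hex auth token candidate assigned to a token-like name, redacts every match the way a shareable report should, and shows the finding clearing once the credentials are moved out of the client. The bundle fragments, the keyword heuristic for token candidates, and the report shape are all constructed for this example.

```python
import json
import re
from typing import Dict, Iterable, List

# Twilio Account SID: the literal prefix "AC" followed by 32 lowercase hex chars.
ACCOUNT_SID_RE = re.compile(r"\bAC[0-9a-f]{32}\b")

# A Twilio auth token is a bare 32-hex string. On its own that pattern is far
# too noisy (it also matches MD5 digests and asset hashes), so this example only
# treats a 32-hex value as a token candidate when it is assigned to something
# named like a token or secret. This keyword heuristic is an assumption of the
# example, not a rule from the page.
AUTH_TOKEN_RE = re.compile(r"(?i:auth[_-]?token|token|secret)\W{0,8}([0-9a-f]{32})\b")


def redact(value: str, keep: int = 4) -> str:
    """Keep a short prefix so a finding can be traced to its source without republishing it."""
    return value[:keep] + "*" * (len(value) - keep)


def scan_bundle(lines: Iterable[str]) -> Dict[str, object]:
    """Scan one bundle: redacted Account SIDs, auth-token candidates, and a rotation verdict."""
    sids: List[Dict[str, object]] = []
    tokens: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, start=1):
        for m in ACCOUNT_SID_RE.finditer(line):
            sids.append({"line": lineno, "match": redact(m.group(0))})
        for m in AUTH_TOKEN_RE.finditer(line):
            tokens.append({"line": lineno, "match": redact(m.group(1))})
    return {
        "rule": "twilio_account_sid",
        "account_sids": sids,
        "auth_token_candidates": tokens,
        # SID and token in the same bundle is the "both halves leaked" case:
        # removing them from the next build is not enough, the token must be rotated.
        "rotate_required": bool(sids) and bool(tokens),
    }


# Constructed sample: fragments of a minified client bundle, not a real app.
SAMPLE_BUNDLE_BEFORE = """\
// constructed sample: fragments of a minified client bundle, not a real app
const cfg={region:"us1",accountSid:"ACa1b2c3d4e5f60718293a4b5c6d7e8f90",
authToken:"0f1e2d3c4b5a69788796a5b4c3d2e1f0",from:"+15005550006"};
export function sendSms(to,body){return post("/api/sms",{to,body});}
const assetHash="d41d8cd98f00b204e9800998ecf8427e"; // md5 digest, not a token
const legacy={sid:"AC00000000000000000000000000000000"};
"""

# Constructed sample: the same bundle after the Twilio call moved behind a server endpoint.
SAMPLE_BUNDLE_AFTER = """\
// constructed sample: same bundle after moving Twilio credentials server-side
export function sendSms(to,body){return post("/api/sms",{to,body});}
"""

if __name__ == "__main__":
    print(json.dumps(scan_bundle(SAMPLE_BUNDLE_BEFORE.splitlines()), indent=2))
    print(json.dumps(scan_bundle(SAMPLE_BUNDLE_AFTER.splitlines()), indent=2))
```

The same scan can be pointed at `git log -p` output to cover the history part of step 1; the keyword heuristic is what keeps an unrelated MD5 digest (line 5 of the sample) from being reported as a token.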
