Fix guide · critical · twilio_auth_token

Twilio Auth Token in client code

What this rule means

A string labelled TWILIO_AUTH_TOKEN and shaped like a Twilio auth token (32 hexadecimal characters) was found in your deployed JavaScript bundle. Anything in that bundle is readable by every visitor, so treat the token as already public.

Why it matters

The auth token is the master credential for your Twilio account. Paired with the Account SID (often leaked nearby in the same bundle; see twilio_account_sid), it gives full API access: an attacker can send SMS and WhatsApp messages, place calls, and drive Verify flows on your bill, and can read what the account has already sent. Costs ramp fast: a single attacker can spend hundreds of dollars on SMS in minutes.

How to fix it

  1. Rotate the auth token first, at twilio.com/console → Account → API keys → Auth Token → Reset. The leaked value stays valid until you do. Resetting breaks any legitimate server-side code that still uses the old token, so have the new value ready to deploy; if your account offers a secondary auth token, issue it, cut your services over, then promote it to avoid the gap.
  2. Switch to API keys (twilio.com/docs/iam/api-keys) instead of the auth token. Prefer Standard keys: they can call the messaging and voice APIs but cannot manage other keys, subaccounts, or account settings, and each can be revoked on its own without rotating everything.
  3. Move all Twilio calls server-side: browser → your API → Twilio. No Twilio credential, neither the auth token nor an API key secret, may appear in browser-bundled code. Your endpoint should authenticate the caller, validate the recipient and message, and rate-limit per user so a compromised session cannot be turned into an SMS pump.
  4. Set spending limits and usage alerts in your Twilio account as a safety net. They cap the damage of the next leak; they do not fix this one.
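
The server-side relay from step 3, as an added example written for this guide (not vibecheck's or Twilio's code): Node 18 or later, credentials read from the server environment only, an API key SID and secret used as HTTP Basic auth against Twilio's Messages endpoint, E.164 validation of the recipient, and a per-caller sliding-window quota. The environment variable names, the /api/send-sms route, the quota of 3 messages per minute, and the use of the session cookie as caller identity are illustrative assumptions.

```javascript
"use strict";

// Credentials come from the server environment only. Twilio's REST API uses
// HTTP Basic auth: an API key SID as the username and its secret as the
// password, with the Account SID in the URL path. Variable names are ours.
function loadConfig(env = process.env) {
  const cfg = {
    accountSid: env.TWILIO_ACCOUNT_SID,
    keySid: env.TWILIO_API_KEY_SID,
    keySecret: env.TWILIO_API_KEY_SECRET,
    from: env.TWILIO_FROM,
  };
  for (const [name, value] of Object.entries(cfg)) {
    if (!value) throw new Error(`missing Twilio config value: ${name}`);
  }
  return cfg;
}

// Accept only E.164 numbers so the relay cannot be pointed at arbitrary
// strings; anything else is rejected before a request is built.
const E164 = /^\+[1-9]\d{6,14}$/;

// Sliding-window quota per caller: a stolen session can send at most
// `limit` messages per `windowMs`. The clock is injectable for testing.
function makeQuota(limit, windowMs, now = Date.now) {
  const hits = new Map();
  return function allow(callerId) {
    const t = now();
    const recent = (hits.get(callerId) || []).filter((ts) => t - ts < windowMs);
    const ok = recent.length < limit;
    if (ok) recent.push(t);
    hits.set(callerId, recent);
    return ok;
  };
}

// Build the outbound Messages request. Returning it instead of sending it
// here keeps the auth material in one place and makes the function testable.
function buildSmsRequest(cfg, to, body) {
  if (!E164.test(to)) throw new Error("recipient must be an E.164 number");
  if (typeof body !== "string" || body.length === 0 || body.length > 320) {
    throw new Error("message body must be 1-320 characters");
  }
  const basic = Buffer.from(`${cfg.keySid}:${cfg.keySecret}`).toString("base64");
  return {
    url: `https://api.twilio.com/2010-04-01/Accounts/${cfg.accountSid}/Messages.json`,
    method: "POST",
    headers: {
      Authorization: `Basic ${basic}`,
      "Content-Type": "application/x-www-form-urlencoded",
    },
    body: new URLSearchParams({ To: to, From: cfg.from, Body: body }).toString(),
  };
}

// Handle one authenticated caller's send request. `send` is fetch-compatible
// and injectable so the relay can be exercised without network access.
async function handleSend(cfg, allow, callerId, payload, send = fetch) {
  if (!allow(callerId)) return { status: 429, error: "rate limit exceeded" };
  let req;
  try {
    req = buildSmsRequest(cfg, payload.to, payload.body);
  } catch (e) {
    return { status: 400, error: e.message };
  }
  const res = await send(req.url, { method: req.method, headers: req.headers, body: req.body });
  // Never echo Twilio's response body to the browser; it carries account
  // metadata the client has no need for.
  return res.ok ? { status: 202 } : { status: 502, error: "upstream rejected message" };
}

// Stand-alone relay: POST /api/send-sms with JSON {to, body}. The caller
// identity here (session cookie, else client address) is a placeholder;
// wire in your real authentication before deploying.
if (typeof require !== "undefined" && require.main === module) {
  const http = require("node:http");
  const cfg = loadConfig();
  const allow = makeQuota(3, 60_000);
  http.createServer((req, res) => {
    if (req.method !== "POST" || req.url !== "/api/send-sms") {
      res.writeHead(404).end();
      return;
    }
    let raw = "";
    req.on("data", (chunk) => { raw += chunk; });
    req.on("end", async () => {
      const callerId = req.headers.cookie || req.socket.remoteAddress;
      let payload;
      try { payload = JSON.parse(raw); } catch { payload = {}; }
      const out = await handleSend(cfg, allow, callerId, payload);
      res.writeHead(out.status, { "Content-Type": "application/json" }).end(JSON.stringify(out));
    });
  }).listen(3000);
}
```

The browser now only ever talks to /api/send-sms; the key SID and secret exist solely in the server process. Swap the API key for a Standard key from step 2 so that if this service is ever compromised, revoking one key is enough.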

Did vibecheck flag this on your app?

If you reached this page from a vibecheck inspection report, the redacted match in your scan output is the exact string we found in your bundle. The finding clears only when that string is no longer in the built bundle; rotating the token alone does not remove it. A common root cause is a build-time environment variable exposed to the client with a public prefix (such as NEXT_PUBLIC_ or VITE_): rename it, keep it server-side, and rebuild. After applying the fix above, run the inspection again and the finding should clear.
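
A pre-deploy check you can run in CI before the inspection, as an added example written for this guide (not vibecheck's scanner and not its detection rules): it scans built JavaScript for the labelled 32-hex token described above and, as a second signal, for an Account SID (Twilio's documented AC prefix plus 32 hex characters). The patterns, the 10-character allowance between label and value, and the file extensions walked are our assumptions. Note that when a bundler inlines process.env.TWILIO_AUTH_TOKEN the label disappears and only a bare 32-hex string remains, which this check deliberately does not flag on its own (too many false positives); that is why the Account SID pattern is included.

```javascript
"use strict";

// Twilio-shaped credential patterns (assumptions for this check).
// The token pattern needs the TWILIO_AUTH_TOKEN label within 10 characters
// of a 32-hex value; the SID pattern uses Twilio's AC prefix.
const PATTERNS = [
  { rule: "twilio_auth_token", re: /TWILIO_AUTH_TOKEN[\s"':=,]{1,10}([0-9a-f]{32})(?![0-9a-f])/g },
  { rule: "twilio_account_sid", re: /\b(AC[0-9a-f]{32})\b/g },
];

// Show only the ends of a match, as a report would, so the log itself
// does not become another copy of the secret.
function redact(value) {
  return value.slice(0, 4) + "..." + value.slice(-4);
}

// 1-based line number of a character offset in `text`.
function lineOf(text, index) {
  let line = 1;
  for (let i = 0; i < index; i++) if (text[i] === "\n") line++;
  return line;
}

// Scan one file's contents; returns findings sorted by position.
function findTwilioSecrets(text, file = "<input>") {
  const findings = [];
  for (const p of PATTERNS) {
    for (const m of text.matchAll(p.re)) {
      const value = m[1];
      const index = m.index + m[0].indexOf(value);
      findings.push({ rule: p.rule, file, line: lineOf(text, index), index, redacted: redact(value) });
    }
  }
  return findings.sort((a, b) => a.index - b.index);
}

// Walk a build output directory and scan every JavaScript-ish file.
function scanDir(dir, exts = [".js", ".mjs", ".cjs", ".map"]) {
  const fs = require("node:fs");
  const path = require("node:path");
  const out = [];
  const walk = (d) => {
    for (const entry of fs.readdirSync(d, { withFileTypes: true })) {
      const full = path.join(d, entry.name);
      if (entry.isDirectory()) walk(full);
      else if (exts.includes(path.extname(entry.name))) {
        out.push(...findTwilioSecrets(fs.readFileSync(full, "utf8"), full));
      }
    }
  };
  walk(dir);
  return out;
}

// CLI: `node scan.js dist/` exits non-zero if anything is found, so a CI
// step can block the deploy.
if (typeof require !== "undefined" && require.main === module) {
  const findings = scanDir(process.argv[2] || "dist");
  for (const f of findings) console.log(`${f.rule}\t${f.file}:${f.line}\t${f.redacted}`);
  process.exit(findings.length ? 1 : 0);
}
```

Run it against the same directory you deploy; a clean run here is a good sign that the next vibecheck inspection will also be clean, but it is not a substitute for it.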