Twilio
Collaborationsystem_type: "twilio"PQC-seal Twilio credentials and proxy SMS, voice, and Verify API calls with signed webhook validation.
Overview#
The Twilio connector seals Account SID and Auth Token in QuantaVault and proxies Twilio REST API calls for SMS, voice, and the Verify product. Inbound Twilio webhook signatures (X-Twilio-Signature) are verified against the sealed Auth Token before forwarding.
https://api.quantaseal.io/api/v2/proxy/outboundAuth header:
X-API-Key: qs_live_...Prerequisites#
- 1A Twilio account with an active phone number
- 2Account SID and Auth Token from the Twilio Console
- 3A QuantaSeal API key
Configuration#
Follow these steps to connect Twilio to QuantaSeal. You can configure integrations via the Admin Console or directly via the API.
- 1
In the Twilio Console, copy your Account SID and Auth Token.
- 2
Seal credentials: POST /api/v2/vault/seal with credential_type: basic_auth and values: {username: ACCOUNT_SID, password: AUTH_TOKEN}.
- 3
Create the integration: POST /api/v2/integrations with system_type: twilio.
Authentication Types#
Twilio uses HTTP Basic auth (Account SID as username, Auth Token as password). Store as basic_auth in QuantaVault. The Auth Token also doubles as the webhook signing secret - store it separately as webhook_secret for inbound webhook verification.
All credential types are sealed in QuantaVault with ML-KEM-768 + AES-256-GCM and wrapped by your tenant AWS KMS CMK before storage. See the Vault API reference for the full list of credential types and seal/unseal endpoints.
Available Operations#
QuantaSeal enforces a default-deny operation policy. Only operations listed in your integration's allowed_operations array will be permitted. Add operations when creating or updating the integration.
| Operation | Description |
|---|---|
send_sms | Send an SMS message via Twilio. |
make_call | Initiate an outbound voice call. |
create_verification | Start a Verify OTP flow. |
check_verification | Verify an OTP code. |
list_messages | List sent/received messages. |
Code Example#
Every proxy call returns a HybridCryptoEnvelope - the response is ML-KEM-768 key-encapsulated, AES-256-GCM encrypted, and signed with ML-DSA-65 + HMAC-SHA-512. Verify both signatures before trusting the decrypted payload.
curl -X POST https://api.quantaseal.io/api/v2/proxy/outbound \
-H "X-API-Key: qs_live_your_key_here" \
-H "Content-Type: application/json" \
-d '{
"integration_id": "int_01HZ9X2K4MNPQRTWILIO000001",
"operation": "send_sms",
"payload": {
"to": "+61412345678",
"from": "+61498765432",
"body": "Your QuantaSeal verification code is: 847291. Do not share this code."
}
}'
# Response - HybridCryptoEnvelope
{
"success": true,
"encrypted": {
"ciphertext_kem": "<base64 - 1088 bytes ML-KEM-768>",
"ciphertext_data": "<base64 - AES-256-GCM encrypted Twilio message SID>",
"nonce": "<base64 - 12 bytes>",
"tenant_id": "ten_01HZ9X2K4MNPQR5STUVWXYZ00",
"algorithm": "ML-KEM-768"
},
"signature": {
"pqc_signature": "<base64 - ~3309 bytes ML-DSA-65>",
"hmac_signature": "<base64 - 64 bytes HMAC-SHA-512>",
"tenant_id": "ten_01HZ9X2K4MNPQR5STUVWXYZ00",
"algorithm": "ML-DSA-65+HMAC-SHA-512"
},
"audit_event_id": "aud_01HZ9XABCDEF"
}client.encryption.decrypt(envelope). Both the ML-DSA-65 signature and the HMAC-SHA-512 signature must pass - QuantaSeal uses a bitwise & check, not short-circuit and.Troubleshooting#
20003 - Authentication Error
The Account SID or Auth Token in the vault entry is incorrect. Note that Twilio has separate live and test credentials - ensure you are using the correct set.
21608 - Unverified number in trial account
Twilio trial accounts can only send to verified numbers. Upgrade to a paid account or add the recipient number to your verified caller IDs.