Read the X-Twilio-Signature header from the incoming HTTP request.
Reconstruct the signed string: start with the full request URL (including scheme, host, path, and any query parameters); for POST requests, sort all POST body parameters alphabetically by key and concatenate each key immediately followed by its value (no delimiters) onto the URL string.
Compute HMAC-SHA1 of that string using your Twilio account AuthToken as the HMAC key; Base64-encode the resulting 20-byte digest.
Compare your computed Base64 string to the X-Twilio-Signature header value using a constant-time comparison function to prevent timing attacks.
If they match, the request is authentic; respond with TwiML. If they do not match, return HTTP 403.
Known gotchas
Twilio signs requests with HMAC-SHA1 (not SHA-256) — using the wrong algorithm will always produce a mismatch.
SSL termination proxies and load balancers that change http to https in the URL will break signature validation; reconstruct the URL as Twilio sent it, not as your app server sees it.
Use the official Twilio helper library's RequestValidator rather than a hand-rolled implementation — edge cases around empty parameters, array parameter ordering, and URL normalisation cause frequent validation failures.
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp