Skip to contentSkip to navigationSkip to topbar
On this page

Secure Playback of Recordings from Custom Storage


(warning)

Public beta

Flex Insights (also known as Historical Reporting) is currently available as a public beta release and the information contained in the Flex Insights documentation is subject to change. This means that some features are not yet implemented and others may be changed before the product is declared as generally available. Public beta products are not covered by a Twilio SLA.

Any reference to "Historical Reporting", "Flex Insights API", "Flex Insights Historical Reporting", or "Flex Insights Historical Reporting API" in the Flex Insights documentation refers to Flex Insights.

You can manage user access to call recordings from Flex Insights on your own terms.

If you store call recordings outside of Twilio, you can use this feature to:

  • Create a custom authorization of users
  • Log user access to individual recordings
  • Decrypt Twilio recordings encrypted by your public key (using your private key)

You can use the url_provider attribute when attaching Custom Media. Flex Insights Player sends a request to the URL to ask for the actual link to the recording. Your service at the provided URL can then perform any authorization operations before providing the link. The link itself has to carry any authorization information, such as a time-limited token, single-use token, etc.

You can point the Player to a standard service such as AWS S3. Or, you can point the Player to a custom service that may perform additional operations before streaming the actual audio. For example, decryption of the audio.

(information)

Info

Waveform (blue, green, red, and orange bars) is not available in the Conversation Screen for recordings that are stored externally. This means users will not see when an agent or customer is speaking while playing back recordings.


Flex Insights Player Request to Your Service

flex-insights-player-request-to-your-service page anchor

When you open a recording from Flex Insights, the Player calls the API URL you provided as the value of the url_provider attribute. The Player adds the Flex JWE token in the authorization header. The token is Base64 encoded.

Example request:

1
GET /sec_rec?recording_sid=RExxxxxxxxxxxxxxxxxxxxxxx HTTP/1.1
2
Host: your_domain
3
Connection: keep-alive
4
Pragma: no-cache
5
Cache-Control: no-cache
6
Authorization: Basic dG9rZW46ZXlKNmFYQWlPaUpFUlVZaUxDSnJhV1FpT2lKVFFWTmZVek1==
7
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.113 Safari/537.36
8
Accept: */*
9
Origin: https://flex.twilio.com
10
Sec-Fetch-Site: cross-site
11
Sec-Fetch-Mode: cors
12
Sec-Fetch-Dest: empty
13
Accept-Encoding: gzip, deflate, br
14
Accept-Language: en-US,en;q=0.9,cs;q=0.8

Handle the Request from Player in Your Service

handle-the-request-from-player-in-your-service page anchor

To enable playback, your API service has to:

  1. Validate the Flex JWE token provided by the Player in the authorization header. The validation ensures that the user has a valid Flex session.
  2. Return the 'media_url' link to the audio file of the recording. The Player uses this link to retrieve the actual recording.
(warning)

Warning

In the following example, we are using a Twilio function to validate a token. Please note that you cannot host your authentication function using Twilio Serverless due to its max header limitations.

Validate the Flex JWE Token

validate-the-flex-jwe-token page anchor

The Flex JWE token is sent in the following format:

1
Basic ${Buffer.from(`token:${flexJWE}`).toString('base64')}
2

The Flex JWE token is Base64 encoded. Your service has to decode the token, then use the Twilio Flex Token Validator(link takes you to an external page) in a Twilio Function or in any NodeJS application. Alternatively you can use the Twilio API to validate the token.

Example of token validation in Python:

1
header_raw = request.headers.get('Authorization')
2
header_decoded = b64decode(header_raw.split()[1]).decode()
3
token = header_decoded.split(':')[1]
4
5
url = "https://iam.twilio.com/v1/Accounts/{}/Tokens/validate".
6
format(TWILIO_ACCOUNT_SID)
7
headers = {
8
"content-type": "application/json",
9
"cache-control": "no-cache",
10
"Authorization": header_raw
11
}
12
payload = {"token": token}
13
response = requests.post(url, data=json.dumps(payload), headers=headers)

The validated token result contains the following data:

1
{
2
"valid": true,
3
"code": 0,
4
"message": null,
5
"expiration": "2018-09-24T23:22:44.240Z",
6
"realm_user_id": "user@example.com",
7
"identity": "user_40example_2Dcom",
8
"roles":[
9
"agent"
10
],
11
"worker_sid": "WKxxx"
12
}

While listening to a recording, open the Developer Tools > Network tab in your browser. Confirm that your browser requested both the 'url_provider' and the 'media_url'.

Secure_troubleshooting.

Need some help?

Terms of service

Copyright © 2024 Twilio Inc.