API keys are the preferred way to authenticate with Twilio's REST APIs. With API keys, you control which users and applications have access to your Twilio Account's API resources, and you can revoke access at your discretion.
If your Twilio application uses one of the client-side SDKs, then you need to use API keys to create Access Tokens.
Twilio API credentials are a Region-specific resource. If your Account uses Twilio Regions, refer to Manage Regional API Credentials.
API keys are a powerful and flexible way to manage access to Twilio resources.
While you can use your Account SID and Auth Token as your API credentials for local testing, using them in production is risky. If a bad actor gains access to your Account SID and Auth Token, then your Twilio Account is compromised. This could cost you money and harm your business's reputation.
Instead, you can create individual API keys for specific purposes and for specific individuals. You have complete control of the lifecycle of the API credentials for your Twilio Account. For example, you can issue separate API keys to different developers or different subsystems within your application. If a key is compromised or no longer used, then you can revoke it to prevent unauthorized access.
You can further reduce security risks by using Restricted API keys to provide minimum and specific levels of access.
The API key types are: Main, Standard, and Restricted (public beta, Key resource v1 only). The following table describes each type.
| Key type | Access permissions | Create in Console | Create with REST API |
|---|---|---|---|
| Main | Full access to all Twilio API resources. Equivalent to using your Account SID and Auth Token for API requests. | Yes | No |
| Standard | Access to all Twilio API resources, except for API key and Account resources. | Yes | Yes |
| Restricted | Customized, fine-grained access to specific Twilio API resources. Learn more about Restricted API keys. | Yes | Yes (v1 only) |