Twilio auth token leaked? Roll it now — SMS fraud is fast
Your Twilio auth token may be exposed. Here is the fastest possible recovery — three steps, no theory.
Step 01
Twilio Console → Account → API keys & tokens → in the "Auth tokens" panel, click "Show" on the secondary, then "Promote secondary token".
Step 02
Update your env vars to the new primary, then "Generate new secondary token".
Step 03
Pull SMS logs for the last 24 hours. Look for outbound messages to premium-rate numbers (international codes you don’t serve).
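Step 03's log review, as an added example that is not part of the original page: it takes message records shaped like the fields Twilio's Messages list returns (sid, to, direction, dateSent, price), keeps the outbound messages inside the lookback window whose destination is outside the calling codes you serve, and groups them by destination prefix so a pumping burst and its cost stand out. The served-prefix list, the sample records and the lookback time are constructed assumptions, not Twilio data.

```typescript
// Added example, not code from the original page: triage of Twilio SMS logs after a
// token leak. Flag outbound messages to unserved prefixes and group them by prefix.
type MessageRecord = {
  sid: string;
  to: string;        // E.164 destination number
  direction: 'outbound-api' | 'outbound-reply' | 'inbound';
  dateSent: string;  // ISO 8601 timestamp
  price: string;     // Twilio reports cost as a negative decimal string, e.g. "-0.0079"
};

// Assumption for this example: the product only ever texts these calling codes.
const SERVED_PREFIXES: readonly string[] = ['+1', '+44'];
function isServedDestination(to: string): boolean {
  return SERVED_PREFIXES.some((prefix) => to.startsWith(prefix));
}

type Finding = { prefix: string; count: number; cost: number; sids: string[] };
function findSuspiciousOutbound(records: MessageRecord[], since: Date): Finding[] {
  const byPrefix = new Map<string, Finding>();
  for (const m of records) {
    if (m.direction === 'inbound') continue;      // only traffic you paid to send
    if (new Date(m.dateSent) < since) continue;   // outside the lookback window
    if (isServedDestination(m.to)) continue;      // expected destination
    const prefix = m.to.slice(0, 4);              // coarse grouping key such as "+373"
    const f: Finding = byPrefix.get(prefix) ?? { prefix, count: 0, cost: 0, sids: [] };
    f.count += 1;
    f.cost += Math.abs(parseFloat(m.price));
    f.sids.push(m.sid);
    byPrefix.set(prefix, f);
  }
  // Busiest prefix first: that is where the fraud ticket and the block list start.
  return Array.from(byPrefix.values()).sort((a, b) => b.count - a.count);
}

// Constructed sample log: two normal US verifications, then a burst to unserved prefixes.
const SAMPLE_LOG: MessageRecord[] = [
  { sid: 'SM0001', to: '+15551230001', direction: 'outbound-api', dateSent: '2024-05-02T09:00:00Z', price: '-0.0079' },
  { sid: 'SM0002', to: '+15551230002', direction: 'outbound-api', dateSent: '2024-05-02T09:05:00Z', price: '-0.0079' },
  { sid: 'SM0003', to: '+37360000001', direction: 'outbound-api', dateSent: '2024-05-02T11:00:00Z', price: '-0.1200' },
  { sid: 'SM0004', to: '+37360000002', direction: 'outbound-api', dateSent: '2024-05-02T11:00:01Z', price: '-0.1200' },
  { sid: 'SM0005', to: '+37360000003', direction: 'outbound-api', dateSent: '2024-05-02T11:00:02Z', price: '-0.1200' },
  { sid: 'SM0006', to: '+88200000001', direction: 'outbound-api', dateSent: '2024-05-02T11:01:00Z', price: '-0.2500' },
  { sid: 'SM0007', to: '+37360000004', direction: 'outbound-api', dateSent: '2024-05-01T08:00:00Z', price: '-0.1200' }, // before window
  { sid: 'SM0008', to: '+37360000005', direction: 'inbound', dateSent: '2024-05-02T11:02:00Z', price: '0.0000' },
];

const LOOKBACK = new Date('2024-05-01T12:00:00Z'); // 24 h before discovery (constructed)
for (const f of findSuspiciousOutbound(SAMPLE_LOG, LOOKBACK)) {
  console.log(`${f.prefix}: ${f.count} messages, ~$${f.cost.toFixed(2)}; ${f.sids.join(', ')}`);
}
```

The message SIDs in the top finding are what you attach to the fraud ticket; the prefixes are what you block before re-enabling sending.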
Step 01 — Revoke
Kill the leaked credential first
Console → Account → API keys & tokens → "Live" tab → Auth tokens. The "Promote secondary" pattern lets you rotate without downtime: promote secondary → update env → generate new secondary.
Step 02 — Rotate
Update the new key in the right place
Server-side env vars only — never in client code, never with NEXT_PUBLIC_.
import twilio from 'twilio';
const client = twilio(
process.env.TWILIO_ACCOUNT_SID!,
process.env.TWILIO_AUTH_TOKEN!, // never NEXT_PUBLIC_
);
Step 03 — Scan
Confirm nothing else leaked alongside it
Scan to find every messaging or telephony secret in your bundle.
How this usually leaks
- 01 Used in a client component for browser-side SMS verification.
- 02 Stored in a config file deployed publicly.
- 03 .env committed to source control.
FAQ
Frequently asked questions
- Will Twilio refund the abuse?
- Twilio has a fraud team that reviews abuse cases. Open a ticket within 24 hours, share the rotation timeline, and they often credit the SMS pumping fraud charges.
- Should I use API keys instead of the auth token?
- Yes for production. Twilio API keys (SK.../...) scope to specific resources and can be revoked individually without rotating the master account credentials.
Deeper dive
Long-term fixes for this leak class
Hardcoded API key in JS
Any secret in your client bundle is public. Here is how to find them, rotate them, and move the calls server-side.
Exposed .env file
An exposed .env file is a critical leak — it contains API keys, database URLs, and secrets. Here is why it happens in vibe-coded apps and how to lock it down.
See what else leaked in the same deploy
Free scan. 70+ checks. Results in 60 seconds.