Use API key in Twilio to improve security #3204

Closed
1 task done
woj-tek opened this issue May 29, 2023 · 0 comments · Fixed by #3205
Labels
feature-request Request for new features to be added

Comments

@woj-tek
Contributor

woj-tek commented May 29, 2023

⚠️ Please verify that this feature request has NOT been suggested before.

  • I checked and didn't find similar feature request

🏷️ Feature Request Type

Other

🔖 Feature description

(This is a followup to #1860 (comment))

I would like to add/ask for an option to log in via API Key instead of using the master AccountSID and AuthToken. See https://www.twilio.com/docs/usage/requests-to-twilio#creating-or-updating-resources-with-the-post-method

Basically one can either use const client = require('twilio')(accountSid, authToken); or const client = require('twilio')(apiKey, apiSecret, { accountSid: accountSid });, where the second one is more secure and thus recommended.

Answering @CommanderStorm questions:

  • please also go into detail what you mean by "more secure and thus recommended"

As stated in the documentation: https://www.twilio.com/docs/iam/keys/api-key:

Main API Keys have the same access as Standard Keys, and can also manage API Keys, Account Configuration, and Subaccounts. Main API Keys give you the same level of access as if you were using account API Credentials.
For example, you might issue separate API Keys to different developers or to different subsystems within your application. If a key is compromised or no longer used, you can easily delete it to prevent unauthorized access!

It's not as easy as with main AuthToken/Main API key, which gives you almost unlimited access to the account.

The problem with the notification providers is, that they are for the most part untested/untestable. => Screenshots are needed to verify that this change works.

There seem to be test credentials (https://www.twilio.com/docs/iam/test-credentials), though most likely still requiring a Twilio account.

✔️ Solution

Use const client = require('twilio')(apiKey, apiSecret, { accountSid: accountSid }); if an API key is provided.

❓ Alternatives

No response

📝 Additional Context

No response

@woj-tek woj-tek added the feature-request Request for new features to be added label May 29, 2023
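
The credential choice requested in this issue, as an added example (not code from the issue or from the project): it prefers the API key when one is provided and refuses a half-configured key instead of silently falling back to the account-wide AuthToken. The function buildTwilioAuth and its config field names are hypothetical; it builds the HTTP Basic header for Twilio's REST API directly rather than calling the twilio package, so it runs offline.

```javascript
// Added example; buildTwilioAuth and the cfg field names are hypothetical.
// Twilio's REST API uses HTTP Basic auth with either AccountSid:AuthToken or
// ApiKeySid:ApiKeySecret. The Account SID stays in the URL in both cases.
function buildTwilioAuth(cfg) {
    const { accountSid, authToken, apiKey, apiSecret } = cfg;
    if (typeof accountSid !== "string" || !accountSid.startsWith("AC")) {
        throw new Error("accountSid must be an Account SID (starts with AC)");
    }

    let cred;
    if (apiKey || apiSecret) {
        // Half-configured API key: fail closed rather than quietly using the
        // AuthToken, which would hide the misconfiguration.
        if (!apiKey || !apiSecret) {
            throw new Error("apiKey and apiSecret must be set together");
        }
        // API Key SIDs start with SK; an AC value here means the Account SID
        // was pasted into the wrong field.
        if (!apiKey.startsWith("SK")) {
            throw new Error("apiKey must be an API Key SID (starts with SK)");
        }
        cred = { mode: "api-key", username: apiKey, password: apiSecret };
    } else if (authToken) {
        cred = { mode: "auth-token", username: accountSid, password: authToken };
    } else {
        throw new Error("no Twilio credentials configured");
    }

    const basic = Buffer.from(`${cred.username}:${cred.password}`).toString("base64");
    return {
        mode: cred.mode,
        url: `https://api.twilio.com/2010-04-01/Accounts/${accountSid}/Messages.json`,
        headers: { Authorization: `Basic ${basic}` },
    };
}

// Constructed sample values, not real credentials.
const sampleSid = "AC" + "0".repeat(32);
const sampleKey = "SK" + "1".repeat(32);
const viaKey = buildTwilioAuth({
    accountSid: sampleSid, apiKey: sampleKey, apiSecret: "constructed-secret",
});
const viaToken = buildTwilioAuth({ accountSid: sampleSid, authToken: "constructed-token" });
console.log(viaKey.mode, viaToken.mode);
```

Because the key path never reads the AuthToken, a deployment configured this way does not need to store the AuthToken at all, and a leaked key can be deleted without rotating the account credential.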