Another option for securing Twilio apps is to a) use HTTPS between your server and Twilio, which you always want to do anyway, and then b) use a shared secret to validate that the HTTP client your app is talking to is actually Twilio.

I do this, partially because it was easy to implement and partially because independently developed message signing and verification can be... finicky. I have no particular reason to not trust Twilio's generated signatures, but didn't want a sudden confusion about e.g. ordering parameters to wake me up at 3 AM when it broke the system. Or worse, *not* wake me up at 3 AM when it broke the system.
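
An added example, not part of the original comment: one way to implement the shared-secret check it describes, assuming the secret arrives as HTTP Basic credentials on each webhook request. The function names and the credential values are constructed for illustration.

```python
import base64
import binascii
import hmac

# Constructed values for illustration only; load real ones from secret storage.
EXPECTED_USER = "twilio-webhook"
EXPECTED_SECRET = "constructed-example-secret"


def parse_basic_auth(header_value):
    """Return (user, password) from an Authorization header, or None if malformed."""
    if not header_value:
        return None
    scheme, _, encoded = header_value.partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def is_authorized(scheme, headers):
    """Accept a webhook only over HTTPS and only with the shared secret."""
    if scheme != "https":
        return False  # the secret must never travel in cleartext
    creds = parse_basic_auth(headers.get("Authorization"))
    if creds is None:
        return False
    user, password = creds
    # Compare both fields in constant time, and evaluate both before deciding,
    # so response timing does not reveal which one was wrong.
    user_ok = hmac.compare_digest(user.encode(), EXPECTED_USER.encode())
    secret_ok = hmac.compare_digest(password.encode(), EXPECTED_SECRET.encode())
    return user_ok and secret_ok


def make_header(user, password):
    """Build the header a client would send (used for the sample requests)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"
```

A rejected request should get a 401 or 403 response and a log entry, so that a misconfigured secret shows up as an alert rather than as silently dropped messages.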