by travelton 3374 days ago
This is neat! But I have to expose the PDF to the internet for Twilio to pick up the file and send it?

https://www.twilio.com/docs/api/fax/quickstart#send-a-fax

2 comments

https://www.twilio.com/docs/api/security#validating-requests

Twilio cryptographically signs its requests.

Not sure on the specifics of a GET vs the normal POST callbacks but they definitely are aware this is an issue.

I'd be surprised if it wasn't similar to (or exactly like) their POST auth. They concatenate the URL, the POST variables (alphabetically sorted) and your Twilio account ID and hash it with your auth key. They put that hash into an auth header on the POST.

I had to dig into it because we had a reverse proxy in front of our app and the hash generated by their client .NET library was understandably different than what they sent because the domains were ultimately different.

Certainly you can attach a token and firewall all but Twilio's servers if you're serious about using this service.

I don't see the problem with it.
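
Added example, not part of the thread and not Twilio's library code: a Python sketch of the request-signature check described in the Twilio security documentation linked above (HMAC-SHA1 over the full URL plus the sorted POST fields, base64-encoded, compared with the signature header), showing why validation fails behind a reverse proxy unless the public URL is used. The token, hosts, path and field values are constructed, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac

def compute_signature(auth_token, url, params):
    # Full URL, then each POST field name immediately followed by its value,
    # ordered by field name; HMAC-SHA1 keyed with the auth token, base64.
    payload = url + "".join(name + params[name] for name in sorted(params))
    mac = hmac.new(auth_token.encode(), payload.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def is_valid(auth_token, public_base, path, params, header_signature):
    # public_base comes from configuration, not from the Host header: behind
    # a reverse proxy the app sees an internal host the sender never signed.
    expected = compute_signature(auth_token, public_base + path, params)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected, header_signature)

# Constructed values for the demonstration (not real credentials or hosts).
AUTH_TOKEN = "constructed-auth-token"
PUBLIC_BASE = "https://fax.example.com"
INTERNAL_BASE = "http://10.0.0.5:8080"
PATH = "/twilio/fax-status"
PARAMS = {"To": "+15550100", "From": "+15550199",
          "AccountSid": "ACconstructed", "Status": "delivered"}

def demo():
    # Sender side: the signature is computed over the public URL.
    sent = compute_signature(AUTH_TOKEN, PUBLIC_BASE + PATH, PARAMS)
    tampered = dict(PARAMS, Status="failed")
    return {
        "public_url": is_valid(AUTH_TOKEN, PUBLIC_BASE, PATH, PARAMS, sent),
        "internal_url": is_valid(AUTH_TOKEN, INTERNAL_BASE, PATH, PARAMS, sent),
        "tampered_field": is_valid(AUTH_TOKEN, PUBLIC_BASE, PATH, tampered, sent),
        "wrong_token": is_valid("other-token", PUBLIC_BASE, PATH, PARAMS, sent),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

Only the `public_url` case is accepted; the `internal_url` case reproduces the reverse-proxy mismatch described in the comment above.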