Twilio to LiveKit SIP: "invalid credentials were provided"

Inbound calls from Twilio are reaching my SIP trunk but failing with callStatus: SCS_ERROR and error: "invalid credentials were provided".

Trunk ID is ST_bH4htraiYfGH on LiveKit Cloud (free tier). SIP domain is 369cwv1qnuh.sip.livekit.cloud. Username is medspai-sip. Dispatch rule is SDR_VBHvaM2D567V (direct, room named by SIP TO user-part). Trunk has numbers: [] to accept any number.

TwiML format:

<Response>
  <Dial>
    <Sip username="medspai-sip" password="[redacted]">
      sip:call-+12819005317@369cwv1qnuh.sip.livekit.cloud
    </Sip>
  </Dial>
</Response>

I wrote a diagnostic script that reads the trunk via listSipInboundTrunk and confirmed the stored username matches my .env exactly. The trunk was recreated with --force to ensure clean state. SIP INVITE reaches LiveKit and gets a 200 OK but then errors on auth.

I also tried LiveKit’s connectTwilioCall() WebSocket approach but got “twilio call is not enabled for this project” which I assume is a Cloud free tier limitation.

What could be causing the credential rejection? Is there something specific about how Twilio passes SIP auth credentials that requires a different trunk configuration?

ST_bH4htraiYfGH is an inbound trunk so you should not need to specify auth for that trunk, which is only required for outbound, Create and configure a Twilio SIP trunk | LiveKit Documentation, I suspect that error is coming from Twilio? I suggest taking a look at that trunk configuration and comparing it with https://docs.livekit.io/telephony/start/sip-trunk-setup/#inbound-trunk-setup.

I do see a couple of failed sessions on your account, made around the same time you posted this question, but they have the error “failed joining room: cannot create LiveKit participant: no room name“, so you probably want to take a look at your dispatch rule also: Dispatch rule | LiveKit Documentation