Tags: jwt, twilio, token, one-time-password, authy

Twilio Authy and persistent tokens


I'm considering using Twilio's Authy as a one-time password authentication solution for my app. I've combed through their docs and I understand how to register a new user with a phone number, and then how to verify that they indeed own that phone.

My question is, once a user has been authenticated, how am I supposed to keep them authenticated in my app? Does Twilio handle any sort of JWT or token generation? Or is Twilio only there to assert that a particular user owns a particular phone number, and it's on me (the developer, or another service like Firebase) to spin up a token associated with that user to use for all future requests?


Solution

  • Twilio developer evangelist here.

    You're right that Authy is able to verify that the user is the user that you registered with Authy. It does not do anything to keep a user authenticated in your application, though; it's really there to give you a yes or no answer as to whether you trust the user has the device they initially registered with.

    As you surmise, it is either up to you or another service to provide a token that you can continue to authenticate requests with. This blog post is a little old (as it uses plain Twilio SMS rather than Authy) but gives you an idea where you could start building that authentication for passwordless login in an application (in this case in PHP).
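To make the split described in the answer concrete (Authy answers yes/no on device possession, your application mints and checks its own session token), here is an added example that is not part of the question, the answer, or Twilio's code. It implements an HS256-signed JWT by hand with the standard library so it runs offline; `SIGNING_KEY`, `issue_session_token`, `verify_session_token` and `login_after_otp` are hypothetical names, and the `otp_verified` flag stands in for the result of the Authy verification call (constructed here, not an Authy API).

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Hypothetical server-side HMAC key. In a real deployment this comes from a
# secrets store, not from process memory at start-up; it never reaches clients.
SIGNING_KEY = secrets.token_bytes(32)


def _b64url(data: bytes) -> str:
    """JWT-style base64url without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    """Inverse of _b64url; re-adds the padding base64 needs."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_session_token(user_id: str, ttl_seconds: int = 900,
                        now: Optional[int] = None, key: bytes = SIGNING_KEY) -> str:
    """Mint a short-lived HS256 JWT for a user whose OTP check already passed.

    `now` is injectable so the behaviour is testable without real clocks.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    # "amr": ["otp"] records how the session was established; "exp" bounds it.
    payload = {"sub": user_id, "iat": now, "exp": now + ttl_seconds, "amr": ["otp"]}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_session_token(token: str, now: Optional[int] = None,
                         key: bytes = SIGNING_KEY) -> Optional[dict]:
    """Return the payload if the token is well-formed, correctly signed with
    HS256 and unexpired; otherwise return None. Every later request is gated
    on this, not on Authy, which is only consulted at login time."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        presented = _b64url_decode(sig_b64)
        # Pin the algorithm: a header claiming "none" or another alg is refused
        # rather than trusted, and the signature is always recomputed with HS256.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, presented):  # constant-time compare
            return None
        if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
            return None
        return payload
    except (ValueError, binascii.Error, AttributeError, TypeError, KeyError):
        return None


def login_after_otp(user_id: str, otp_verified: bool,
                    now: Optional[int] = None) -> Optional[str]:
    """The hand-off point: `otp_verified` is the yes/no the OTP service gives
    you (a constructed stand-in here). Only a 'yes' earns a session token."""
    if not otp_verified:
        return None
    return issue_session_token(user_id, now=now)


if __name__ == "__main__":
    t = login_after_otp("alice", True)
    print("issued:", t)
    print("verified as:", verify_session_token(t))
```

The token is deliberately short-lived and carries no secret of its own; on expiry the user goes through the OTP flow again (or you add a refresh scheme), which is the part the answer says is yours to design rather than Authy's.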