STIR/SHAKEN Signing Made Simple
Effortless call authentication with industry‑standard signing, zero‑touch management, and one‑click configuration.
How Signing Works
Receive Call Details
Your SIP proxy or API sends us the calling/called numbers and attestation level.
Cryptographic Signing
We create a JSON Web Token (JWT) signed with your ECDSA private key using the ES256 algorithm.
Return Identity Header
The signed Identity header is returned to your system, ready to be inserted into the SIP INVITE.
Under the Hood
- Uses ES256 (ECDSA with P‑256 curve and SHA‑256) for fast, secure signatures.
- JWT payload includes
attest,orig,dest,iat, andorigidas per ATIS‑1000074. - Certificate URL (
x5u) is embedded so verifiers can fetch your public key. - Optional intermediate CA URL supports full chain validation.
Management & Monitoring
Key & Certificate Lifecycle
- Upload your private key and certificate through the secure dashboard.
- View certificate details: subject, validity period, days until expiry.
- Automatic expiry warnings when less than 30 days remain.
- Update keys/certs at any time – old tokens remain valid until they expire.
Usage Insights
- Real‑time signing request logs with timestamps and status.
- Dashboard showing signing volume, latency, and error rates.
- API‑level metrics for integration health.
- Downloadable reports for compliance audits.
Configuration in Minutes
1. Upload Credentials
Paste your private key and certificate, or upload PEM files. Set your attestation level and token expiry.
2. Choose Integration
Use our REST API or SIP 302 redirect – both work with any SIP platform (Kamailio, FreeSWITCH, Asterisk, etc.).
3. Go Live
Your calls are now authenticated. Monitor everything from the dashboard – no ongoing maintenance required.
Flexible Integration
REST API
Simple HTTP POST with JSON payload. Ideal for custom applications and softswitches.
POST /api/stir-shaken/sign
{
"orig": {"tn": "14045266060"},
"dest": {"tn": ["18001234567"]},
"attest": "A"
}SIP 302 Redirect
Route the initial INVITE to us; we reply with a 302 containing the signed Identity header. No code changes needed.
INVITE sip:18001234567@provider.com
→ 302 Moved Temporarily
Identity: eyJhbGci...;info=...;alg=ES256;ppt=shakenSIP Gateway Routing
For maximum simplicity, route your outbound calls directly through our SIP gateway. We handle STIR/SHAKEN signing transparently, then forward the call to its final destination. No API integration or redirect logic required.
Point Your SIP Trunk
Configure your PBX or SBC to send outbound calls to our SIP gateway address.
Automatic Signing
We authenticate the call, attach the Identity header, and apply your configured attestation level.
Call Delivered
The signed call is forwarded to the destination carrier, fully STIR/SHAKEN compliant.
Example Configuration
Simply set your outbound SIP trunk to our gateway. For example, in FreeSWITCH:
<gateway name="stirshaken">
<param name="proxy" value="sip.stirshakengateway.com"/>
<param name="register" value="false"/>
</gateway>No additional headers or API calls needed. We'll sign every call that passes through.
Dynamic Attestation Override
For advanced use cases, you can override the default attestation level configured in your account on a per‑request basis. This gives you fine‑grained control when different call sources require different attestation levels.
Override via API Parameter
Include the attest field in your JSON request body. If omitted, the account’s default attestation level is used.
POST /api/stir-shaken/sign
{
"orig": {"tn": "14045266060"},
"dest": {"tn": ["18001234567"]},
"attest": "B" ← Overrides to partial attestation
}The same attest field is also supported in the /api/routing endpoint.
Override via HTTP Header
Pass the X-Attestation header with the desired level A, B, or C. The header takes precedence over a body parameter if both are present.
POST /api/stir-shaken/sign
X-Attestation: A ← Forces full attestation
{
"orig": {"tn": "14045266060"},
"dest": {"tn": ["18001234567"]}
}This header is also accepted by the /api/routing endpoint.