VoIP Security Guide

STIR/SHAKEN Explained

8 min read  ·  Updated April 2026

STIR/SHAKEN is the FCC-mandated framework for authenticating caller ID in VoIP networks. Carriers are required to implement it, and calls that fail attestation get flagged as potential spam or dropped entirely. Here's what every VoIP engineer needs to know.

1. What is STIR/SHAKEN?

STIR (Secure Telephone Identity Revisited) and SHAKEN (Signature-based Handling of Asserted information using toKENs) are two complementary standards that together create a framework for cryptographically signing caller ID information at the originating carrier and verifying it at the terminating carrier.

The problem they solve: VoIP made it trivially easy to spoof caller ID. Bad actors could set any number they wanted as their caller ID, enabling robocalling, fraud, and social engineering attacks. STIR/SHAKEN creates a chain of trust so terminating carriers can verify whether the calling number was legitimately assigned to the originating carrier.

The FCC mandated STIR/SHAKEN implementation for US voice carriers in 2021 under TRACED Act requirements. Non-compliant carriers face call labeling and blocking. International adoption is following, with OFCOM in the UK and CRTC in Canada implementing similar frameworks.

2. How it works technically

The STIR/SHAKEN flow has three components:

Authentication Service (originating carrier)

When a call originates, the originating carrier's Authentication Service verifies whether the caller is authorized to use the claimed calling number, then generates a PASSporT (Personal Assertion Token) — a JSON Web Token (JWT) signed with the carrier's private key. This token is inserted into the SIP INVITE as an Identity header.

Verification Service (terminating carrier)

The terminating carrier's Verification Service extracts the Identity header, retrieves the originating carrier's public certificate from a certificate repository, and validates the JWT signature. If valid, it confirms the calling number was authenticated by the originating carrier.

Certificate Repository

A public infrastructure (STI-CR) where carriers publish their public certificates. The certificate URL is embedded in the PASSporT token so verifying parties know where to retrieve it.

; STIR/SHAKEN Identity header in SIP INVITE
Identity: eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cHM6Ly9jZXJ0LmV4YW1wbGUuY29tL2NlcnQucGVtIn0.eyJhdHRlc3QiOiJBIiwiZGVzdCI6eyJ0biI6WyIxMjAyNTU1MDEwMCJdfSwiaWF0IjoxNzA5MDAwMDAwLCJvcmlnIjp7InRuIjoiMTIwMjU1NTAxMDAifSwib3JpZ2lkIjoiMTIzNDU2NzgtMTIzNC0xMjM0LTEyMzQtMTIzNDU2Nzg5YWJjIn0.signature;info=<https://cert.example.com/cert.pem>;alg=ES256;ppt=shaken
; The two base64url segments before ".signature" decode to:
; header  {"alg":"ES256","ppt":"shaken","typ":"passport","x5u":"https://cert.example.com/cert.pem"}
; payload {"attest":"A","dest":{"tn":["12025550100"]},"iat":1709000000,"orig":{"tn":"12025550100"},"origid":"12345678-1234-1234-1234-123456789abc"}

3. Attestation levels — A, B, and C

The attest field in the PASSporT indicates how confident the originating carrier is that the caller is authorized to use the claimed number:

Level A — Full Attestation (highest trust)
The carrier has a direct relationship with the customer and can verify the customer is authorized to use the calling number. The number is assigned to the customer's account. This is the gold standard — calls with A attestation are treated as legitimate by terminating carriers.

Level B — Partial Attestation (medium trust)
The carrier authenticated the originating gateway or device but cannot verify the calling number itself. Common when a carrier routes calls through an intermediary or when the customer is a business using a number that isn't in the carrier's number inventory.

Level C — Gateway Attestation (lowest trust)
The carrier received the call from an upstream carrier or gateway and cannot make any assertion about the calling number. The carrier is just passing the call through. C-attested calls are the most likely to be flagged as spam or dropped by analytics engines.

From an engineering perspective: if your calls are being labeled as spam or dropped, check your attestation level. Most legitimate business VoIP deployments should be getting A or B attestation from their carrier.

4. Common failure modes

Failure 01: No Identity header (unsigned calls)
The originating carrier doesn't support STIR/SHAKEN or failed to sign the call. Calls without an Identity header receive no attestation. Terminating carriers may label these as "Unverified" or apply analytics-based spam scoring, and such labeling is increasingly common as carriers adopt strict blocking policies.

Failure 02: Certificate retrieval failure
The verifying carrier can't retrieve the originating carrier's certificate from the URL in the Identity header, so verification fails. Often due to the certificate URL being unreachable, the certificate being expired, or the STI-CR being temporarily unavailable.

Failure 03: Signature validation failure
The JWT signature doesn't validate against the retrieved certificate. Can be caused by the Identity header being modified in transit (by an intermediary that doesn't understand STIR/SHAKEN), clock skew between carriers (the iat timestamp is too old), or a certificate rotation issue.

Failure 04: Number mismatch
The calling number in the PASSporT doesn't match the From header in the SIP INVITE. This happens when intermediaries modify the From header without updating the PASSporT, or when a call is forwarded and the original calling number isn't preserved correctly.

5. STIR/SHAKEN in SIP headers

Three SIP headers are involved in STIR/SHAKEN:

Identity — Contains the signed PASSporT JWT. The info parameter points to the certificate URL. The alg parameter specifies the signing algorithm (ES256 for ECDSA). The ppt parameter specifies the PASSporT profile (shaken for STIR/SHAKEN).

From — Contains the calling number that must match the orig.tn field in the PASSporT.

P-Asserted-Identity (PAI) — Used in some implementations alongside or instead of From for the calling number assertion.

; Full INVITE with STIR/SHAKEN headers
INVITE sip:[email protected] SIP/2.0
From: ;tag=abc123
To:
Identity: eyJ...JWT...signature;info=;alg=ES256;ppt=shaken
P-Asserted-Identity:

6. Diagnosing failures from a trace

When a STIR/SHAKEN failure is suspected:

  1. Check for the Identity header — Is it present in the outbound INVITE? If not, your originating carrier isn't signing the call.
  2. Decode the JWT — The Identity header value before the first semicolon is a base64url-encoded JWT in three dot-separated segments (header, payload, signature). Decode it at jwt.io to inspect the attestation level, timestamp, and number claims.
  3. Check the iat timestamp — The iat (issued at) field must be close to the current time; RFC 8224 recommends a 60-second freshness window. Calls with stale timestamps fail verification. Clock sync issues between carriers can cause this.
  4. Verify the certificate URL is reachable — Curl the URL in the info parameter. If it returns an error, the verifying carrier can't validate the signature.
  5. Compare From header to PASSporT orig.tn — These must match. If an intermediary modified the From header after signing, verification will fail.
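A local decoder for the Identity header (sections 2 and 5) plus the five checks above, added here as an example; it is not SIPSymposium's analyzer or any carrier's verification service. It uses only the Python standard library and runs against a constructed INVITE whose Identity token is the one shown in section 2; the hostnames, the tag and the `now` values are assumptions. It parses the info URL and compares it with the token's x5u but does not fetch it, and it does not verify the ES256 signature, which needs the certificate and an ECDSA library. Decoding locally like this also keeps production tokens out of third-party sites.

```python
"""Decode a STIR/SHAKEN Identity header and apply the trace checks from section 6.

Added example for this guide, not SIPSymposium's analyzer. Standard library only: the
ES256 signature is not verified (that needs the certificate from the x5u/info URL and
an ECDSA library), and the certificate URL is parsed, not fetched.
"""
import base64
import json
import re
import time

FRESHNESS_WINDOW_S = 60  # RFC 8224 recommends a 60-second window around 'iat'

# The Identity token shown in section 2 of this guide; its third segment is the
# literal placeholder "signature", so it could never verify cryptographically.
SAMPLE_TOKEN = (
    "eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cHM6Ly9jZXJ0LmV4YW1wbGUuY29tL2NlcnQucGVtIn0."
    "eyJhdHRlc3QiOiJBIiwiZGVzdCI6eyJ0biI6WyIxMjAyNTU1MDEwMCJdfSwiaWF0IjoxNzA5MDAwMDAwLCJvcmlnIjp7InRuIjoiMTIwMjU1NTAxMDAifSwib3JpZ2lkIjoiMTIzNDU2NzgtMTIzNC0xMjM0LTEyMzQtMTIzNDU2Nzg5YWJjIn0."
    "signature"
)

# Constructed sample INVITE (hostnames and tag are made up, not from a real trace).
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:12025550100@term.example.net SIP/2.0",
    "From: <sip:+12025550100@orig.example.com>;tag=abc123",
    "To: <sip:12025550100@term.example.net>",
    "P-Asserted-Identity: <sip:+12025550100@orig.example.com>",
    f"Identity: {SAMPLE_TOKEN};info=<https://cert.example.com/cert.pem>;alg=ES256;ppt=shaken",
    "", "",
])


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def parse_identity(value: str) -> dict:
    """Split an Identity header into decoded PASSporT header/payload plus its ;parameters."""
    token, *params = [part.strip() for part in value.split(";")]
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("PASSporT must be header.payload.signature")
    parsed = {
        "header": json.loads(b64url_decode(segments[0])),
        "payload": json.loads(b64url_decode(segments[1])),
        "signature_b64": segments[2],
    }
    for param in params:                       # info=<url>, alg=ES256, ppt=shaken
        name, _, val = param.partition("=")
        parsed[name] = val.strip("<>")
    return parsed


def sip_headers(message: str) -> dict:
    """Map lower-cased header names to values for one SIP message (no folded lines)."""
    headers = {}
    for line in message.split("\r\n")[1:]:     # skip the request line
        if not line:                           # blank line ends the header block
            break
        name, _, val = line.partition(":")
        headers[name.strip().lower()] = val.strip()
    return headers


def tn_from_uri(header_value: str) -> str:
    """Digits of the user part of a From/PAI URI: '<sip:+12025550100@x>;tag=1' -> '12025550100'."""
    match = re.search(r"(?:sips?|tel):([^@;>]+)", header_value)
    return re.sub(r"\D", "", match.group(1)) if match else ""


def diagnose(invite: str, now: int) -> list:
    """Run the section 6 checks on one INVITE; an empty list means nothing obviously wrong."""
    headers = sip_headers(invite)
    findings = []
    if "identity" not in headers:                                     # step 1
        return ["Failure 01: no Identity header, call is unsigned"]
    try:
        ident = parse_identity(headers["identity"])                    # step 2
    except ValueError as exc:   # binascii.Error and JSONDecodeError are ValueErrors too
        return [f"Failure 03: Identity header is not a decodable PASSporT ({exc})"]
    hdr, claims = ident["header"], ident["payload"]
    if hdr.get("alg") != "ES256" or hdr.get("ppt") != "shaken":
        findings.append(f"unexpected alg/ppt in PASSporT header: {hdr.get('alg')}/{hdr.get('ppt')}")
    age = now - int(claims.get("iat", 0))                              # step 3
    if abs(age) > FRESHNESS_WINDOW_S:
        findings.append(f"Failure 03: iat is {age}s from now, outside the {FRESHNESS_WINDOW_S}s window")
    cert_url = ident.get("info")                                       # step 4 (parse only)
    if not cert_url or cert_url != hdr.get("x5u"):
        findings.append(f"Failure 02: info parameter {cert_url!r} missing or differs from x5u {hdr.get('x5u')!r}")
    orig_tn = str(claims.get("orig", {}).get("tn", ""))               # step 5
    from_tn = tn_from_uri(headers.get("from", ""))
    if from_tn != orig_tn:
        findings.append(f"Failure 04: From number {from_tn!r} != PASSporT orig.tn {orig_tn!r}")
    if claims.get("attest") == "C":
        findings.append("attestation C: gateway only, likely to be spam-scored downstream")
    return findings


if __name__ == "__main__":
    for label, now in (("at signing time", 1709000010), ("right now", int(time.time()))):
        print(label, "->", diagnose(SAMPLE_INVITE, now) or ["no findings"])
```

Run as a script it reports no findings when `now` is ten seconds after the token's iat and a stale-iat finding when run against the real clock, which is exactly the Failure 03 symptom a carrier's verifier would produce for a replayed or clock-skewed INVITE. To use it on a captured trace, pass the raw INVITE text to `diagnose()` with the capture time as `now`.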

7. Implementation checklist

8. Analyze your trace automatically

Paste your SIP trace into SIPSymposium for an instant AI-powered analysis. Get specific findings, severity rankings, and actionable recommendations in seconds.

Frequently asked questions

What is STIR/SHAKEN?

STIR/SHAKEN is a framework for cryptographically signing caller ID on VoIP calls. The originating carrier signs a PASSporT token (a JWT) asserting that the calling number is authorized, inserts it in the SIP Identity header, and the terminating carrier verifies the signature. It was mandated by the FCC in 2021 under the TRACED Act to combat caller ID spoofing.

What are STIR/SHAKEN attestation levels A, B, and C?

Attestation A (Full) means the carrier verified the caller is authorized to use the calling number — highest trust. Attestation B (Partial) means the carrier authenticated the device but not the specific number. Attestation C (Gateway) means the carrier is just passing the call through and cannot make any assertion about the number — most likely to be flagged as spam.

Why are my calls being flagged as spam despite STIR/SHAKEN?

Calls get flagged as spam when they receive C attestation (gateway only), when the PASSporT signature fails verification, when the iat timestamp in the token is stale, or when the certificate URL is unreachable. Check your carrier portal to confirm you are receiving A or B attestation and that your SBC is not modifying the From header after signing.

Getting calls flagged as spam or dropped?

Paste your SIP trace into SIPSymposium. The analyzer checks for STIR/SHAKEN Identity headers, decodes attestation levels, identifies missing signatures, and flags number mismatches between the PASSporT and SIP headers.
