STIR/SHAKEN
STIR/SHAKEN is a SIP caller-ID authentication framework that cryptographically signs every outbound call with an attestation level. It is mandated by the FCC for all originating US carriers and is increasingly required worldwide to combat illegal robocalls.
How it works
STIR (Secure Telephony Identity Revisited, RFC 8224) defines how an originating carrier signs the calling number using a private key tied to the carrier's certificate. SHAKEN is the deployment profile that says where the signature lives in the SIP message and how the receiving carrier verifies it.
The signature is carried in the Identity SIP header. It contains a JWT signed with ES256, plus an info URL pointing to the carrier's public certificate. The terminating carrier fetches the cert, verifies the signature, and either passes the call through, displays a verified-caller indicator, or blocks/labels it as spam.
Attestation levels
- A (Full): originating carrier authenticated the customer and authorized them to use the calling number.
- B (Partial): carrier authenticated the customer but not the number.
- C (Gateway): carrier received the call from another carrier and is just passing it through — no end-customer relationship.
Calls signed B or C are aggressively flagged as 'Spam Likely' on most US mobile carriers. DIDHub signs all originating traffic A.
Why it matters
Without A-attestation, your outbound calls increasingly land as 'Scam Likely', 'Potential Spam', or are silently rejected. T-Mobile, AT&T, and Verizon use the attestation level (along with traffic patterns) as the primary signal for spam labeling.
For inbound calls the receiving party can verify the signature, which is what enables 'verified caller' indicators on iPhone and Android.
Example Identity header
Identity: eyJhbGciOiJFUzI1NiIsInR5cCI6InBhc3Nwb3J0IiwicHB0Ijoic2hha2VuIiwieDV1IjoiaHR0cHM6Ly9jZXJ0LmRpZGh1Yi5pby9zaGFrZW4uY3J0In0. eyJhdHRlc3QiOiJBIiwiZGVzdCI6eyJ0biI6WyIxNTU1NzY1NDMyMSJdfSwiaWF0IjoxNzAwMDAwMDAwLCJvcmlnIjp7InRuIjoiMTU1NTEyMzQ1NjcifSwib3JpZ2lkIjoiYWJjMTIzIn0. <ECDSA-signature> ;info=<https://cert.didhub.io/shaken.crt>;alg=ES256;ppt=shaken
References
- RFC 8224 — Authenticated Identity Management in SIP
- RFC 8225 — PASSporT (Personal ASSertion Token)
- FCC Call Authentication Trust Anchor
Related terms
Ready to get a number?
Pick a DID in 130+ countries from $1.99/month. Activates instantly on most numbers.