What Is STIR/SHAKEN?
STIR/SHAKEN is a call authentication framework designed to combat caller ID spoofing, a common technique used in illegal robocalls. The name stands for:
• STIR – Secure Telephone Identity Revisited
• SHAKEN – Signature-based Handling of Asserted information using toKENs
Together, these standards allow phone carriers to digitally sign and verify the caller ID information in SIP-based phone calls. The goal is simple: if recipients and service providers can trust the displayed caller ID, they can make better decisions about whether to answer, filter, or block a call.
STIR/SHAKEN doesn’t block calls itself, but it creates a trust layer for the identity of each caller, which downstream systems (or users) can use to take action.
What Is STIR/SHAKEN Technology?
STIR/SHAKEN works by attaching a cryptographically signed token to SIP calls — specifically in the form of an Identity header that carries a PASSporT (Personal Assertion Token).
This process involves three main components:
• PASSporT: A signed JSON Web Token (JWT) that contains metadata like the caller’s number, the recipient’s number, timestamp, and attestation level.
• SIP Identity Header: The carrier attaches the signed PASSporT into a SIP INVITE request as the “Identity” header.
• Certificate Authority (CA): To sign the PASSporT, the originating service provider must hold a valid certificate issued by a recognized CA within the STIR/SHAKEN ecosystem.
By checking this signature and the certificate used to generate it, the receiving network can verify the authenticity of the call’s claimed origin — without needing to trust the calling device or user directly.
How Does STIR/SHAKEN Work in Practice?
Here’s a simplified version of how the process flows:
Outbound Call (Authentication Service):
1. A user places a call.
2. The originating carrier checks whether the caller has the right to use the calling number.
3. If it does, the carrier:
• Generates a PASSporT with attestation level A, B, or C.
• Signs it using its private key.
• Inserts it as an Identity header in the SIP INVITE.
4. The call is routed to the next hop (e.g., another carrier or the final destination).
Inbound Call (Verification Service):
1. The receiving carrier extracts the Identity header.
2. It retrieves the public certificate from the STI-CA system to verify the signature.
3. It compares metadata (caller, callee, timestamp) to ensure integrity.
4. If the PASSporT checks out, the call can be marked as verified (e.g., a green check mark on the user’s device). In reality this is just providing information to the Call Validation / Treatment (CVT) platform.
This system ensures that any tampering with the call identity along the way invalidates the signature, making spoofing much harder in verified networks.
Why STIR/SHAKEN Matters More Than Ever
Illegal robocalls and spoofed caller IDs continue to erode trust in voice communications. The STIR/SHAKEN framework is a critical step toward restoring that trust by verifying the identity of callers at the network level. Below are seven key facts every service provider should know.
1. STIR/SHAKEN Uses Caller ID Authentication to Fight Robocalls
STIR/SHAKEN is a substantial technology aimed at stopping "robocalling" by targeting the unverifiability of Caller ID. The hypothesis is that if call recipients could really know who was calling, we could better judge whether we wanted to answer the call.
2. The FCC and Canadian CRTC Mandate STIR/SHAKEN Compliance
In November 2018, US Federal Communications Commission (FCC) sent letters to major Telephone Providers, including AT&T, Verizon, and Comcast, asking them to implement STIR/SHAKEN in 2019.
In Canada, the CRTC has required many providers to implement STIR/SHAKEN telephony validation within 2019.
3. Major Carriers Began Implementing STIR/SHAKEN
Some of the major telephone providers have hinted they would have STIR/SHAKEN operating in their networks before summer, 2019. The goal is to provide a special display on telephone calls.
Display examples courtesy Richard Shockey, Shockey Consulting.
4. STIR/SHAKEN Does Not Block Calls - It Enables Smarter Blocking
STIR/SHAKEN does not block any telephone calls. But when it is fully implemented, customers and Voice service providers may choose to block calls that do not come from a verifiable Caller ID. If you can't tell who's calling, you probably don't want to talk to them.
5. STIR/SHAKEN Adds a Cryptographically Signed Identity Header to SIP Calls
STIR/SHAKEN adds a new cryptographically-signed header to the SIP header of telephone call. Many SBCs block unknown headers, but the new Identity header should be allowed to pass through the network unchanged to allow the recipient to validate the call.
The Identity header will be computed by the "Authentication Service" function, and then added to the SIP message. The Identity header is expected to transit the network unchanged to the final recipient, who will verify it with the "Verification Service" function. The Identity header includes both the original calling party number, called party number, and also an indication of the confidence that the originator has in the validity of the caller ID -- i.e., the "attestation level". A "fully attested" call is one for which the Voice service provider has absolute confidence that the caller has the right to make a call from that telephone number.
Example SIP INVITE with STIR/SHAKEN "Identity" Header
INVITE sip:+12155551213@tel.example1.net SIP/2.0
Via: SIP/2.0/UDP 10.36.78.177:60012;branch=z9hG4bK-524287-1--- 77ba17085d60f141;rport
Max-Forwards: 69
Contact: <sip:+12155551212@69.241.19.12:50207;rinstance=9da3088f36cc528e>
To: <sip:+12155551213@tel.example1.net>
From: "Alice"<sip:+12155551212@tel.example2.net>;tag=614bdb40
Call-ID: 79048YzkxNDA5NTI1MzA0OWFjOTFkMmFlODhiNTI2OWQ1ZTI
P-Asserted-Identity: "Alice"<sip:+12155551212@tel.example2.net>,<tel:+12155551212>
CSeq: 2 INVITE
Allow: SUBSCRIBE, NOTIFY, INVITE, ACK, CANCEL, BYE, REFER, INFO, MESSAGE, OPTIONS Content-Type: application/sdp
Date: Fri, 11 Jan 2019 19:23:38 GMT
Identity: eyJhbGciOiJFUzI1NiIsInR5cCI6InBhc3Nwb3J0IiwicHB0Ijoic2hha2VuIiwieDV1IjoiaHR0cDovL2NlcnQtYXV0aC5wb2Muc3lzLmNbWNhc3QubmV0L2V4YW1wbGUuY2VydCJ9eyJhdHRlc3QiOiJBIiwiZGVzdC6eyJ0biI6IisxMjE1NTU1MTIxMyJ9LCJpYXQiOiIxNDcxMzc1NDE4Iiwib3JpZyI6eyJ0biI64oCdKzEyMTU1NTUxMjEyIn0sIm9yaWdpZCI6IjEyM2U0NTY3LWU4OWItMTJkMy1hNDU2LTQyNjY1NTQ0MDAwMCJ9._28kAwRWnheXyA6nY4MvmK5JKHZH9hSYkWI4g75mnq9Tj2lW4WPm0PlvudoGaj7wM5XujZUTb_3MA4modoDtCA ;info=<http://cert.example2.net/example.cert>;alg=ES256
Content-Length: 153
v=0
o=- 13103070023943130 1 IN IP4 10.36.78.177
c=IN IP4 10.36.78.177
t=0 0
m=audio 54242 RTP/AVP 0
a=sendrecv
Example courtesy Martin Dolly, AT&T
6. Incorrect Attestation Levels Can Render STIR/SHAKEN Ineffective
It is possible for Voice service providers to wrongly "attest" ownership and validity of telephone numbers; they can produce Identity headers that they should not. If a Voice service provider is discovered to do this, then other service providers may choose not to trust anything signed by that "bad actor" Voice service provider. But doing this will require recipients to assess the quality of the Identity headers.
Because of this, the rules about deciding who can attest telephone calls are unresolved. The expectation in the US is that any company with the right to "own telephone numbers" -- i.e., they have an Operating Company Number, OCN -- will have the right to attest telephone calls.
7. Multi-Carrier Enterprises Face STIR/SHAKEN Implementation Challenges
Initially, the expectation is that service providers will Attest calls (i.e., including adding STIR/SHAKEN Identity headers) for telephone numbers directly assigned or ported to them. For example, if your number is ported to Comcast, and you both receive your calls through Comcast, and place your outbound calls through Comcast, then Comcast is in a perfect position to Attest your calls. But if you also need to place outbound called through another carrier, say, CenturyLink, then CenturyLink would not initially be able to Attest your calls. Your calls placed through Comcast may have the "Green Checkbox" of approval, but calls placed through CenturyLink would not. A method called Telephone Number - Proof of Possession, or TN-POP, is under development to accommodate this common and critical type of arrangement.
Understanding STIR/SHAKEN Attestation Levels
As part of the STIR/SHAKEN framework, attestation levels indicate how confident a service provider is that the caller is authorized to use the calling number. These levels are embedded in the signed PASSporT and help downstream carriers assess the trustworthiness of a call.
There are three STIR/SHAKEN attestation levels:
Full Attestation (Level A)
The provider fully verifies the caller and their right to use the calling number.
The caller is a known customer (or enterprise)
The provider assigned the number or validated number ownership
This is the highest confidence level
Example: A call from a SIP trunk belonging to an enterprise with a valid number assigned by the provider.
Partial Attestation (Level B)
The provider knows the caller, but cannot verify the caller's right to use that particular calling party phone number.
The caller is a known customer
The number being used may not belong to the customer, nor may they have a right to use that number.
Confidence level in the calling party number is moderate.
Example: A call from a SIP trunk that has been forwarded through the customer's PBX back to the originating service provider.
Gateway Attestation (Level C)
The provider is simply passing along the call and cannot verify the caller’s identity or right to use the number.
The caller is not authenticated
The provider is acting as a gateway
This is the lowest confidence level.
Example: A call received from another provider without any verification, such as calls traversing international routes.
Why It Matters
Carriers, analytics engines, and spam filters use attestation levels to help determine whether to trust, flag, or block a call. Repeated misuse of Level A by a provider (e.g., incorrectly signing calls as fully attested) can lead to distrust across the ecosystem — and even FCC enforcement actions.
In short, attestation is the backbone of STIR/SHAKEN trust. It’s not just about signing the call — it’s about signing it correctly.
Where STIR/SHAKEN Stands Today (2025 Update)
As of 2025, STIR/SHAKEN has been implemented by most major voice service providers in the United States and Canada, including many smaller and regional carriers. The FCC has enforced compliance deadlines and now requires even intermediate and gateway providers to support STIR/SHAKEN, particularly in IP-based networks.
Still, challenges remain in networks that rely on legacy TDM infrastructure, where STIR/SHAKEN cannot be fully applied. In such cases, out-of-band solutions are being explored to bring call verification to non-IP systems.
