STIR/SHAKEN Compliance for VoIP Carriers
STIR/SHAKEN is no longer optional for VoIP carriers operating in North America: it’s a regulatory and operational imperative. The rise of spoofed caller IDs and fraudulent robocalls has eroded consumer trust in voice communication, prompting regulators and industry stakeholders to adopt call authentication frameworks. STIR (Secure Telephony Identity Revisited) and SHAKEN (Signature-based Handling of Asserted information using toKENs) were developed to restore integrity to the Public Switched Telephone Network (PSTN) by enabling cryptographic verification of caller ID information. For VoIP carriers, compliance isn’t just about avoiding FCC fines; it’s about maintaining interconnectivity, preserving call completion rates, and protecting brand reputation. As termination partners and Tier 1 carriers enforce stricter authentication policies, non-compliant providers face call blocking, reduced answer seizure ratios (ASR), and diminished revenue. This guide breaks down the technical, operational, and regulatory dimensions of STIR/SHAKEN implementation for VoIP, providing actionable insights for service providers navigating this critical transformation. From understanding attestation levels to integrating with certification authorities (CAs) and ensuring proper SIP header signing, this resource equips VoIP operators with the knowledge to remain compliant and competitive.
Table of Contents
- What is STIR/SHAKEN?
- Why STIR/SHAKEN Matters for VoIP Carriers
- How STIR/SHAKEN Works: Technical Overview
- Attestation Levels Explained
- Implementing STIR/SHAKEN in Your Network
- Choosing a STIR/SHAKEN Certification Authority
- Impact on Call Routing and Pricing
- Common STIR/SHAKEN Compliance Mistakes
- The Future of Call Authentication Beyond STIR/SHAKEN
- Frequently Asked Questions
What is STIR/SHAKEN?
STIR/SHAKEN is a framework of technical standards and protocols designed to authenticate caller ID information in VoIP and IP-based telephony networks. STIR refers to the Internet Engineering Task Force (IETF) standards (RFC 8224, RFC 8588) that define how to digitally sign and verify SIP headers using public key infrastructure (PKI). SHAKEN is the service provider implementation framework developed by the Alliance for Telecommunications Industry Solutions (ATIS) that specifies how carriers deploy STIR within their networks, including interactions with trusted certification authorities (CAs) and the handling of identity tokens. Together, they form a layered defense against caller ID spoofing, a primary enabler of robocall scams.
The system works by attaching a digital signature to outbound calls originating from a service provider’s network. This signature, carried in the SIP Identity header, contains information about the calling number, the called number, and the level of attestation. When the call reaches the terminating provider, the signature is validated using certificates issued by an accredited CA. If the signature checks out, the call is marked as “verified” or “authenticated,” increasing the likelihood it will be delivered and answered. If the signature is missing or invalid, the call may be flagged, labeled, or blocked based on the receiving carrier’s policy.
Unlike legacy systems that rely on unverified CLI (Calling Line Identification) or NCLI (Number Not Available), STIR/SHAKEN introduces cryptographic trust into the signaling path. This is particularly critical in VoIP environments where SIP trunks can be easily manipulated to spoof legitimate numbers. By ensuring that only authorized providers can sign calls for numbers they control, STIR/SHAKEN closes a major vulnerability exploited by bad actors. For more on the broader regulatory landscape, see our VoIP Regulatory Compliance Hub.
Why STIR/SHAKEN Matters for VoIP Carriers
For VoIP carriers, STIR/SHAKEN compliance is now a core business requirement, not just a technical checkbox. Non-compliant providers face immediate operational consequences, including call rejection from major termination partners such as Lumen, Tata Communications, and Bandwidth. Tier 1 carriers have implemented aggressive call filtering policies, and calls without a valid Identity header are increasingly routed to low-priority trunks or dropped entirely. This directly impacts ASR, ACD (Average Call Duration), and PDD (Post Dial Delay), all of which influence revenue and customer satisfaction.
Robocall prevention is the driving force behind STIR/SHAKEN adoption. The FCC estimates that U.S. consumers received over 50 billion robocalls in 2023, many of which used spoofed numbers to impersonate banks, government agencies, or local businesses. Carriers that fail to authenticate their traffic are seen as enablers of fraud, leading to regulatory scrutiny and reputational damage. The FCC’s TRACED Act mandates full STIR/SHAKEN deployment for interconnected VoIP providers, with penalties of up to $10,000 per violation. Even if a carrier operates internationally, any traffic terminating in the U.S. or Canada must comply with local authentication rules.
From a wholesale perspective, STIR/SHAKEN compliance affects route pricing and availability. Verified routes, those with full A-level attestation, command premium rates and higher delivery success. For example, a compliant U.S. toll-free route may be priced at $0.012/min, while a non-compliant alternative could be $0.006/min but suffer a 40% blocking rate. This makes low-cost, non-compliant routes economically unsustainable. Carriers looking to buy VoIP routes should prioritize providers with documented STIR/SHAKEN support and transparent attestation reporting.
How STIR/SHAKEN Works: Technical Overview
At the protocol level, STIR/SHAKEN operates by modifying SIP signaling to include cryptographic signatures. When a call is initiated from a registered user agent (e.g., an IP phone or SIP trunk), the originating service provider’s Session Border Controller (SBC) or application server (such as FreeSWITCH or VOS3000) generates a JSON Web Token (JWT) containing the calling number (From header), called number (To header), and attestation level. This token is signed using a private key issued by an accredited CA and inserted into the SIP Identity header.
The JWT structure includes several critical fields: orig (the calling number), dest (the called number), attest (the attestation level), and iat (issue timestamp). The signature is verified by the terminating provider using the originating carrier’s public certificate, which is retrieved from a certificate repository via HTTPS. If the signature validates and the number is within the carrier’s authorized range, the call is marked as authenticated. The verification result is often passed to downstream systems via SIP headers like Privacy or P-Asserted-Identity.
Integration with existing VoIP platforms requires careful configuration. For example, in FreeSWITCH, STIR/SHAKEN signing can be implemented using the mod_stir_shaken module, which interfaces with OpenSSL for JWT generation. In Asterisk, developers use external scripts or dialplan logic to sign outbound INVITEs. Platforms like PortaBilling and Oasis can automate certificate rotation and logging for audit purposes. Real-time monitoring of NER (Network Effectiveness Rating) and MOS (Mean Opinion Score) should include STIR/SHAKEN validation metrics to detect failures early.
It’s important to note that STIR/SHAKEN only authenticates the caller ID, not the media stream. RTP and SRTP encryption must be handled separately. Additionally, the framework does not prevent all fraud—only spoofing of originating numbers. Callers can still make legitimate calls with fraudulent intent, but the ability to impersonate trusted numbers is significantly reduced.
Attestation Levels Explained
STIR/SHAKEN defines three attestation levels—A, B, and C—each representing a different degree of confidence in the caller’s identity. These levels are encoded in the JWT and influence how terminating carriers handle the call. Understanding and correctly applying attestation is critical for maximizing call completion.
- Full Attestation (A-Level): The provider has verified the customer’s authority to use the calling number. This applies to calls from subscribers with registered numbers, such as business PRI lines or residential VoIP accounts. A-level calls are most trusted and least likely to be blocked.
- Partial Attestation (B-Level): The provider knows the calling party is a customer but cannot confirm ownership of the number. This is common in call center environments or hosted PBX systems where users may configure outbound caller IDs. B-level calls are generally accepted but may trigger warnings.
- Gateway Attestation (C-Level): The call entered the provider’s network from an external source, such as an international gateway or third-party SIP trunk. The provider can only attest that the call was received, not the legitimacy of the number. C-level calls face the highest scrutiny and are frequently labeled as “spam likely.”
Choosing the correct attestation level requires accurate customer provisioning data. For example, if a customer has a DID (Direct Inward Dialing) number registered to their account, A-level should be used. If they are using a non-DID number (e.g., a toll-free number not in their portfolio), B-level is appropriate. Mislabeling—such as assigning A-level to a spoofed number—can result in penalties from the FCC or de-peering by trusted partners.
Carriers should implement automated systems to classify calls based on customer type, number ownership, and routing path. For instance, traffic from a known enterprise customer with a static IP and authenticated SIP registration should default to A-level. International inbound traffic via a SIP trunk from an unverified provider should be marked C-level. Logging attestation decisions in CDRs (Call Detail Records) is essential for audits and troubleshooting.
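One way to automate the classification described above, added here as an example and not taken from any platform named on this page. The Call fields, the DID_RANGES provisioning table and the NANP normalization rule are assumptions, and all numbers are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Call:
    calling_tn: str             # caller ID as received on the ingress leg
    customer_id: Optional[str]  # None: arrived from another network or gateway
    ingress: str                # trunk or gateway name, kept for the CDR

def normalize(tn):
    """Digits only; 10-digit NANP numbers get the leading country code 1."""
    digits = re.sub(r"\D", "", tn)
    return "1" + digits if len(digits) == 10 else digits

def attest(call, did_ranges):
    """Return (level, reason) using the A/B/C definitions on this page."""
    if call.customer_id is None:
        # Gateway traffic stays at C even if the number looks like a customer's.
        return "C", "received from external network, origin not verified"
    tn = normalize(call.calling_tn)
    owned = did_ranges.get(call.customer_id, ())
    if tn and any(lo <= int(tn) <= hi for lo, hi in owned):
        return "A", "calling number is within the customer's DID ranges"
    # Known customer, but nothing ties this number to the account: never A.
    return "B", "customer known, authority over number not confirmed"

def cdr_fields(call, did_ranges):
    """Fields to append to the CDR so each decision can be audited."""
    level, reason = attest(call, did_ranges)
    return {"orig_tn": normalize(call.calling_tn), "ingress": call.ingress,
            "customer_id": call.customer_id, "attest": level,
            "attest_reason": reason}

# Constructed provisioning data: customer -> inclusive DID ranges.
DID_RANGES = {"cust-001": [(12155550100, 12155550199)]}
```

Normalizing before the range lookup matters: comparing "+1 (215) 555-0101" against stored digits without it would silently downgrade an owned number to B.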
Implementing STIR/SHAKEN in Your Network
Deploying STIR/SHAKEN requires coordination across multiple technical domains: identity management, certificate handling, SIP stack integration, and real-time monitoring. The first step is registering with an FCC-accredited STIR/SHAKEN certification authority (CA) such as iconectiv, Neustar, or Syniverse. The CA verifies your carrier credentials, assigns a unique Service Provider Code (SPC), and issues a signing certificate. This certificate must be installed on your signing servers, typically SBCs or application platforms like VOS3000 or FreeSWITCH.
Next, configure your SIP infrastructure to generate and sign JWTs for outbound calls. This involves mapping calling numbers to attestation levels based on customer data. For example, in a VOS3000 environment, administrators can define attestation rules in the routing profile, linking DID ranges to A, B, or C levels. The system automatically inserts the Identity header during call setup. It’s critical to ensure clock synchronization (via NTP) across all nodes, as JWTs include timestamps and will fail validation if clocks are skewed by more than 300 seconds.
Testing is a crucial phase. Use tools like SIPp or Wireshark to capture INVITE messages and verify the presence and correctness of the Identity header. Validate the JWT using online decoders or command-line tools like jwt-cli. Partner with a test provider to make sample calls and confirm verification results. Monitor logs for signature failures, certificate expiration, or CA connectivity issues. Automated alerts should be set up for anomalies in signing success rates.
Finally, document your implementation for compliance audits. The FCC may request proof of STIR/SHAKEN deployment, including CA agreements, certificate details, and attestation logic. Regularly rotate signing keys and renew certificates before expiration. For carriers managing multiple brands or subsidiaries, each legal entity may require its own SPC and certificate.
Choosing a STIR/SHAKEN Certification Authority
Selecting the right certification authority (CA) is a strategic decision that affects reliability, cost, and integration complexity. In North America, the FCC recognizes several accredited CAs, each with different service models, APIs, and pricing structures. The most widely used are iconectiv (via its Trusted Communications Platform), Neustar (now part of TransUnion), and Syniverse. Each offers RESTful APIs for certificate management, token validation, and attestation logging.
When evaluating a CA, consider uptime SLAs, API response times, and support for automated provisioning. For high-volume carriers, API rate limits and latency can impact call setup performance. For example, if a CA’s API takes over 200ms to respond, it could increase PDD and degrade MOS. Some providers offer on-premises signing appliances to reduce dependency on external APIs. Others provide hosted signing services, which simplify deployment but may introduce vendor lock-in.
Pricing models vary. Some CAs charge a flat monthly fee (e.g., $500/month for up to 10M calls), while others bill per signed call (e.g., $0.00001 per call). For a carrier handling 50M minutes per month at an average of 3 minutes per call, that’s 16.7M calls—making per-call pricing potentially expensive. Evaluate your traffic profile carefully. Additionally, ensure the CA supports your platform ecosystem. FreeSWITCH users may prefer a CA with open-source SDKs, while PortaBilling operators may want native integration modules.
Redundancy is another factor. Relying on a single CA creates a single point of failure. Consider multi-CA strategies or fallback mechanisms for certificate renewal. Some carriers use one CA for production and another for disaster recovery. Regularly audit your CA relationship for compliance updates and security patches.
| CA Provider | Signing Method | API Latency (avg) | Pricing Model | Platform Support |
|---|---|---|---|---|
| iconectiv | Hosted API | 120ms | $750/month (up to 20M calls) | FreeSWITCH, VOS3000, Oasis |
| Neustar | On-prem appliance | 45ms | $0.000012/call | Asterisk, PortaBilling |
| Syniverse | Hybrid (API + edge) | 90ms | $500/month + $0.000008/call | All major platforms |
Impact on Call Routing and Pricing
STIR/SHAKEN has fundamentally altered the economics of VoIP termination. Verified routes now dominate the wholesale market, with unauthenticated traffic facing increasing friction. Carriers that fail to sign calls see their routes devalued or delisted from major exchanges. For example, a U.S. domestic route with C-level attestation may be priced at $0.004/min but have a 60% delivery rate, whereas an A-level route at $0.009/min achieves 98% delivery. This makes the higher-priced route more cost-effective in terms of actual completed minutes.
Call routing engines must now factor in attestation level as a selection criterion. LCR (Least Cost Routing) algorithms should be updated to prioritize authenticated routes, even if they are slightly more expensive. A route with a lower rate but poor ASR due to blocking will underperform a pricier, compliant alternative. Real-time routing platforms like Oasis and VOS3000 support dynamic path selection based on STIR/SHAKEN status, allowing carriers to optimize for both cost and deliverability.
International traffic is especially affected. Calls from non-STIR/SHAKEN countries (e.g., India, Pakistan) often enter North America via gateway providers and are marked C-level. This increases the risk of labeling and blocking. To improve performance, carriers can partner with U.S.-based gateways that re-originate traffic with B- or C-level attestation. For instance, a call from India to New York may cost $0.008/min to terminate, but if routed through a compliant U.S. hub, it can be re-signed and delivered with higher success. This adds a small margin but preserves revenue.
Wholesale buyers should demand STIR/SHAKEN compliance reports from sellers. These should include average attestation levels, signing success rates, and blocking statistics. The Sell VoIP Routes marketplace on VoIP Wholesale Forum requires providers to disclose attestation capabilities, helping buyers make informed decisions.
Common STIR/SHAKEN Compliance Mistakes
Even experienced carriers make errors during STIR/SHAKEN implementation. One of the most frequent is incorrect attestation level assignment. Assigning A-level to calls from unverified sources—such as SIP trunks with dynamic CLIs—violates FCC guidelines and can trigger penalties. Another common issue is certificate mismanagement. Signing certificates typically expire every 12 months, and failure to renew them results in unsigned calls and immediate blocking. Automated monitoring and renewal workflows are essential.
Time synchronization errors are another pitfall. JWTs include an iat (issued at) timestamp, and most verification systems reject tokens if the clock difference exceeds 5 minutes. Carriers using virtualized environments or cloud instances must ensure all signing nodes sync with a reliable NTP server. A drift of just 6 minutes can cause widespread call failures.
Some providers assume that signing calls is enough, but they neglect downstream verification. Always test end-to-end call flow using services like Hiya or First Orion to confirm that calls are marked as “verified” on consumer devices. Also, ensure that your SBC or application server strips or regenerates the Identity header when re-originating calls, as duplicate or malformed headers can cause validation failures.
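An offline check for the testing step and for the clock-skew and duplicate-header mistakes above, added here as an example rather than code from any platform named on this page. It decodes the Identity header of a captured INVITE and checks the claims against From and To; it does not verify the ES256 signature or fetch the certificate. The function names are assumptions, and the INVITE, numbers, hostnames and signature are constructed.

```python
import base64, json, re

MAX_SKEW = 300  # seconds; the freshness window this page gives

def _enc(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def _dec(part):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    obj = json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))
    return obj if isinstance(obj, dict) else {}

def headers(invite, name):
    """All values of one SIP header, matched case-insensitively."""
    pat = r"^%s[ \t]*:[ \t]*(.*)$" % re.escape(name)
    return [v.strip() for v in re.findall(pat, invite, re.I | re.M)]

def header_tn(invite, name):
    """Digits of the number in the first sip:/tel: URI of a header, or ''."""
    m = re.search(r"(?:sips?|tel):\+?(\d+)", " ".join(headers(invite, name)[:1]))
    return m.group(1) if m else ""

def claim_tn(claims, key):
    val = claims.get(key)
    return val.get("tn") if isinstance(val, dict) else None

def check_identity(invite, now):
    """Structural checks only; returns findings, empty list when clean."""
    ids = headers(invite, "Identity")
    if len(ids) != 1:
        return ["expected exactly one Identity header, found %d" % len(ids)]
    parts = ids[0].split(";")[0].strip().split(".")
    if len(parts) != 3 or not all(parts):
        return ["token is not header.payload.signature"]
    try:
        hdr, claims = _dec(parts[0]), _dec(parts[1])
    except ValueError:
        return ["header or payload is not a base64url JSON object"]
    want = {"alg": "ES256", "ppt": "shaken", "typ": "passport"}
    out = ["%s is %r" % (k, hdr.get(k)) for k, v in want.items() if hdr.get(k) != v]
    if not str(hdr.get("x5u", "")).startswith("https://"):
        out.append("x5u is not an https URL")
    if claims.get("attest") not in ("A", "B", "C"):
        out.append("attest is not A, B or C")
    iat = claims.get("iat")
    if not isinstance(iat, int) or abs(now - iat) > MAX_SKEW:
        out.append("iat missing or outside %ds window" % MAX_SKEW)
    if claim_tn(claims, "orig") != header_tn(invite, "From"):
        out.append("orig.tn does not match From")
    dest = claim_tn(claims, "dest")
    if not isinstance(dest, list) or header_tn(invite, "To") not in dest:
        out.append("dest.tn does not include To")
    return out

def sample_invite(iat, attest="A", copies=1):
    """Constructed INVITE; numbers, hosts and signature are placeholders."""
    hdr = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
           "x5u": "https://cert.example.org/sp.pem"}
    claims = {"attest": attest, "dest": {"tn": ["12155550102"]}, "iat": iat,
              "orig": {"tn": "12155550101"}, "origid": "constructed-origid"}
    token = ".".join((_enc(hdr), _enc(claims), _enc("not-a-real-signature")))
    ident = "Identity: %s;info=<%s>;alg=ES256;ppt=shaken\r\n" % (token, hdr["x5u"])
    return ("INVITE sip:+12155550102@term.example SIP/2.0\r\n"
            "From: <sip:+12155550101@orig.example>;tag=1\r\n"
            "To: <sip:+12155550102@term.example>\r\n" + ident * copies + "\r\n")
```

Passing a capture's own receive time as `now` reproduces what the terminating side saw; a clean result here still needs a real signature verification against the certificate at x5u.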
Finally, many carriers overlook documentation. The FCC requires proof of compliance, including CA agreements, signing logs, and attestation policies. Maintain detailed records and update them regularly. For new carriers, consult our guide on How to Become a Licensed VoIP Carrier for a full compliance checklist.
The Future of Call Authentication Beyond STIR/SHAKEN
While STIR/SHAKEN has significantly reduced spoofed robocalls, it is not a complete solution. It does not address voice phishing, scam content, or number recycling abuse. The industry is now moving toward next-generation frameworks like SHAKEN Call Analytics (SCA), which adds behavioral analysis to detect suspicious calling patterns. For example, a number making 1,000 calls per hour may be flagged even if it has A-level attestation.
Another emerging standard is Communication Provider Trust Authority (CPTA), which aims to extend call authentication to non-VoIP channels like RCS (Rich Communication Services) and OTT apps. CPTA would allow WhatsApp, Apple FaceTime, and Google Messages to participate in a unified trust ecosystem. This is critical as more voice traffic shifts to mobile apps.
AI-driven caller reputation scoring is also gaining traction. Platforms like Hiya and Nomorobo assign risk scores based on call volume, duration, complaint rates, and geographic anomalies. These scores can be passed via SIP extensions or out-of-band APIs to influence call handling. For example, a call with a high fraud score might trigger an IVR challenge before connection.
Carriers should prepare for these developments by building flexible, API-driven architectures. FreeSWITCH and PortaBilling environments can integrate with third-party reputation services using REST hooks. Monitoring forums like the VoIP Forum keeps operators informed about emerging threats and mitigation strategies. For deeper insights into fraud prevention, read our article on Robocall Prevention for VoIP Carriers.
Frequently Asked Questions
What is the difference between STIR and SHAKEN?
STIR refers to the IETF standards that define the cryptographic signing and verification of SIP headers using JWTs and PKI. SHAKEN is the ATIS-defined framework that specifies how service providers implement STIR in their networks, including interactions with certification authorities, attestation policies, and call handling rules. STIR is the protocol; SHAKEN is the operational model.
Do I need STIR/SHAKEN if I only terminate international calls?
If your traffic terminates in the U.S. or Canada, yes. Any interconnected VoIP provider sending calls to North America must comply with FCC and CRTC rules. International carriers that peer with U.S. gateways are responsible for signing calls at the point of entry. Failure to do so results in C-level attestation and higher blocking rates.
Can I use STIR/SHAKEN for toll-free numbers?
Yes. Toll-free numbers (e.g., 800, 888) can be authenticated under STIR/SHAKEN if the carrier has authority to use them. Attestation level depends on verification: A-level if the customer is authorized, B-level if the number is used but not verified. Ensure your CA supports toll-free number enrollment.
How often do STIR/SHAKEN certificates expire?
Signing certificates typically expire every 12 months. Some CAs offer 6-month or 24-month terms. Automated renewal processes are recommended to avoid service disruption. Monitor expiration dates and test certificate rollover procedures during maintenance windows.
Does STIR/SHAKEN encrypt call content?
No. STIR/SHAKEN only authenticates the caller ID in the SIP signaling layer. It does not encrypt voice media. To secure RTP streams, use SRTP with ZRTP or SDES key exchange. Media encryption is separate from call authentication and should be implemented as part of a comprehensive security strategy.
STIR/SHAKEN compliance is now a foundational requirement for sustainable VoIP operations. Carriers that invest in proper implementation gain improved call deliverability, stronger interconnect relationships, and protection from regulatory penalties. As the industry evolves, staying ahead of authentication standards will be key to maintaining trust and profitability. For ongoing support, join the VoIP Wholesale Forum and access expert resources on compliance, routing, and fraud prevention.