STIR/SHAKEN Inbound Verification


David Preo


Configuration and testing guidelines

The deadline for service providers to comply with STIR/SHAKEN is June 30, 2021. As part of Bandwidth’s STIR/SHAKEN roadmap, we provide an Inbound Verification (VERSTAT) feature. With this feature, Bandwidth customers can receive STIR/SHAKEN verification results for inbound calls via SIP headers. This is an optional feature that can be enabled in the Bandwidth Dashboard at no additional charge. 

How Inbound Verification works

For STIR/SHAKEN attested calls, Bandwidth invokes an STI-Verification Service (STI-VS) function to verify inbound calls and then signals the results of the verification to our customers. Bandwidth passes the STIR/SHAKEN verification results in the SIP INVITE for the incoming call.

Note: The green box in the lower right corner of the diagram below shows this new capability. 

Inbound Verification toggle

Verified Inbound SIP header formats


No signaling change. The SIP INVITE header won't be changed from what you receive today.

On - Verification Status

The SIP INVITE will display VERSTAT in the P-Asserted-Identity, with possible values of TN-Validation-Passed, TN-Validation-Failed, or No-TN-Validation.

Note: If no VERSTAT value is present, then there was no Identity Header in the incoming SIP INVITE.


On - Enhanced Verification Status

The SIP INVITE will have a VERSTAT “Attestation-Indicator” and “Origination-ID” in the P-Asserted-Identity, like the example below. In addition, P-Attestation-Indicator and P-Origination-ID headers will be present. 

P-Origination-ID= b37efe53-564d-5095-b66d-720366cc1395

Enabling Inbound Verification

There are two options for Inbound Verification: 

  • Verification Status: Bandwidth provides the standard VERSTAT information. 
  • Enhanced Verification Status: Bandwidth provides VERSTAT, attestation level, and the origination ID for traceback. 

The Inbound Verification settings are configured per Location in the Bandwidth Dashboard. To enable this service:

  1. Log into the Bandwidth Dashboard.
  2. In the top right corner, click Account and select Locations.
  3. Scroll down to Origination Settings.
  4. Toggle the Inbound Verification Results button to On and select either Verification Status or Enhanced Verification Status


Once enabled, inbound STIR/SHAKEN calls that have been signed by the Originating Service Provider (OSP) with a SHAKEN Personal Assertion Token (PASSporT) will include the verification results.

Note: Not all calls will include verification results as many service providers are still in the process of rolling out STIR/SHAKEN in their networks.

Testing Inbound Verification

Note: We recommend testing one Location before enabling the feature across all Locations.

  1. To begin, create a new test Location in your Bandwidth Dashboard account and order a Bandwidth phone number specifically for testing. 
  2. Call the test number from another Bandwidth number in your production account (if available). A call from a Bandwidth number using a Bandwidth number will receive A-level attestation and the inbound call will include the resulting headers.
  3. To date, we have performed STIR/SHAKEN interoperability testing with Verizon, Comcast, and T-Mobile/Sprint, so a test call from a number with any of these providers should result in A-level attestation with the appropriate headers. 

Additional STIR/SHAKEN resources

Article is closed for comments.