Implement STIR/SHAKEN attestation on outbound SIP calls

Verified steps

1. Obtain a STIR/SHAKEN certificate from an authorized Certificate Authority listed in the ATIS/SIP Forum Certificate Policy; since September 2025 the FCC requires every obligated voice provider to sign calls with their own certificate rather than relying on an upstream provider.
2. Integrate an authentication service (AS) — either a vendor product or open-source library — that accepts call metadata (calling number, called number, timestamp) and produces a signed PASSporT JWT using your certificate's private key.
3. Select the attestation level: Full (A) if you authenticated the subscriber and they are authorized to use the calling number; Partial (B) if you authenticated the subscriber but cannot confirm number authorization; Gateway (C) if you can only authenticate the call's source.
4. The AS encodes the PASSporT as a compact JWS and inserts it into the SIP Identity header of the outgoing INVITE; the header also references the certificate retrieval URL (info parameter) so the verification service (VS) can fetch the cert.
5. On the terminating side, deploy or integrate a verification service that fetches the certificate from the URL in the Identity header, validates the JWS signature, checks the PASSporT claims (origid, iat, orig, dest), and optionally sets a display label based on attestation level.
6. Test your implementation by calling a number that displays a STIR/SHAKEN result (e.g., many mobile carrier subscribers see a 'Verified' indicator); use a SIP trace tool to inspect the Identity header on the wire.