STIR/SHAKEN 302 redirect setup for FreePBX?

We are working on the new FCC regulations for robocalling and require this to be set up. Has anyone configured this on their system? If so, what are the steps? I can’t seem to find any information for FreePBX.

I’m guessing like others who have posted in the past few days you are wanting to take an Identity header from the 302 Redirect and stick it on an outgoing INVITE. That’s not currently supported in Asterisk.

Great. I love the FCC. What is the work around?

Craptacular… I’m dealing with the same issue…
Remember, we’re the government… we’re here to help…

Cheapest we found was $500 a month. So stupid


@jcolp I know you’re on the Asterisk side, but thinking out loud here: is this something that could be accomplished with a FreePBX module somehow? Have a module that reaches out to the SHAKEN token authority, validates the PBX, then adds the token into the INVITE header directly on the PBX prior to it heading out on its normal trunk path?

So you sign your own calls?

Asterisk provides the PJSIP_HEADER dialplan function to add arbitrary headers to outgoing INVITE requests.

Does the service provide APIs for this purpose? If so, then it may be possible. I’ve also pinged a few SBC experts, and it seems likely that an SBC could be programmed to use the SIP 302 method.
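The 302 method discussed above returns the signed Identity header in the redirect response, and the caller copies it onto the outgoing INVITE (for example with PJSIP_HEADER). The sketch below is an added example, not code from this thread, Asterisk or FreePBX: it pulls the header out of a constructed 302 and checks that the PASSporT claims match the call before the value is reused. The hostnames, numbers and function name are made up, and the ES256 signature is not verified here.

```python
import base64
import json

def _b64(obj):
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample data; the third JWT part is a placeholder, not a real signature.
SAMPLE_JWT = ".".join([
    _b64({"alg": "ES256", "ppt": "shaken", "typ": "passport",
          "x5u": "https://certs.example.invalid/sp.pem"}),
    _b64({"attest": "A", "dest": {"tn": ["12155550113"]}, "iat": 1700000000,
          "orig": {"tn": "12155550112"},
          "origid": "00000000-0000-4000-8000-000000000000"}),
    "c2lnbmF0dXJlLXBsYWNlaG9sZGVy",
])
SAMPLE_302 = (
    "SIP/2.0 302 Moved Temporarily\r\n"
    "Contact: <sip:12155550113@sbc.example.invalid>\r\n"
    f"Identity: {SAMPLE_JWT};info=<https://certs.example.invalid/sp.pem>"
    ";alg=ES256;ppt=shaken\r\n"
    "Content-Length: 0\r\n\r\n"
)

def _decode(part):
    # JWT segments are base64url without padding; restore it before decoding.
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def identity_from_302(response, caller_tn, dialed_tn, now, max_age=60):
    """Return (Identity header value, claims) or raise ValueError."""
    head = response.split("\r\n\r\n", 1)[0].split("\r\n")
    if not head[0].startswith("SIP/2.0 302"):
        raise ValueError("not a 302 response")
    values = []
    for line in head[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "identity":
            values.append(value.strip())
    if len(values) != 1:
        raise ValueError("expected exactly one Identity header")
    parts = values[0].split(";", 1)[0].split(".")
    if len(parts) != 3:
        raise ValueError("malformed PASSporT")
    hdr, claims = _decode(parts[0]), _decode(parts[1])
    if hdr.get("ppt") != "shaken" or hdr.get("alg") != "ES256":
        raise ValueError("not a SHAKEN PASSporT")
    if claims.get("orig", {}).get("tn") != caller_tn:
        raise ValueError("orig tn does not match the caller ID")
    if dialed_tn not in claims.get("dest", {}).get("tn", []):
        raise ValueError("dest tn does not match the dialed number")
    if abs(now - claims.get("iat", 0)) > max_age:  # freshness window (assumed 60 s)
        raise ValueError("PASSporT is stale")
    return values[0], claims
```
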

I am confused here. Why does FreePBX have to be involved in signing a call? STIR/SHAKEN and getting a token is for service providers. Why would your PBX sign a call? That is the job of the service provider. Last I knew you could not even get a token if you are not an FCC 499 filer.


Not just that, you need an OCN and be the number authority since then you actually own the numbers.

I tried to get a token and not having an OCN stopped that.

I’m still trying to sort my way through all of this myself.

To me, if you don’t operate an SBC or have your own network facilities, you shouldn’t be required to sign your own traffic because you physically can’t. Apparently the FCC and Sangoma (VoIP Innovations) disagree with my position based on the latest guidelines.

All OTT (Over the Top) service providers must be SHAKEN compliant by June 30, 2022. It was June 30, 2023 but the FCC changed it because apparently the vast majority of robocalling is coming from small OTT providers. (Forget the fact that a report just issued shows that 75% of all current robocalls are SHAKEN signed…).

It seems like the government gun control model to me, “let’s make it harder for good guys to get guns because some bad guys use them for bad purposes.”

This means that if you resell SIP trunks and provide PBXs for your clients you MUST be SHAKEN compliant by June 30, 2022. And yes that means all the benefits of being a ‘de minimis’ company are gone and you must file 499s and get an OCN or contract with a company that has one and can sign your traffic for you…

From VoIP Innovations’ latest documentation:


As announced by the FCC on December 10th, 2021, the FCC has shortened the STIR/SHAKEN implementation extension for all small non-facilities-based voice services providers to June 30th, 2022. Facilities-based voice services providers still have until June 30th, 2023, to implement STIR/SHAKEN.

To summarize: this change means that any company operating as an OTT (over the top) service provider is required to implement STIR/SHAKEN by June 30th of this year.

This 12-month shift in deadline has left many voice service providers scrambling to determine what steps they need to take to prepare their network to be compliant for STIR/SHAKEN, and information regarding what steps to follow can be difficult to find publicly online. The purpose of this document is to de-mystify the STIR/SHAKEN implementation process and create a simple summary of the steps that OTT providers need to follow to be ready for the June 30th deadline.

Do these Requirements Apply to my Telecommunications Business?

A common misconception amongst OTT service providers is that, if your downstream carrier is signing all your outbound traffic, then you can claim Complete STIR/SHAKEN implementation with the FCC. This line of thought is incorrect.

Qualification for STIR/SHAKEN implementation essentially boils down to the following two points:

  - You are operating a business that provides voice service to end users.

  - Your company is operating its own SBC (Session Border Controller) and/or PBX (Private Branch Exchange) that is routing phone calls to/from end users.

If your business checks both boxes, you are a voice service provider that operates your own voice network, and you are subsequently required to implement STIR/SHAKEN into your network and obtain your own SHAKEN certificate, a process that starts with contacting the STI-PA to register and receive a token that is unique to your company.

I can argue this both ways but my arguments don’t count against the FCC. Yes, I resell SIP trunks to my clients and manage their PBX. But it’s THEIR PBX, not mine. Problem is the FCC says the wholesale provider (Sangoma, VoIP Innovations in this case) can’t sign the traffic because they don’t know my end customer. And… traffic must be signed. But you can’t sign if you can’t verify who the end user is. VI being one step removed can’t legally sign the traffic for me.

That said, I would argue that VI knows me, their end customer and if I have an attestation in the Robocall Mitigation Database and a Robocall Mitigation Plan on file, they can sign ALL my traffic because they know me and I have a RM plan in effect.

Traffic must be signed but my provider won’t sign it for me.

It’s a very grey area and VI is taking the cautious approach, which I understand.

So where does that leave the thousands of small OTT providers? Screwed, basically.

IF the solutions for signing traffic offered by OCN holders worked (which at this point they do not), it will still cost me roughly half my current monthly net profit to get compliant.

So I have to decide if it’s worth staying in this business. If so, then I have to expand this end of my business (of which now it is just a part) much further in order to make all the hassle worth it and profitable.


Just because you have VI and a bunch of FreePBX boxes doesn’t make you a “carrier”. You need two very important things to do this.

  1. Be an active 499A filer. That means you are paying FCC directly. VI can’t charge you any federal taxes/fees because you are already paying them. It also means you are doing quarterly and annual reports to the FCC.

  2. You must have an active OCN, Operating Carrier Number. This means you have your own SPIDs and routing. You are a number authority means DIDs are assigned directly to you and you can get pools assigned to you.

Facilities-Based VoIP means you are providing the connection from a CO to the customer. That means the copper/fiber the service is over.

Non-Facilities is over-the-top, but if you need someone like VI to peer to the PSTN and provide you with numbers and you don’t have the above then this is moot.

So basically what this says is, all you have to do is drop your SBC and connect your clients right to VI. Then you don’t have to do this. Seems a bit too easy to get around. The FCC doesn’t find SBCs as an indication of being a carrier/provider.

To stop any arguing. I will contact my compliance guys and legal this week and get the skinny.



I totally agree with you but VI and the FCC don’t. Those are exactly the arguments I’ve been having all along and planned on continuing to make until the 2023 deadline or until I got a definitive answer. Unfortunately they (FCC) decided to change the deadline to June 30th 2022 for all OTT providers, which my compliance company is… strongly indicating… I am.

VI has made it clear that they cannot, and will not sign calls from their customers based on their reading of the FCC rules. So where does that leave me?

If you are the one charging the end user, then you are an OTT provider. Regardless of whether you have an SBC, don’t own the connection to the PSTN etc… That’s the guidance I have been given.

Unfortunately right now nobody seems to be clear on what the rules are and IF I am required to implement SHAKEN at my level of service I want to be able to show that I have made a best effort to do that so that IF I run afoul of the FCC I have some legitimate defense.

This is the issue. My current understanding is that the FCC did a study and found that the vast majority (90%+) of illegal robocalling is coming from small OTT providers. So… if you are a small OTT provider you must implement SHAKEN. This study is what led to the 1 year date change for the deadline.

Relevant FCC docs for the above.

Yes, that was the only option for us.

So you got a token assigned to you?

I guess I need to talk to Bandwidth. I get notices, calls from my account manager, et al. about these things. Something like “we can’t sign your calls after X date” seems like something they would tell me. I haven’t received a single notice about this.

I do not have an answer to your question, but I have a comment that I think is relevant.
I’ve been a big proponent of Stir/Shaken. Here’s my real world observation so far.
I have it all working on my systems, we are A level signed on everything. (through my carrier).

I am blocking all inbound traffic that is C rated, or failed signature.
However, I cannot block unsigned traffic as that accounts for 98% of all traffic.

To make matters worse, spammers are now getting A rated signed numbers and calling me.
So the whole stir/shaken has proven to be a useless waste of time, it was not implemented properly, and it is a dismal failure.


This has been explained by multiple people ad nauseam. STIR/SHAKEN is a carrier to carrier validation system stating the presented CallerID is theirs, another carrier but their customer or a carrier and not their customer (transit).

This is the result of the TRACED Act and allows the call to be traced back to its origin better. STIR/SHAKEN is a cog in a bigger system.

This is why having some third party sign calls on your behalf is strange. Do you own these numbers? As in they were assigned to you by the authority not something you picked from carrier stock. These numbers would show you as the carrier of record for the number? Having a third party giving your Bandwidth numbers an A level when you send out VI seems to break the chain of trust.

You could have your Bandwidth account terminated tomorrow. Bandwidth pulls your DIDs and puts them back in stock. What is stopping this third party from still signing these revoked numbers with an A level for you?

How does a third party validate these are actually your numbers?