API Workflow
Upload the STIR/SHAKEN Certificate
Request

| What you send | Why we need it | Where it is used |
|---|---|---|
| x5u_url (HTTPS URL string) | A public URL that returns the X.509 certificate containing the public key, usually hosted by your STI-CA (e.g., TransNexus) or on your own server. | PASSporT headers include this URL so downstream STIR/SHAKEN verifiers can fetch the certificate, check its TNAuthList, and verify the signature. Placed in the PASSporT header ("x5u": "<your-url>") of every signed call. |
| private_key (PEM-formatted EC-P256 or RSA-2048 key) | The unencrypted private key that belongs to your STIR/SHAKEN certificate. | We use this key to cryptographically sign every PASSporT we attach to your outbound calls. Without it, we cannot generate a valid Identity header. Only our secure signing service ever sees or stores it (encrypted at rest). |
Associate the certificate to an outbound voice profile
Mission Control Portal Workflow
Step 1

Step 2
Simply drag and drop your .pem file and hit “complete” to save.
Step 3

Signing Validation
- Set up an IP connection with a valid public IP. This IP doesn’t need to work. Enable “Receive SHAKEN/STIR Identity SIP header”.

- Assign a US phone number to this connection.
- Call this US phone number from a connection whose outbound voice profile has the STIR/SHAKEN certificate. Make sure the CLI is a US phone number on your account.
- The call is expected to fail with “Temporarily Unavailable (code: 480)”.
- Go to https://portal.telnyx.com/#/debugging/sip-call-flow-tool and find the inbound call legs.
- In the SIP flow, examine the INVITE message. The Identity header is expected to be present.

- The Identity header is of this expected format:
- Use https://jwt.io/, paste in [LONG_STRING].[LONG_STRING].[LONG_STRING] and decode it.

- Take the first part of the public certificate.

- Paste it into “JWT Signature Verification”. “Valid public key” should show.
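
Added example, not part of the original page and not Telnyx code: a local structural check of the Identity header copied from the INVITE, so the PASSporT can be decoded and sanity-checked without leaving your machine. It assumes the RFC 8224 header layout (token, then info, alg and ppt parameters) and the SHAKEN claim names; the sample value is constructed, and the script does not verify the signature cryptographically.

```python
import base64
import json

def b64url_decode(part: str) -> bytes:
    """Decode base64url, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def inspect_identity(value: str) -> dict:
    """Split a SIP Identity header value and list structural problems found."""
    token, *raw = [p.strip() for p in value.split(";")]
    params = dict(p.split("=", 1) for p in raw if "=" in p)
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    hdr = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    sig = b64url_decode(parts[2])
    problems = []
    if hdr.get("ppt") != "shaken" or hdr.get("typ") != "passport":
        problems.append("ppt/typ are not shaken/passport")
    x5u = hdr.get("x5u", "")
    if not x5u.startswith("https://"):
        problems.append("x5u is not an HTTPS URL")
    if params.get("info", "").strip("<>") != x5u:
        problems.append("info parameter does not match x5u")
    if claims.get("attest") not in ("A", "B", "C"):
        problems.append("attest is not A, B or C")
    if not isinstance(claims.get("iat"), int):
        problems.append("iat missing or not an integer")
    if not claims.get("orig", {}).get("tn") or not claims.get("dest", {}).get("tn"):
        problems.append("orig.tn or dest.tn missing")
    if not claims.get("origid"):
        problems.append("origid missing")
    if hdr.get("alg") == "ES256" and len(sig) != 64:
        problems.append("ES256 signature is not 64 bytes (r||s)")
    return {"header": hdr, "claims": claims, "params": params, "problems": problems}

# Constructed sample, not a captured call: placeholder URL, numbers, zeroed signature.
_HDR = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
        "x5u": "https://cert.example.test/sti.pem"}
_CLAIMS = {"attest": "A", "dest": {"tn": ["12025550123"]}, "iat": 1700000000,
           "orig": {"tn": "12025550100"}, "origid": "123e4567-e89b-12d3-a456-426614174000"}
SAMPLE = ".".join(b64url_encode(x) for x in (
    json.dumps(_HDR).encode(), json.dumps(_CLAIMS).encode(), bytes(64))
) + ";info=<https://cert.example.test/sti.pem>;alg=ES256;ppt=shaken"

if __name__ == "__main__":
    print(json.dumps(inspect_identity(SAMPLE), indent=2))
```

An empty problems list means the header is well-formed; the x5u value it reports should match the x5u_url you uploaded.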

Cost
$100 per certificate per month.
Billing Behavior for Hosted STIR/SHAKEN Certificates
Telnyx applies usage-based billing rules to hosted STIR/SHAKEN certificates. The following policies help you manage charges effectively:
7-Day Grace Period
When you upload a hosted STIR/SHAKEN certificate for the first time, Telnyx provides a 7-day grace period before billing begins.
- You can upload, associate, test, or remove the certificate during this window without incurring charges.
Charge Cancellation on Certificate Deletion
If the certificate has already been billed and you later delete the hosted certificate from your account:
- Telnyx will cancel the recurring charges associated with that certificate.
- This stops any future monthly billing tied to that hosted certificate.
Charges Apply Once per x5u URL
Hosted certificate billing is based on the x5u URL, not the account.
- Telnyx charges only once per unique x5u URL, regardless of how many accounts upload it.
- If another Telnyx account uploads the same certificate using the same x5u URL, that account will not be charged again.
- A charge occurs only if the x5u URL has never been billed before.