# STIR/SHAKEN

STIR/SHAKEN is the industry framework for authenticating caller ID on calls that cross the phone network, designed to combat spoofing and illegal robocalls. Each call carries a cryptographically signed identity token stating who originated it and how confident the originating provider is in the caller ID. Cloud Voice participates fully: outbound calls are signed automatically, and inbound calls have their signatures verified, with no configuration required on your side.

## Attestation levels

The signing provider attaches one of three attestation levels to each call:

| Level | Name | Meaning |
| --- | --- | --- |
| **A** | Full attestation | The provider knows the customer **and** verified they are entitled to use the caller ID |
| **B** | Partial attestation | The provider knows the customer, but hasn't verified their right to the caller ID |
| **C** | Gateway attestation | The provider is only passing the call along (e.g. from an international gateway) |

Higher attestation gives downstream carriers and analytics engines more confidence in the call, which affects how it's presented to the person you're calling.

## How Cloud Voice signs your calls

Every outbound call to the phone network is signed as it leaves Cloud Voice, using an identity token (a PASSporT) generated under our carrier certificate. Because [outbound caller ID validation](/sip/routing/outbound/) guarantees a trunk can only present numbers authorized on your account, your calls qualify for signing with **full (A) attestation**: the strongest signal a call can carry.

There is nothing to enable: signing applies to all outbound trunk calls automatically.

## Inbound verification

Calls arriving at your numbers are checked too. Cloud Voice verifies the inbound call's signature and confirms the signing certificate chains to an industry-approved STIR/SHAKEN certificate authority. Calls whose signature fails verification are stripped of their attestation claims, a forged "full attestation" can't be smuggled through to you, but the call itself still completes, so a verification failure never costs you a legitimate call.

## What you should expect

- **Outbound**: your calls carry A-level attestation, which helps them display normally instead of being flagged by carrier analytics. Presenting numbers you own (and keeping caller ID validation clean) is what preserves this.
- **Inbound**: verified attestation information is passed to your equipment where supported, and unverifiable claims are removed.
- **No configuration**: signing and verification are platform features; there are no toggles on trunks or numbers.

:::note
STIR/SHAKEN attestation is one input into how carriers label calls, it does not by itself guarantee a "verified" checkmark or prevent every spam label, since carriers also weigh calling patterns and number reputation.
:::
