Stir/Shaken APIs

STIR/SHAKEN is a framework of interconnected standards. STIR/SHAKEN are acronyms for the Secure Telephone Identity Revisited (STIR) and Signature-based Handling of Asserted Information Using toKENs (SHAKEN) standards.

As every CodeB Node contains a gateway connecting the Stir/Shaken world with the CBAN Antifraud system we offer a couple of public Stir/Shaken APIs in our Antifraud Namespace on:

Test Certificates

Certificates for testing any Stir/Shaken are hard to get and complicated to generate. For that reason we offer two API’s to generate self-signed Stir/Shaken Certificates. Those are

TestCertStirShakenB64 on

This function returns a JSON Token containing the certificate and the private key.

TestCertStirShakenP12 on

This function returns a JSON Token containing a PFX/P12 password protected package containing certificate and key.

Generate Stir/Shaken Token

With CreateSelfSignedStirShakenToken you can generate a Stir/Shaken Test Token without having to own a certificate at all. It creates internally a one time certificate to sign the token. The returned Token can be validated with the function ValidateStirShakenToken.

If you own a certificate and private key you can use the function CreateStirShakenToken to generate a Token. Depending on the availability of the public part of the certificate it can be validated with ValidateStirShakenToken.

Validate Stir/Shaken Token

Validation of exiting Tokens might be the most important function for most users. To be able to validate a Token the public certificate of the signer has to be downloaded.

Note: As many Stir/Shaken participants do not have their public certificates downloadable worldwide this function might fail to validate those Tokens!

The validation function ValidateStirShakenToken is available at


Additionally to the above web services we offer also simple REST APIs. For example to integrate Stir/Shaken in popular systems such as Asterisk, FreePBX, etc.

Out simple RESTful-compliant STIR/SHAKEN Token Request API can be accessed via HTTPS using an API Key. If you have a registered identity on our platform you can obtain this API Key fully automatically. For testing purposes just request one from:

Note: When using an API Key for testing the signing certificate will be a self-signed test certificate!

All results of the above API are returned as JSON.

Below, please find the endpoints and examples:


Method: GET


  • ToNumber: Any correctly formatted telephone number.
  • FromNumber: Any correctly formatted telephone number.
  • Attestation: A, B or C


  • x-api-key: Your API key.

Sample Request Without Attestation Level: (do not forget to transmit your API Key)

Sample Request With Attestation Level: (do not forget to transmit your API Key)



What do the response values mean?

  • RequestGuid: a unique identifier assigned to this request. 
  • AccountGuid: a unique identifier assigned to your account.
  • ToNumber: The phone number sent in the ‘ToNumber’ parameter.
  • FromNumber: The phone number sent in the ‘FromNumber’ parameter.
  • IPAddress: The IP address where the request originated from.
  • Identity: The token assigned to the phone call.
  • CAID: The unique identifier assigned to this token.
  • AttestationLevel: The attestation level associated with the FromNumber.
  • RequestedAt: When we received the request to provide a token.
  • CompletedAt: When the request finished processing.
  • ProcessingTime: How much time, in milliseconds, this request required.

Important: If a validation returns attestation “A” or “B” AND the Salt and/or Pepper have been defined the anonymous CBAN Hash is being calculated and published in the CBAN System.

Questions? Just contact