JWS Header
The first segment of the JWS — describes the signing algorithm
and the PASSporT type. Per RFC 8588,
SHAKEN requires alg=ES256 and ppt=shaken.
Paste a SIP Identity header and get an annotated PASSporT
view — attestation level (A / B / C), origination and destination
claims, iat freshness, and the JWS header / signature
breakdown. Built for the telecom-specific claims that generic JWT
decoders don’t understand.
Everything runs in your browser. The text you paste is never sent to any server — no network requests, no analytics on input content, no logging. Safe to use on real production traces.
The first segment of the JWS — describes the signing algorithm
and the PASSporT type. Per RFC 8588,
SHAKEN requires alg=ES256 and ppt=shaken.
The second segment — the PASSporT claims defined in
RFC 8225
(base) and extended for SHAKEN in
RFC 8588.
orig, dest, and iat are
base PASSporT; attest and origid are
the SHAKEN extension.
The third segment — an ECDSA-P-256 signature over
base64url(header) + "." + base64url(payload).
Verifying it requires fetching the X.509 certificate at
x5u and validating its chain to a trusted STI-CA
root. This decoder does not perform signature verification
(a browser tool can’t reach internal certs and shouldn’t
leak the cert URL to a third-party service).
Parameters appended after the JWS in the SIP header line.
info should match x5u in the JWS
header; alg and ppt should match
their JWS-header counterparts. Mismatches are not invalid
per spec but often indicate a signer bug.
The Identity header (defined in
RFC 8224)
carries a JSON Web Signature whose payload is a PASSporT
(Personal Assertion Token,
RFC 8225).
STIR/SHAKEN (Secure Telephone Identity Revisited / Signature-based
Handling of Asserted information using toKENs) is the FCC-mandated
framework for combating illegal robocalling — every U.S. originating
carrier signs outbound calls with an attestation about the caller’s
right to use the originating TN.
STIR/SHAKEN gets a chapter-length treatment in Securing VoIP at Every Layer — including how to read signed Identity headers in a real call trace, validate attestation chains, and design a compliance posture that holds up under FCC audit.