What Telnyx Customers Need to Know
The Federal Communications Commission (FCC) has issued new compliance requirements in its Eighth Report and Order concerning third-party authentication. These rules, which impact originating service providers (OSPs) with a STIR/SHAKEN obligation, will take effect as early as June 20, 2025. It is crucial for Telnyx customers to understand these requirements to ensure compliance and avoid potential service disruptions.
In this Report and Order, the FCC prohibits the use of “third-party authentication,” which it defines as an arrangement in which a provider subject to a STIR/SHAKEN implementation obligation under the Commission’s rules contracts with a third party to perform the technical function of signing calls on the provider’s behalf. The FCC limits permissible third-party authentication arrangements to those in which the provider subject to the STIR/SHAKEN implementation obligation: (1) independently determines attestation levels in accordance with STIR/SHAKEN technical standards, and (2) ensures that all calls are authenticated using its own certificate obtained from a STIR/SHAKEN Certificate Authority, rather than relying on a third party’s certificate. Any use of a third party to sign traffic without meeting these requirements constitutes a violation of the Commission’s caller ID authentication rules.
Additionally, the FCC mandates that any provider certifying to partial or full STIR/SHAKEN implementation in the Robocall Mitigation Database must be registered with the STIR/SHAKEN Policy Administrator, obtain its own SPC token from the Policy Administrator, use that token to generate a certificate with the Certificate Authority, and authenticate all calls using that certificate.
Who Is Required to Secure Their Own SPC Tokens?
The Eighth Report and Order clarifies that originating service providers (OSPs) with control over their network infrastructure must obtain a Service Provider Code (SPC) token from the STIR/SHAKEN Policy Administrator and then present that token to a STIR/SHAKEN Certificate Authority to obtain a certificate.
For Telnyx customers, this means:
If you exclusively use Telnyx numbers for both origination and termination, you do not need an SPC token.
If you use both Telnyx and another provider and either:
Send calls using numbers from another operator across our network, or
Send calls from Telnyx numbers across another provider’s network,
you will need an SPC token to properly sign and authenticate your calls.
If you only use a limited number of outside Verified Numbers, Telnyx will not require you to obtain an SPC token.
If you maintain multiple Public Switched Telephone Network (PSTN) relationships, you must obtain an SPC token.
If you intend to spoof caller ID, you may only do so if you are whitelisted for legitimate caller ID spoofing, and obtaining your own STIR/SHAKEN token will be required by June 20, 2025.
FCC Compliance and the Robocall Mitigation Database
The FCC maintains a record of originating, intermediate, and gateway service providers and their STIR/SHAKEN implementation status in the Robocall Mitigation Database (RMD). In the Eighth Report & Order, the FCC mandates that any OSP certifying that they have partial or complete STIR/SHAKEN implementation in the RMD must have an SPC token and digital certificate.
Pure resellers who do not have control over their network infrastructure cannot claim to have “Partial” or “Complete” STIR/SHAKEN Implementation in their RMD filings.
Instead, these providers must select “No STIR/SHAKEN Implementation” and include an explanatory note indicating their exemption due to a lack of control over the network infrastructure necessary to implement STIR/SHAKEN, pursuant to 47 CFR 64.6305(d)(2)(i).
If you have stated in the RMD that your company has “Complete” or “Partial” STIR/SHAKEN implementation, Telnyx will no longer be able to sign calls on your behalf.
If you have improperly certified and instead are a pure reseller with no control over the network infrastructure, you must update your RMD registration to properly reflect your status.
Next Steps
If you determine that you do qualify as an OSP with a STIR/SHAKEN implementation obligation, you must do the following under the new regulations:
Obtain your own SPC token from the official Policy Administrator (iconectiv).
Authenticate your calls with your own certificate.
Independently determine attestation levels in accordance with STIR/SHAKEN technical standards.
Disclaimer: The information provided in this Telnyx support article is for general informational purposes only and should not be construed as legal advice. Please consult with a qualified attorney for guidance on legal or regulatory compliance.