Background
Setting up hosted STIR/SHAKEN certificate (via Telnyx) enables you to sign outbound voice calls with a PASSporT and identity header — this increases trust for your traffic. On the “hosted certificate” workflow you upload your certificate (and private key) to Telnyx, then associate it with your outbound voice profile, and finally verify the identity header.
The documentation focuses on the Mission Control Portal workflow for ease of setup.
Summary of steps in Mission Control Portal
Log into the Mission Control Portal.
Upload certificate & private key via the Portal UI.
Associate that certificate with your outbound voice profile via the Portal.
Validate that the identity header is being attached (via debug tools).
Note: The hosted certificate is priced at $100 per certificate, per month.
Also, be aware you’ll need your own certificate and private key (PEM-formatted) ready for upload.
Pre-requisites
Before you begin, make sure you have:
A Telnyx Mission Control Portal account with routing/voice permissions.
A valid STIR/SHAKEN certificate issued by your STI-CA (or your organisation), with public URL (
x5u) and the corresponding private key (un-encrypted, PEM format) ready.An outbound voice profile in Mission Control to which the certificate will be applied.
A US phone number on your account (for validation).
Access to the SIP Call Flow Debugging tool in the Portal (to inspect INVITE headers).
Step 1: Upload Your Certificate in the Portal
Explain: This is where you submit your certificate and private key via the UI.
Navigate to the Mission Control Portal → Voice → Settings and locate STIR/SHAKEN Hosted Certificates section.
Select your .pem Upload certificate .
Enter the x5u URL (the public URL of your X.509 certificate) and upload your private key (PEM format).
Click "Complete" to submit the form. Once successful, you should see a certificate record in the Portal.
Step 2: Associate the Certificate with the Outbound Voice Profile
Explain: After upload, assign it to the voice profile so outbound traffic uses the certificate.
In the same settings section switch to Outbound Voice Profiles.
Select the profile you want to configure for STIR/SHAKEN signing.
In the profile’s settings, find the STIR/SHAKEN certificate section.
From the dropdown or selector, choose the certificate you just uploaded.
Save the changes.
The outbound voice profile will now use the hosted certificate for generating PASSporTs and identity headers.
Step 3: Validate Signing & Identity Header
Explain: To confirm the certificate is working, perform a test call and inspect the INVITE header.
Set up a test SIP connection: assign a US phone number to the connection and enable “Receive SHAKEN/STIR Identity SIP header”.
From an outbound voice profile that is using the hosted certificate, initiate a call. Ensure the calling line identifier (CLI) is a US phone number on your account.
The call may fail (for the purpose of testing you can just examine the INVITE). According to docs, you may see a “Temporarily Unavailable (code: 480)” response.
Navigate to the Portal’s Debugging → SIP Call Flow Tool to inspect the INVITE message exchange.
In the SIP INVITE, locate the
Identity:header. It should look like:Identity:[LONG_STRING].[LONG_STRING].[LONG_STRING];info=<https://[YOUR_CERT_URL]>;alg=ES256;ppt="shaken"
Copy the JWT portion (
[LONG_STRING].[LONG_STRING].[LONG_STRING]) and decode it (you can use https://jwt.io). The JWT header and payload should reflect correct values such as the certificate’sx5u, algorithm etc.Extract the public key from your certificate and paste it into the JWT Signature Verification tool at jwt.io. It should verify as “Valid public key”.
Tips for Success
Ensure the public URL (
x5u) is reachable from Telnyx infrastructure (i.e., not behind a firewall that blocks access).Use the SIP Call Flow Tool soon after setting up to verify the
Identityheader is present — if it’s missing, check profile assignment or certificate validity.Consider rolling out the hosted certificate in a test environment before production.
Keep track of the certificate expiry and renewal — since you are using a hosted certificate but still your own certificate, you need to coordinate renewal with your STI-CA.
There is a cost of $100/month per certificate for the hosted solution — factor this into your budgeting.