- What: Secure your Plivo voice applications by controlling who can place inbound SIP calls, and authenticate outbound calls to SIP providers that require credentials
- How: Assign an IP ACL, SIP credential, or both to your Plivo Application via the Application API. For outbound, pass credentials in Dial XML or the Make Call API.
- Key concept: Inbound auth resolves from the SIP Request-URI (
sip:{app_id}@app.plivo.com), not the To header. Your SIP provider must send INVITEs to the application’s SIP URI for auth to apply. - Note: Rate limiting protects against brute-force: 10 failed attempts from the same IP in 60 seconds triggers a 60-second lockout.
Three Authentication Capabilities
Inbound Authentication
Inbound authentication protects your Plivo Application from unauthorized SIP calls. You configure it by assigning a credential, IP ACL, or both to your Application.Three Options
How Inbound Authentication Works
Setup Steps
1
Create a credential and/or IP ACL
Use the SIP Authentication API to create:
- A SIP credential with username and password (
POST /SipAuth/Credential/) - An IP ACL with a name (
POST /SipAuth/IpAccessControlList/), then add IP entries (POST /SipAuth/IpAccessControlList/{uuid}/Entry/)
2
Assign to your Application
Update your Application via the Application API by setting
sip_auth_type and the corresponding credential_uuid and/or ip_acl_uuid.3
Test
Make a test SIP call to your application’s SIP URI (
sip:{app_id}@app.plivo.com) and verify it succeeds with valid auth and fails without.To confirm auth is running, check for the SIPAuthType parameter in your answer_url callback (see Callback Parameters below).Callback Parameters
When authentication succeeds, youranswer_url callback receives these additional parameters:
If you don’t see
SIPAuthType in your callback, auth is not running. The most common cause is the SIP provider placing a phone number in the Request-URI instead of your app_id — see the Warning at the top of this page.
Rate Limiting and Lockout
To protect against brute-force attacks, Plivo enforces rate limiting on failed authentication attempts:- Both IP ACL denials and credential denials increment the same per-source-IP failure counter.
- Once the counter crosses 10 failures, every subsequent call from that IP is rejected with
403 Forbiddenfor the remainder of the counter TTL. - Updating the IP ACL to include the locked-out IP does NOT clear an active lockout. The IP stays locked until the counter TTL expires. This is by design.
- IP ACL changes propagate to the SIP edge within ~30 seconds (see FAQ below). During an active lockout, even a freshly allowed IP will be rejected until the counter expires.
Outbound Authentication
When making outbound calls to SIP providers that require authentication (responds with 401/407 challenge), provide credentials so Plivo can complete the digest handshake on your behalf.Before You Start
Confirm with your SIP provider:- Username and password for digest authentication
- Whether they use IP-based auth instead — if so, you don’t need to pass credentials; instead ask the provider to whitelist Plivo’s media server IPs
- Realm — Plivo handles realm matching automatically from the 407 response, so you generally don’t need to configure this
How Outbound Authentication Works
1
Plivo sends INVITE
Plivo sends a SIP
INVITE to the destination (e.g., sip:endpoint@provider.example.com).2
Provider challenges
Provider responds with
407 Proxy Authentication Required (or 401 Unauthorized).3
Plivo computes digest
Plivo automatically computes the digest response using the credentials you provided.
4
Plivo re-sends INVITE
Plivo re-sends the
INVITE with authentication headers.5
Call connects
Provider accepts and the call connects. If authentication fails, the call ends with hangup cause
sip_auth_failed (code 4240).Option 1: Dial XML
Pass credentials on the<User> element in your answer URL XML:
Option 2: Make Call API
Pass credentials when initiating an outbound call via the API:sip_auth_username and sip_auth_password are only accepted when to is a SIP URI.
Use Case: Transfer to Human Agent
A common use case is transferring an AI-handled call to a human agent. The agent typically sits behind a softphone, contact center software, or PBX that requires SIP authentication. See Transfer to Human Agent for the full workflow.Hangup Causes
When a call fails due to authentication, the CDR and hangup callback include a specific cause:
These values appear in the
HangupCauseName / PlivoHangupCause fields. CallStatus stays within the standard set (completed, busy, no-answer, failed, timeout, cancel).
Validation Limits
Reserved sipHeaders Prefixes
When using sipHeaders on <User> or <Number> elements within <Dial>, or via the Make Call API sip_headers parameter, customer-supplied header keys with the following prefixes (case-insensitive) are silently dropped to prevent impersonation of Plivo-internal headers:
PH-, Plivo, FS-, SipAuth, ZT-, Twilio
The exact name ClientRegion is also reserved.
SIP Headers and Raw-Mode Rendering
When the inbound leg used SIP authentication, customersipHeaders are emitted on the outbound B-leg INVITE without the X-PH- prefix. For example, CustomerId=123 renders as X-CustomerId: 123 rather than X-PH-CustomerId: 123. This raw-mode rendering is automatic when SIP auth is enabled on the inbound leg.
Non-Auth Mode
Whensip_auth_type is empty (no authentication configured), inbound SIP calls still require the calling endpoint to be a registered Plivo endpoint as the SIP From user. Calls from unknown From users are rejected with 486 Busy Here.
Security
Plivo treats SIP credentials with the same care as account credentials:- Passwords are stored as one-way hashes (HA1) — never in plaintext
- Passwords are never returned in any API response
- SIP auth credentials are never included in CDR data or callback parameters
- Auth headers are stripped before forwarding calls externally
- Failed authentication attempts are rate-limited to prevent brute-force attacks
- All internal communication uses encrypted channels
- Always use HTTPS for your answer_url — Plivo sends callback parameters (including
SIPAuthUser) over HTTP to your server - Validate callbacks with
X-Plivo-Signature— verify that callbacks are genuinely from Plivo using Signature Validation - Beware of shared IPs — if your SIP provider is on carrier-grade NAT or a shared-IP platform, IP ACL alone may not be sufficient. Use
ip_acl_and_credentialfor defense in depth. - Monitor auth failures — track
sip_auth_failedhangup causes in your call logs to detect unauthorized access attempts
Troubleshooting
End-to-End Examples
Example 1: Secure inbound calls with IP whitelist
Example 2: Secure inbound calls with digest credentials
Example 3: Outbound call to an authenticated SIP trunk
FAQ
Can I use both IP ACL and credential auth together?
Yes. Setsip_auth_type to ip_acl_and_credential. The caller must pass the IP check AND provide valid credentials.
What happens if I delete a credential or IP ACL that’s assigned to an app?
The API returns a 400 error. You must first remove the assignment from the application by settingsip_auth_type to empty ("").
Can I update the password on an existing credential?
Yes. Send aPOST to the credential’s URL with just the password field. The username remains unchanged. The change takes effect immediately for all applications using that credential.
What realm is used for digest authentication?
The default realm isapp.plivo.com. This is included in the 407 challenge response. Plivo handles realm matching automatically during the handshake.
Can I set different auth for different apps?
Yes. Each application has its ownsip_auth_type, ip_acl_uuid, and credential_uuid configuration. You can reuse the same credential or IP ACL across multiple apps.
Does changing an IP ACL take effect immediately?
No. Changes propagate to the SIP edge within ~30 seconds. During that window, calls may still match the previous ruleset.Can I use a hostname in an IP ACL?
No. IP ACL entries require a valid IPv4 address. Hostnames are not supported.Can one app have multiple IP ACLs?
No. Each application can have at most one IP ACL and one credential assigned. To allow multiple IP ranges, add multiple entries to a single ACL (up to 50 entries).What’s the latency impact of SIP authentication?
IP ACL adds negligible latency (simple lookup). Credential auth adds one round-trip for the 407 challenge/response (typically under 50ms on well-connected networks).Can I rotate a password without call interruption?
Yes. Update the password on the credential via the API, then update your SIP client with the new password. There may be a brief window where calls using the old password fail.Related
- SIP Authentication API — Manage credentials and IP ACLs
- Application API — Assign auth to your application
- Voice API: Make a Call — Outbound auth via REST API
- Dial XML — Outbound auth via XML
- Firewall & Network Configuration — Plivo media server IPs
- Signature Validation — Verify callbacks are from Plivo
- Connect External Numbers — Route external numbers via SIP
- Transfer to Human Agent — Handoff AI calls to humans