appliedbits
LIBRARY  ·  tools TOOL

PASSporT & Identity Header Decoder

A jwt.io-style decoder for STIR/SHAKEN, Rich Call Data (RCD), and diversion (div) PASSporTs — and the SIP Identity header(s) that carry them.

Paste one or more Identity headers (one per line) — a diverted call carries several. Everything runs in your browser. ● client-side only   Need to inspect the signing cert? Certificate & TNAuthList decoder →

Input

A SIP Identity header value (RFC 8224 §4: <JWT>;info=<x5u>;alg=ES256;ppt=…) or a bare PASSporT JWT (header.payload.signature). For a diversion chain, paste each header on its own line.

Examples:

What these are

SIP Identity header (RFC 8224). Carries a signed PASSporT plus parameters: info = the x5u URL of the signing certificate, alg (always ES256 for SHAKEN), and ppt = the PASSporT type extension. A single call can carry multiple Identity headers.

PASSporT (RFC 8225). A JWT with typ:"passport". The protected header names the cert (x5u by reference, or x5c embedded) and the type (ppt); the payload carries orig/dest (calling/called numbers), iat (issued-at / replay window), and type-specific claims.

SHAKEN (ATIS-1000074). Adds attest (A = full / B = partial / C = gateway) and origid (opaque originator UUID).

RCD — Rich Call Data (ppt:"rcd"). Adds an rcd claim (caller name nam, logo/JCard jcd/jcl) and often a crn (call reason) — the basis for branded calling.

Diversion (ppt:"div", RFC 8946). When a call is retargeted (forwarded), the diverting party adds a second div PASSporT — it does not replace the original SHAKEN PASSporT, it extends the chain. The div claim records the diverting number; each hop adds another header. So div is always read alongside the original token (use the diversion-chain example).

Note: "delegate" is a certificate concept (RFC 9060), not a PASSporT type — it lives in the cert's TNAuthList (a TN/range instead of an SPC). Decode and interpret that in the Certificate & TNAuthList decoder →.

Defect checks flag common problems (wrong alg, unknown ppt, bad attest, non-E.164 numbers, missing NANP leading "1", stale iat, non-HTTPS x5u). Signature verification and certificate chain validation are not performed here.