Good morning, Support Team, I am currently migrating the SIP trunks of our assistants to a BYO-SIP-Trunk model ("provider": "byo-sip-trunk"), and the process has been successful so far following your documentation. However, I’ve encountered an issue when creating a phone number with "provider": "byo-phone-number" and linking it to a trunk via "credentialId": "YOUR_CREDENTIAL_ID". Despite this association, I am still able to receive calls to the number from any SIP origin. My question is: How can I configure the BYO phone number to only accept calls originating from the SIP trunk associated with its credentials? I’ve configured the trunk using peer authentication, which is suitable for my use case. If any specific parameter needs to be set, I would appreciate if you could let me know which SIP header the sip.vapi.ia backend expects to receive in order to validate the source. Logs: Call from an external source Call ID 9008baa0-539a-4ae6-a996-86aa1c674e54 (should not be allowed). Call from my SIP Trunk BYO Call ID 8e16ea8b-7d6f-4b1b-967a-cfc4ad8e258e. Thank you for your support — I look forward to your guidance. Best regards, S.Caballero

Hi caballero330, To restrict incoming calls to a specific SIP trunk using a "byo-phone-number," you'll need to ensure that your provider's configuration only allows calls from the designated SIP trunk. The generic SIP setup in Vapi doesn't inherently restrict call sources, so this control must be enforced at the SIP provider level. 1. Verify your SIP provider settings: Ensure your provider's settings are configured to accept calls only from your Vapi SIP URI or the specific credentials associated with your "byo-phone-number." 2. Use IP whitelisting: If your SIP provider supports it, limit the IP addresses that can send calls to your trunk to only those associated with your Vapi configuration. 3. Configure Vapi Webhooks: Implement webhooks on events like "call.ringing" to manage call behavior programmatically by inspecting the call source and deciding whether to accept or reject the call. The required headers are the to: and from:

From: <sip:+1234567890@provider.com>
To: <sip:+1987654321@YOUR_CREDENTIAL_ID.sip.vapi.ai>

For more detailed steps on configuring your SIP provider and Vapi setup, you might find this [SIP Trunking guide](https://docs.vapi.ai/advanced/sip/sip-trunk) helpful.

Good morning, Kyle, What I want is to prevent a pseudo number from being dialed from any public IP address other than the one of my SIP trunk. Usually, setting type=peer is enough. I have tried enabling all possible authentication options in the SIP trunk and assigned the pseudo number to use my SIP trunk. However, I can still dial the number from any source. I'm sharing the anonymized SIP trunk and number data below so you can review them and see if anything is missing, or if it could be a bug in Vapi. [ { "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "orgId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "provider": "byo-sip-trunk", "createdAt": "2025-06-30T08:12:32.875Z", "updatedAt": "2025-06-30T08:12:32.875Z", "gateways": [ { "ip": "3x.2xx.2x.2xx", "outboundEnabled": true, "optionsPingEnabled": true } ], "name": "ANON_PBX", "outboundAuthenticationPlan": { "authUsername": "REDACTED_USERNAME", "sipRegisterPlan": { "domain": "example.com", "username": "REDACTED_USERNAME", "realm": "example.com", "publicIpInContactEnabled": true } }, "outboundLeadingPlusEnabled": false } ] { "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "orgId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "assistantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "number": "+00000000000", "createdAt": "2025-06-30T08:13:48.244Z", "updatedAt": "2025-06-30T08:15:50.982Z", "name": "+00000000000", "credentialId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "provider": "byo-phone-number", "numberE164CheckEnabled": false, "status": "active", "providerResourceId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "smsEnabled": true } Thank you very much. S. Caballero

This kind of configuration for restricting all domains except the one specified is something that must be performed on your SIP trunk. if type=peer isn't working, you can try editing the acl.conf and permit the range of IPs for the domain you are allowing. If you would like some more suggestions, please provide the specific SIP trunk you are using and we can look over some options

Good morning, I believe the instructions you provided may not be entirely correct. Outbound calls from VAPI to my trunk are working as expected, so that flow is fine. The issue arises when I make an outbound call to the number I have configured and assigned to a BYO SIP trunk. According to your explanation, the configuration of my trunk is affecting VAPI’s behavior, which doesn’t align with my understanding—my trunk’s configuration shouldn’t impact your end. Even so, I have deactivated my trunk, and I’m still able to reach the pseudo number when dialing it, which suggests that the call isn't actually going through my trunk. Based on the tests I've performed, everything indicates that this could be a bug on your side for this type of number. Could you please review and escalate it if necessary? Here’s the ID of my number so you can verify it: a9dc5e2e-2bdb-4c9b-9513-5cd07b0xxxxx Thank you very much.

Thanks for providing that info, we will look into it a little further

Good morning, my email is caballero330@gmail.com. You can write to me there, and I'd be happy to help with all the necessary testing, send you SIP traffic captures, and serve as a beta tester