Authentication and InstaCall

It is simple to add an InstaCall button to a webpage. However, allowing anonymous website visitors access to your SIP credentials can lead to fraud and theft. It’s important that InstaCall calls are configured to make SIP requests without being authenticated. OnSIP allows for two ways of doing this, using either anonymous user agents or unauthenticated user agents in an OnSIP domain.

Unauthenticated User Agents

By default, OnSIP accounts allow user agents to register and make SIP requests without being challenged for authentication. Such user agents can be used to create web calls with permissions to call any OnSIP endpoint or external destination. For example, you could direct it to call you or another user (, an application such as a queue (, or a third-party service ( Remember that PSTN calling always requires SIP credentials, so website visitors cannot use InstaCall to directly call the PSTN on your dime.

Since you can choose any SIP address in your domain, you can also uniquely identify the context of the caller by choosing different SIP addresses for different web calls. For example, if you place a WebRTC button on your blog, you may choose a SIP address such as

Anonymous User Agents

While unauthenticated user agents are ideal for InstaCall, OnSIP domains with authentication enabled cannot make use of them. Instead, InstaCalls can assign an anonymous SIP address to each website visitor, such as anonymous.12345@anonymous.invalid.

Anonymous SIP addresses can only make requests; they cannot be called back by normal mechanisms. Since they use a non-OnSIP (and in fact, unresolvable) domain, user agents with an anonymous SIP address may invite only OnSIP SIP addresses, such as you or another user ( or an application such as a queue (, but not a third-party service (, nor the PSTN. Other destinations will be blocked.

To configure InstaCall to use an anonymous SIP address, simply do not assign a From URI. By default, InstaCall will generate an anonymous SIP address at load time.

Never Use Authenticated User Agents

To reiterate, never use authenticated user agents as the From URI of an InstaCall. At best, any attempted call will be challenged for authentication and fail. Attempting to circumvent this by also adding SIP credentials is a bad idea; anybody using the InstaCall could then steal the credentials and pose as the user elsewhere. This can lead to fraud and theft, as the visitor will have full user access to your OnSIP account.

Topics: Developer Docs