IP allowlisting was slowing us down. Credential auth for SIP trunking is live!

SIP Digest Authentication is now available for Exotel SIP Trunking. If you’re integrating a Voice AI platform — ElevenLabs, LiveKit, Retell, Bolna, or others — this removes the biggest friction point in getting a trunk live.

The problem

Every new SIP integration started the same way. A developer would reach out: “Can you share the static IP to allowlist?”

Cloud Voice AI platforms don’t have static IPs. They run on shared AWS or GCP infrastructure with dynamic egress. The only workaround was collecting every possible egress IP range, adding all of them to the allowlist, and hoping cloud infrastructure didn’t change. When it did — and it does — calls failed in production. Debug for hours, add more IPs, repeat.

IP ACL was designed for on-premises PBX systems sitting in server rooms with fixed addresses. It was the wrong abstraction for cloud-native Voice AI, and it was adding days to every integration.

How Digest Auth works

When a SIP REGISTER or INVITE arrives at Exotel, we challenge it with a nonce. The provider computes a hash of username:realm:password combined with that nonce and sends it back. We verify. No plaintext password on the wire. No IP dependency.

The provider needs three things: user_name, password, and your Exotel SIP domain. That’s it.

Setup

Auth for all calls: credentials in the URL — https://API_KEY:API_TOKEN@SUBDOMAIN/...

India subdomain: api.in.exotel.com | Singapore: api.exotel.com

All POST/PUT requests require Content-Type: application/json.

1. Create the trunk

curl -s -X POST “https://${API_KEY}:${API_TOKEN}@api.in.exotel.com/v2/accounts/${ACCOUNT_SID}/trunks” \

-H “Content-Type: application/json” \

-d ‘{

“trunk_name”: “my_trunk_name”,

“nso_code”: “ANY-ANY”,

“domain_name”: “‘”${ACCOUNT_SID}”‘.pstn.exotel.com”

}’

trunk_name: alphanumeric + underscores, max 16 characters. Save the trunk_sid from the response.

2. Map a phone number (DID)

curl -s -X POST “https://${API_KEY}:${API_TOKEN}@api.in.exotel.com/v2/accounts/${ACCOUNT_SID}/trunks/${TRUNK_SID}/phone-numbers” \

-H “Content-Type: application/json” \

-d ‘{“phone_number”: “+91XXXXXXXXXX”}’

3. Create SIP digest credentials

curl -s -X POST “https://${API_KEY}:${API_TOKEN}@api.in.exotel.com/v2/accounts/${ACCOUNT_SID}/trunks/${TRUNK_SID}/credentials” \

-H “Content-Type: application/json” \

-d ‘{

“user_name”: “SIP_USER”,

“password”: “SIP_PASS”,

“friendly_name”: “voice_ai_platform”

}’

Save the credential id from the response — you’ll need it for deletion and rotation.

Give user_name, password, and ${ACCOUNT_SID}.pstn.exotel.com to your provider. For outbound SIP (Voice AI placing calls via Exotel to PSTN), this is all they need.

Exotel SIP edge — what to give your Voice AI provider

Transport	Host:Port
TCP	in.voip.exotel.com:5070
TLS	in.voip.exotel.com:443

Use the exact host and port Exotel assigns to your account. If we give you a different address during onboarding, use that one.

Adding inbound routing (PSTN → Voice AI)

For inbound calls — customer dials your Exotel number and lands on your Voice AI agent — add a destination URI pointing to your provider’s SIP endpoint:

curl -s -X POST “https://${API_KEY}:${API_TOKEN}@api.in.exotel.com/v2/accounts/${ACCOUNT_SID}/trunks/${TRUNK_SID}/destination-uris” \

-H “Content-Type: application/json” \

-d ‘{

“destinations”: [

{ “destination”: “your-provider.example.com:5061;transport=tls” }

]

}’

Then create an Exotel Flow with a Connect applet — set “Dial whom” to sip:<trunk_sid> (just the trunk SID with sip: prefix, not a full SIP URI). Map your Exophone to this flow.

Destination URI is for inbound routing only. Outbound SIP does not use it.

ACL — when to use it and when not to

IP allowlisting (/whitelisted-ips) is for providers that give you a single dedicated static egress IP. Add one IP per call, mask: 32. Exotel trunk ACL does not support CIDR range allowlisting.

curl -s -X POST “https://${API_KEY}:${API_TOKEN}@api.in.exotel.com/v2/accounts/${ACCOUNT_SID}/trunks/${TRUNK_SID}/whitelisted-ips” \

-H “Content-Type: application/json” \

-d ‘{“ip”: “203.0.113.50”, “mask”: 32}’

If your provider publishes shared or dynamic egress ranges — use digest credentials, not ACL. Don’t mix both unless we’ve explicitly confirmed the behavior for your account. In multi-tenant egress setups, an active IP allowlist can interfere with digest auth in non-obvious ways.

Credential rotation without downtime

Create new credentials → save new id
Give new user_name and password to provider, confirm they work
Delete old credentials:

curl -s -X DELETE “https://${API_KEY}:${API_TOKEN}@api.in.exotel.com/v2/accounts/${ACCOUNT_SID}/trunks/${TRUNK_SID}/credentials?id=<credential_id>”

Both sets are valid simultaneously until you delete the old one. No service gap.

Rate limits

Trunk configuration APIs: 200 requests/minute. Outbound call initiation default: 200 attempts/minute at the account level. Contact your CSM if you need higher throughput.

Platforms we support

Documented and tested integrations via Exotel SIP Trunking:

ElevenAgents (ElevenLabs) — import Exotel DID in Phone Numbers, configure SIP digest matching your credentials, set Exotel edge as outbound address
LiveKit — SIP participant joins via Exotel trunk; configure authUsername/authPassword from your credentials
Retell AI — import Exotel as telephony provider, credentials go into termination config
Bolna Voice AI — Indian-first platform with Hindi and regional language support; direct SIP trunk configuration
Pipecat (via Daily SIP) — open-source voice AI pipeline; configure Exotel as the SIP transport layer
Smallest AI (Atoms) — low-latency voice AI; trunk credentials in developer console
Vocallabs (Superflow B2B API) — voice automation platform; currently Alpha on Exotel
Rapida AI — AI agent platform with voice; SIP trunk for outbound calling
NLPearl.AI — conversational AI with native SIP support

Provider-specific guides: Voice AI Ecosystem docs | Integration scripts: AgentStream VoiceAIEcosystem on GitHub

Full API reference: SIP Trunking API Reference