Inbound SIP URI

Bandwidth Inbound SIP URI provides a SIP endpoint that allows your existing SIP infrastructure (PBXs, SIP clients, contact center platforms, and third-party SIP services) to originate calls into the Bandwidth voice network, authenticated against your account. SIP URIs are configured on a per-Voice Application basis and secured by SIP digest password authentication, a source-IP allow list (CIDR-based), or both.

Inbound SIP URI can be enabled, disabled, and scoped to allowed regions and source IPs via the Voice Application Management API or through the Bandwidth App. Traditional PSTN inbound reaches Programmable Voice through an SBC and the carrier network. Inbound SIP URI is an over-the-top (OTT) entry point: calls arrive directly from your SIP infrastructure over the public internet and are handed to the same Programmable Voice call-handling flow already configured on your Voice Application.

How it Works

A SIP URI is an attribute of a Bandwidth Voice Application. Voice Applications are the container that holds your Programmable Voice configuration (callback URLs, fallback handlers, inbound SIP settings, and more). When you enable inbound SIP calls on a Voice Application, Bandwidth:

  1. Generates a SIP URI for the application (e.g. sip:479fbd44-3362-45f3-bb80-284f21111be4@sip-uri.voice-api.bandwidth.com).
  2. Applies the auth mechanisms you configured — digest password authentication (passwordAuthEnabled), a source-IP allow list (allowedSourceIps), or both.
  3. Returns a one-time sipAuthPassword in the API response when password auth is enabled.
  4. Optionally limits authentication to the set of allowedRegions you specify.

Your SIP client authenticates against the returned URI using the generated password, by matching an allow-listed source IP, or both. Calls placed through the SIP URI fire the same initiate webhook configured on the Voice Application, and your backend responds with BXML to control call flow.

Auth Modes

Inbound SIP URI supports four auth mode combinations. At least one auth mechanism must be configured when inbound SIP calls are enabled.

| passwordAuthEnabled | allowedSourceIps   | Behavior                                          |
|---------------------|--------------------|---------------------------------------------------|
| true                | []                 | Password-only (digest auth via 407 challenge)     |
| true                | ["203.0.113.0/24"] | Password + IP check (must pass both)              |
| false               | ["203.0.113.0/24"] | IP-only (no 407 challenge, source IP must match)  |
| false               | ["0.0.0.0/0"]      | Wide open — explicit customer choice, use with care |
| false               | []                 | Rejected — at least one auth mechanism required   |

Architecture

The Inbound SIP URI service is fronted by two pools of public servers operated by Bandwidth:

  • Signaling: terminates SIP signaling (INVITE, authentication, and call routing).
  • Media: handles RTP media for calls accepted through the signaling tier.

Customers connect to published DNS records that resolve to the current set of signaling instances. Because the server pools are managed by Bandwidth and can scale up or down at any time, DNS is the authoritative source of the current endpoint set. Do not hard-code individual IPs. See Connecting to Bandwidth in the Quick Start for the DNS records and CIDRs used, and Media Path and Firewall Rules for the egress rules your network must allow.

Key Concepts

  • Voice Application: the container that holds call-handling configuration, callbacks, and Inbound SIP URI settings. See Applications.
  • inboundSipCallsEnabled: master switch that enables or disables inbound SIP calling on a Voice Application. When false, the SIP URI and all auth config are cleared.
  • passwordAuthEnabled: controls whether SIP digest (407 challenge / password) authentication is used. Setting true generates a new password and returns it once in the enable response.
  • allowedSourceIps: list of CIDR blocks that are permitted to originate calls. Public IPv4 only, in canonical form, up to 25 entries. Default is empty. Supplying 0.0.0.0/0 makes the URI reachable from any source.
  • sipUri: the SIP URI generated when inbound SIP calls are enabled. null when disabled.
  • sipAuthPassword: password used to authenticate SIP requests. Returned only on the enable/rotate response. Bandwidth does not echo it on subsequent GET requests, so store it securely.
  • allowedRegions: list restricting where inbound SIP authentication is permitted. Empty list denies all regions.
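
The following pre-flight check classifies a passwordAuthEnabled / allowedSourceIps pair according to the Auth Modes table and applies the allowedSourceIps constraints listed above (public IPv4, canonical form, up to 25 entries). It is an added example, not Bandwidth code: the function names, the reading of "canonical" as "no host bits set and written exactly as the network prints", and the list of ranges treated as non-public are assumptions.

```python
import ipaddress

MAX_ENTRIES = 25  # page: "up to 25 entries"
# Assumption: ranges treated as non-public for the "Public IPv4 only" rule.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")]


def check_entry(cidr):
    """Return a problem string for one allowedSourceIps entry, or None."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set
    except ValueError as exc:
        return f"{cidr}: not a valid CIDR block ({exc})"
    if net.version != 4:
        return f"{cidr}: IPv4 only"
    if str(net) != cidr:
        return f"{cidr}: not canonical, expected {net}"
    if any(net.subnet_of(r) for r in NON_PUBLIC):
        return f"{cidr}: not a public range"
    return None


def review_settings(password_auth_enabled, allowed_source_ips):
    """Classify the auth mode per the Auth Modes table and list findings."""
    findings = [p for p in map(check_entry, allowed_source_ips) if p]
    if len(allowed_source_ips) > MAX_ENTRIES:
        findings.append(f"{len(allowed_source_ips)} entries exceeds {MAX_ENTRIES}")
    open_to_all = "0.0.0.0/0" in allowed_source_ips
    if open_to_all:
        findings.append("0.0.0.0/0 matches any source IP")
    if password_auth_enabled:
        mode = "password+ip" if allowed_source_ips else "password-only"
    elif not allowed_source_ips:
        mode = "rejected"  # at least one auth mechanism is required
    else:
        mode = "wide-open" if open_to_all else "ip-only"
    return mode, findings


if __name__ == "__main__":
    # Constructed sample: host bits set, a private range, and a bare address.
    sample = ["203.0.113.5/24", "10.1.0.0/16", "203.0.113.7"]
    mode, findings = review_settings(False, sample)
    print(mode)
    for finding in findings:
        print(" -", finding)
```

Running it against a settings change before it is submitted surfaces an IP-only application whose allow list would be rejected or wider than intended.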

Use Cases

  • Bridging an on-prem PBX, carrier, or SBC to Bandwidth for termination into the PSTN.
  • Connecting a contact-center platform or softphone directly to your Programmable Voice application without writing REST glue code.
  • Integrating a third-party SIP-based AI or IVR service with your Bandwidth-hosted voice flows.

Managing Inbound SIP URI

Inbound SIP URI can be configured two ways:

  • Bandwidth App: navigate to your Voice Application and toggle inbound SIP calling, choose an auth mode, and manage your allowedSourceIps. The UI surfaces the generated URI and password when password auth is enabled.
  • Voice Application Management API: programmatically enable, disable, and scope inbound SIP calling. See the API Reference and the Quick Start Guide for end-to-end examples.