Confused By Concepts Behind Pjsip: Endpoint, Aor, Contact



I am slightly confused by the difference between chan_sip and pjsip. Especially the new (to me) objects aor and contact.

I am having trouble mapping them to the typical SIP configuration settings on a phone.

Suppose I have a phone with two line buttons, for two extension numbers. Now, I think that means two ‘endpoints’ in pjsip right? But what exactly is the difference between aor and contact? So why does aor have a max_contacts value?
And where do phone registrations fit in, where are those kept anyway?

I hope someone can shed some light for me here.

Thanks, Antonio

8 thoughts on - Confused By Concepts Behind Pjsip: Endpoint, Aor, Contact

  • There’s some info on the wiki here…

    Generally correct, if you set up 1 extension to 1 endpoint.

    AORs contain contacts. They can be permanent or dynamic. You’d define permanent contacts for trunks or devices where the peer IP address is known using the ‘contact’ parameter. If you don’t define any contacts, then dynamic is assumed and the aor/endpoint will accept inbound registrations.
    You’d use dynamic for most phones.

    If you’re accepting registrations, max contacts defines how many peers will be allowed to register. For most scenarios it’s 1 but you COULD have 2 devices register to the same endpoint. When a call is sent to that endpoint, the first available contact will be dialed.

    See above.

  • Thanks for responding,

    So basically, the ‘contact’ in the AOR is just an ip address (or ‘dynamic’, in which case it accepts incoming registrations).

    So what happens if one endpoint has multiple AOR’s which are registered from different ip addresses. And you Dial() that endpoint, will PJSIP send invites to all the ip addresses?

    Is there any practical use for such a setup?

    Also I notice, an AOR does seem to be directly correlated with an auth record, so why are they separate in the configuration, why not unify the aor and the auth objects?

    And, while I’m at it, in the realtime tables, the length of ps_endpoints.aors = 200, and the length of ps_endpoints.auths = 40. This suggests there are scenarios where there are aors, without corresponding auth. Can you mix dynamic and static AORs within one endpoint, and would there be a use case for that?

    Thanks, Antonio.

  • Antonio Gómez Soto wrote:

    A contact is a SIP term, it’s a way of getting to something. (IP

    If you use the PJSIP_DIAL_CONTACTS dialplan function a dial string will be produced which calls everything.

    It depends. If you don’t need them to be individually addressable then it can be useful.

    They aren’t at all. Auth = Authentication. Used to authenticate incoming calls/registrations/other stuff, or used to authenticate outgoing things. They are NOT the same. AOR is a name for reaching something.

    You can mix however you want.

    Joshua Colp Digium, Inc. | Senior Software Developer
    445 Jan Davis Drive NW – Huntsville, AL 35806 – US

  • Joshua,


    I did not mean they are the same, I meant that there seems to be a one-to-one relationship.

    So I am wondering, since the auth does seem useless without an aor, but an aor can exist without an auth, why was the auth object created in the first place, instead of extending the aor object with username/password/etc fields?

    I think auth’s only use would be when all the aor’s would register using the exact same credentials, and even then it would only save a small amount.

    But I bet you’re now going to say, those small amounts are going to add up..


  • Antonio Gómez Soto wrote:

    Auth is useless on its own but is used by many things – in fact it’s not even used directly by an AOR. It’s configured on an endpoint to do authentication of inbound traffic from that endpoint. It’s also used by outbound registration and outbound publish in response to challenges.

    While it would be possible to combine them you’ve now got duplicated stuff across different configuration items, both for configuration and also from an implementation perspective. As it is done right now *all* of the authentication is the same code for everything and there is no duplication. Fix a bug in it and you fix it for everything.

    I don’t understand what you mean.

    Joshua Colp Digium, Inc. | Senior Software Developer
    445 Jan Davis Drive NW – Huntsville, AL 35806 – US

  • Ok, thank you. One final question:

    I see that it’s possible to have multiple auth’s in an endpoint. For incoming traffic to be authenticated, how does pjsip know which auth to consider? By looking at the From: address in the SIP header, and matching that up with the auth id?
    For example if the From: header is <10000@>, will it find the AOR from the IP address, and the auth from the ‘10000’ ?


  • Antonio Gómez Soto wrote:

    Endpoints (remember, an endpoint is the configuration to use for traffic to/from a specific client) can be determined using a pluggable mechanism. Included are modules which determine the endpoint based on the From header, based on configured IP address matching rules, and finally one that just always uses a specific endpoint (used for anonymous). Once the endpoint is determined the auth to use is pulled from there.

    Joshua Colp Digium, Inc. | Senior Software Developer
    445 Jan Davis Drive NW – Huntsville, AL 35806 – US
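
The objects discussed in this thread, laid out as a pjsip.conf for a two-line phone plus an IP-identified trunk. This is an added example, not configuration posted by any participant; the section names, contexts, the 192.0.2.10 address and the passwords are constructed placeholders.

```ini
; pjsip.conf (constructed example; names, address and secrets are placeholders)
[global]
type=global
endpoint_identifier_order=ip,username,anonymous ; order identifier modules are tried

[transport-udp]
type=transport
protocol=udp
bind=0.0.0.0:5060

; Line button 1. With username identification the From user must equal
; the endpoint section name; the auth is then taken from that endpoint.
[6001]
type=endpoint
context=from-phones
disallow=all
allow=ulaw
aors=6001           ; where calls to this endpoint are sent
auth=6001-auth      ; credentials challenged on inbound requests
[6001]
type=aor
max_contacts=1      ; dynamic AOR: accept one registered contact only
remove_existing=yes ; a new registration replaces the old contact
[6001-auth]
type=auth
auth_type=userpass
username=6001
password=CHANGE-ME-LINE1

; Line button 2 would be a second endpoint/aor/auth set named 6002.

; Trunk at a known address: permanent contact, no registration, no auth.
[trunk]
type=endpoint
context=from-trunk
disallow=all
allow=ulaw
aors=trunk
[trunk]
type=aor
contact=sip:192.0.2.10:5060 ; permanent contact
[trunk-ident]
type=identify
endpoint=trunk
match=192.0.2.10    ; inbound requests from this IP map to [trunk]

; Dialplan, to ring every contact of an AOR:
;   Dial(${PJSIP_DIAL_CONTACTS(6001)})
```

Because the trunk endpoint has no auth, the `match=` rule is the only thing tying inbound traffic to it, so keep it as narrow as the peer's real address. Keeping `max_contacts` low on phone AORs limits how many devices can bind to an extension with one set of credentials.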