CodeB Sovereign Communications Status ← Back to app
Public API

/activate.ashx · public API

Single-purpose endpoint that consumes the one-time activation token emailed by /signup.ashx. Hitting the URL exactly once flips the user's disabled flag and redirects to the login page.

The token is the only secret here. Anyone who can read the user's email can activate the account, by design — just like every consumer signup flow on the open web. Tokens are 43+ urlsafe-base64 characters, single-use, and expire after 7 days. Personal data handling is described in the public privacy notice.

GET /activate.ashx?token=<token> #

Consume a one-time activation token. The token was generated by /signup.ashx and sent to the user’s email. Hitting this URL flips the user's disabled flag to false and removes the token from the store.

Request

Query: token (43+ chars, urlsafe base64).

Response

200 text/html success page. The page contains a meta-refresh + JavaScript redirect to /login.html so a single click activates AND lands the user on the login screen.

Errors

400 friendly HTML page when the token is missing, malformed, expired (>7 days), already used, or the user record was deleted in the meantime.

Example (verified 2026-06-05)

# 1) The signup flow generates and emails a token; the link in the email is:
https://phone.codeb.io/activate.ashx?token=abc123…

# 2) The token is consumed on the FIRST GET; a second GET returns 400.
$ curl -i "https://phone.codeb.io/activate.ashx?token=invalid"
HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=utf-8
<!DOCTYPE html><html>…Activation link is invalid or expired…

Programmatic clients normally do not call this endpoint — the activation link is delivered to the user’s inbox and opened in a browser. The 200 success page contains a meta-refresh that lands the user on /login.html.

Token is single-use — even if leaked from the user’s inbox, it can be redeemed only once. Activation also triggers a one-shot Nextcloud-welcome email to the user (if configured).
Need an admin endpoint? Admin-only and OIDC Bearer-gated routes are documented inside the admin UI itself (visible only to signed-in admins on this host). The public API set on this page is the surface you can integrate against without provisioning a CodeB user.

Questions? Ask us · Index: All public APIs