CodeB Sovereign Communications Status ← Back to app
Public API · v1

Public APIs of CodeB Sovereign Communications.

Public, rate-limited integration endpoints are available for WebRTC signaling, contact forms, captcha and the OIDC discovery / token / activation flows. Administrative and platform APIs — /api.ashx for outbound AI calls, transcripts, routing, webhooks — require an admin OIDC Bearer or a scoped ak_-prefixed API key minted from the admin UI. All endpoints are CSRF-resistant, HMAC-signed where appropriate, and rate-limited at the host.

Hosted by: Aloaha Limited · one IIS site per tenant · the path is always /<name>.ashx on the tenant’s base URL (e.g. https://phone.codeb.io/signal.ashx). All endpoints honour the tenant by inspecting the request Host: header — no API key needed.

/api.ashxBearer required

Platform REST API v1 — outbound AI calls, virtual numbers, transcripts, inbound + outbound routing, webhook subscriptions. JSON in and out, every endpoint a single curl example. Auth via OIDC bearer or ak_ API key.

Read the REST API reference →

/signal.ashx

WebRTC signaling WebSocket + public health + camera list + bridge ring-push endpoints.

Read the API doc →

/oidc.ashx

Built-in OpenID Connect IdP — discovery, JWKS, authorize, token, end-session, revoke.

Read the API doc →

EU Wallet verifier

OID4VP 1.0 verifier endpoints — vp-start, vp-request, vp-response, verifier-metadata, SSO assertion. Both x509_san_dns and x509_hash Client Identifier Prefixes, caller picks per request.

Read the verifier API doc →

/contact.ashx

Drop a contact-form message into the IIS SMTP pickup directory. Captcha-gated.

Read the API doc →

/signup.ashx

Create a new (disabled) user; activation email follows. Captcha-gated, HA1-only.

Read the API doc →

/activate.ashx

Consume the one-time activation token sent by signup. Flips the disabled flag.

Read the API doc →

/captcha.ashx

Stateless math captcha used by contact + signup. HMAC-signed, no cookies.

Read the API doc →

/diag.ashx

Client-side WebRTC diagnostic log append. POST is public; GET is admin-gated.

Read the API doc →
Need an admin endpoint? Admin-only and OIDC Bearer-gated routes are documented inside the admin UI itself (visible only to signed-in admins on this host). The public API set on this page is the surface you can integrate against without provisioning a CodeB user.

Questions? Ask us · Index: All public APIs