Ranked by where they create the most defensible value. Take one. Take all five. Run them next to anything you already own — carrier SIP, Teams Direct Routing, FRITZ!Box, Asterisk, FreePBX — or replace those pieces piecemeal on your own timeline.
01 · CodeB Credential Provider V2
Replace the Windows password tile.
The flagship of the CodeB line. Replaces the Microsoft password tile via the documented Credential Provider Filter interface — NFC, TOTP, PKI smartcards or USB tokens, as second factor or full passwordless. 100 % managed .NET. FIPS 140-2 enforceable by Group Policy. Windows 8 through Server 2025. No cloud, no telemetry, runs in air-gapped networks.
- NFC, TOTP, PKI smartcards, USB tokens · second factor or fully passwordless
- FIPS 140-2 enforceable by Group Policy
- System Tray Edition · card-remove auto-lock
- Tools Edition · standalone helpers, scriptable
- Admin CLI · CSV-driven enrolment for hundreds of cards
- Pairs with the CodeB IdP and EU Wallet verifier to extend Windows logon into single sign-on for your apps
02 · OpenID Connect & Passkeys IdP
A drop-in EU identity provider you can host yourself.
An OpenID Connect identity provider for Nextcloud, WordPress, Grafana, GitLab, Teams, AWS, Azure or your own apps — with Passkeys (FIDO2 / WebAuthn) and magic-links wired alongside. Per-tenant RS256 keys, PKCE-only flows, RFC 7662 introspection, RP-Initiated Logout. Server never sees plaintext passwords; the user's own device signs the assertion.
- OIDC IdP · per-tenant RS256 keys · PKCE-only · RFC 7662 introspection · RFC 7009 revocation
- Passkeys (FIDO2 / WebAuthn) · TouchID / Windows Hello / YubiKey · phishing-resistant
- Magic-link sign-in & self-service password recovery
- Identity claims propagate into the SIP, WebRTC and SBC layers below — a caller is the same subject as a logged-in user
- Wallet-as-recovery: forgot-password via your EU Wallet
03 · EU Digital Identity Wallet validator
Accept verified EU Wallet credentials — today, in production.
One of the first self-hostable EU Digital Identity Wallet verifiers in operation. OID4VP 1.0, HAIP 1.0, SD-JWT VC. Live on this domain right now. Replace usernames and passwords with cryptographically verified EU-government-grade identity claims — for sign-in, account recovery, customer onboarding, KYC, age gating, healthcare attestations, public-sector portals.
- OID4VP 1.0 verifier · HAIP 1.0 profile · SD-JWT VC and mDL credential formats
- Cited by the Maltese Minister responsible for digital identity (2026-06)
- Works with EUDI reference wallets and national pilots
- Wallet sign-in, wallet recovery, wallet KYC at onboarding, wallet-bound consent for AI calls
- REST API + signed webhooks for integration into any application
04 · Voice AI & PBX
Programmable, sovereign, carrier-independent Voice AI — not just an AI receptionist.
A self-hosted browser-and-SIP communications platform with a fully programmable Voice AI core. Per-number persona prompts, real-time multilingual conversations, scheduled outbound campaigns with conditional retries, human SIP transfer mid-call, signed transcripts and summaries emailed after every call, REST API initiation, HMAC-signed webhooks, pluggable AI engine, local TTS fallback, bring-your-own SIP carrier. WebRTC meetings + browser softphones + SIP gateway included.
- Programmable Voice AI · per-vnum persona / prompt / voice / language
- Outbound campaigns · scheduled, conditional retries, signed summary delivery
- SIP REFER human-transfer mid-call · AI hands the caller to a hardphone or browser tab
- REST v1 initiation + HMAC-signed webhooks · the AI is API-first
- Pluggable AI Voice Engine · cloud or on-prem · local TTS fallback if the engine is unreachable
- HD WebRTC meetings · browser softphones (SIP-over-WebSocket RFC 7118) · bring-your-own SIP trunk
- Signed call recordings (forensic-grade ECDSA sidecar)
05 · Sovereign SBC
The identity-aware SIP/WebRTC layer between your apps and your telephony.
A self-hosted Session Border Controller folded into the same install as the meetings, identity and Voice AI. Sits at the boundary of your VoIP estate — in front of FRITZ!Box, Asterisk, FreePBX or your carrier trunk — and does the work classic SBC vendors sell as a standalone appliance, plus identity-aware policy that none of them ship. For telecom operators, CPaaS developers, white-label communications providers, companies embedding calls into portals, and vendors building specialist browser phones.
- SIP normalisation, NAT traversal, integrated TURN (UDP / TCP / TLS) with ICE-Lite for hardphones
- SIP-over-TLS (RFC 5630) for encrypted hardphone registration · per-trunk SDES SRTP (RFC 4568) on the carrier leg · persistent REGISTER-pinhole reuse (RFC 5626) so TLS phones survive NAT teardowns
- Any-to-any voice interop matrix · WebRTC browsers, SIP-over-WebSocket softphones (sip-js / JsSIP), classic UDP phones (MicroSIP, Asterisk) and TLS-registered hardphones (Yealink) reach each other through one bridge with full SDP rewriting + media transcoding
- Native WebRTC ↔ SIP gateway · DTLS-SRTP ↔ RTP/SRTP · Opus ↔ G.711 transcoding
- Identity-aware SIP · OIDC, Passkeys, EU Wallet claims resolve to the same tenant subject as REGISTER
- Access control with CIDR + glob + per-tenant + private-IP bypass + brute-force auto-block
- Signed CDRs + tamper-evident recordings (ECDSA-P256 sidecar)
- Multi-tenant by domain · one bridge, isolated App_Data per tenant · hot-reloadable trunks and TURN config
- BYO carrier · no vendor lock on the underlying telephony estate
06 · Team Chat
The messaging layer that stays inside your tenant.
Direct messages, group channels and file sharing — all served by your own IIS / bridge install, per-tenant isolated, OIDC-authenticated. No third-party gateway ever sees the messages. Real-time delivery over WebSocket, poll fallback for restrictive networks, drag-and-drop uploads up to 20 MB, and an offline-catch-up email if a teammate has unread messages after 24 hours away.
- Direct messages + group channels · per-tenant isolated under App_Data
- Real-time WebSocket delivery · poll fallback works behind restrictive networks
- File attachments up to 20 MB · drag-and-drop · images preview inline
- OIDC-authenticated senders · identity clamped server-side, no spoofing
- Offline catch-up email · if a user is offline ≥24 h with unread messages
- Embeddable widget · drop "Chat with us" into any tenant page (visitor pairing via HMAC invitation)
- Unified bubble · in-meeting chat and standalone chat share one visual style across every surface
- Meeting archives · signed-in users get an auto per-day, per-room record of what they said in the room chat, browseable from chat.html (guests stay ephemeral)
- Full REST + WS API · automate bots, hook into CRMs, script announcements
07 · Business Intelligence
Property Management System that publishes its own website — and uses your phone system.
A full PMS for short-let, holiday-let and hotel operators, running inside the same CodeB tenant as your phone system.
Real-time ops dashboard, revenue analytics, housekeeping, guest inbox and owner statements —
and the public-facing property website is a live rendering of the same inventory, no separate CMS.
Meet, Chat and Call are the CodeB comms you already know. Multi-tenant, OIDC-authenticated, EU-hosted.
- Today dashboard · check-ins, check-outs, stay-overs, bookings, transactions · live
- Ops modules · arrivals, turnovers, guest inbox, housekeeping, issues, calendar, CDR, devices
- Revenue · revenue, cashflow, forecast, pick-up, pace, performance, owner statements
- Properties · occupancy, pricing, catalog, reviews, channels, guests, inventory · single source of truth
- Dynamic public website · auto-generated from Properties, per-tenant branding, leads capture, iCal sync
- Channel managers · Hostaway and RentalsUnited plug in natively, source picker in the top nav
- Meet · Chat · Call · the CodeB phone system, not a third-party embed
- Multi-tenant · each customer (or owner) on their own subdomain, per-tenant audit log