Sovereign · Identity-aware · Standards-first · Self-hosted

The sovereign AI, WebRTC and identity layer
for your existing telephony — or your own communications service.

Five integrated products from Aloaha Limited, Malta: the CodeB Credential Provider V2 for hardened Windows logon, an OpenID Connect + Passkeys identity provider, a live EU Digital Identity Wallet verifier, a programmable Voice AI platform with browser softphones and SIP bridge, and a sovereign Session Border Controller — running in production on the page you're reading. Augment what you already own (FRITZ!Box, Asterisk, FreePBX, carrier SIP, Teams Direct Routing), or build a fresh service on top. NIS2 / DORA / CRA / GDPR aligned. No cloud required.

Free during preview · 30-day no-limits grace · early-adopter pricing locked in · EU-hosted, no tracking pixels.

Five sovereign products, one integrated platform.

Ranked by where they create the most defensible value. Take one. Take all five. Run them next to anything you already own — carrier SIP, Teams Direct Routing, FRITZ!Box, Asterisk, FreePBX — or replace those pieces piecemeal on your own timeline.

01 · CodeB Credential Provider V2

Replace the Windows password tile.

The flagship of the CodeB line. Replaces the Microsoft password tile via the documented Credential Provider Filter interface — NFC, TOTP, PKI smartcards or USB tokens, as second factor or full passwordless. 100 % managed .NET. FIPS 140-2 enforceable by Group Policy. Windows 8 through Server 2025. No cloud, no telemetry, runs in air-gapped networks.

  • NFC, TOTP, PKI smartcards, USB tokens · second factor or fully passwordless
  • FIPS 140-2 enforceable by Group Policy
  • System Tray Edition · card-remove auto-lock
  • Tools Edition · standalone helpers, scriptable
  • Admin CLI · CSV-driven enrolment for hundreds of cards
  • Pairs with the CodeB IdP and EU Wallet verifier to extend Windows logon into single sign-on for your apps

02 · OpenID Connect & Passkeys IdP

A drop-in EU identity provider you can host yourself.

An OpenID Connect identity provider for Nextcloud, WordPress, Grafana, GitLab, Teams, AWS, Azure or your own apps — with Passkeys (FIDO2 / WebAuthn) and magic-links wired alongside. Per-tenant RS256 keys, PKCE-only flows, RFC 7662 introspection, RP-Initiated Logout. Server never sees plaintext passwords; the user's own device signs the assertion.

  • OIDC IdP · per-tenant RS256 keys · PKCE-only · RFC 7662 introspection · RFC 7009 revocation
  • Passkeys (FIDO2 / WebAuthn) · TouchID / Windows Hello / YubiKey · phishing-resistant
  • Magic-link sign-in & self-service password recovery
  • Identity claims propagate into the SIP, WebRTC and SBC layers below — a caller is the same subject as a logged-in user
  • Wallet-as-recovery: forgot-password via your EU Wallet

03 · EU Digital Identity Wallet validator

Accept verified EU Wallet credentials — today, in production.

One of the first self-hostable EU Digital Identity Wallet verifiers in operation. OID4VP 1.0, HAIP 1.0, SD-JWT VC. Live on this domain right now. Replace usernames and passwords with cryptographically verified EU-government-grade identity claims — for sign-in, account recovery, customer onboarding, KYC, age gating, healthcare attestations, public-sector portals.

  • OID4VP 1.0 verifier · HAIP 1.0 profile · SD-JWT VC and mDL credential formats
  • Cited by the Maltese Minister responsible for digital identity (2026-06)
  • Works with EUDI reference wallets and national pilots
  • Wallet sign-in, wallet recovery, wallet KYC at onboarding, wallet-bound consent for AI calls
  • REST API + signed webhooks for integration into any application

04 · Voice AI & PBX

Programmable, sovereign, carrier-independent Voice AI — not just an AI receptionist.

A self-hosted browser-and-SIP communications platform with a fully programmable Voice AI core. Per-number persona prompts, real-time multilingual conversations, scheduled outbound campaigns with conditional retries, human SIP transfer mid-call, signed transcripts and summaries emailed after every call, REST API initiation, HMAC-signed webhooks, pluggable AI engine, local TTS fallback, bring-your-own SIP carrier. WebRTC meetings + browser softphones + SIP gateway included.

  • Programmable Voice AI · per-vnum persona / prompt / voice / language
  • Outbound campaigns · scheduled, conditional retries, signed summary delivery
  • SIP REFER human-transfer mid-call · AI hands the caller to a hardphone or browser tab
  • REST v1 initiation + HMAC-signed webhooks · the AI is API-first
  • Pluggable AI Voice Engine · cloud or on-prem · local TTS fallback if the engine is unreachable
  • HD WebRTC meetings · browser softphones (SIP-over-WebSocket RFC 7118) · bring-your-own SIP trunk
  • Signed call recordings (forensic-grade ECDSA sidecar)

05 · Sovereign SBC

The identity-aware SIP/WebRTC layer between your apps and your telephony.

A self-hosted Session Border Controller folded into the same install as the meetings, identity and Voice AI. Sits at the boundary of your VoIP estate — in front of FRITZ!Box, Asterisk, FreePBX or your carrier trunk — and does the work classic SBC vendors sell as a standalone appliance, plus identity-aware policy that none of them ship. For telecom operators, CPaaS developers, white-label communications providers, companies embedding calls into portals, and vendors building specialist browser phones.

  • SIP normalisation, NAT traversal, integrated TURN (UDP / TCP / TLS) with ICE-Lite for hardphones
  • Native WebRTC ↔ SIP gateway · DTLS-SRTP ↔ RTP/SRTP · Opus ↔ G.711 transcoding
  • Identity-aware SIP · OIDC, Passkeys, EU Wallet claims resolve to the same tenant subject as REGISTER
  • Access control with CIDR + glob + per-tenant + private-IP bypass + brute-force auto-block
  • Signed CDRs + tamper-evident recordings (ECDSA-P256 sidecar)
  • Multi-tenant by domain · one bridge, isolated App_Data per tenant · hot-reloadable trunks and TURN config
  • BYO carrier · no vendor lock on the underlying telephony estate

Three ways to phone from your browser.

Same audio quality. Same call routing — internal extensions, AI agents, virtual numbers, external destinations all work identically. Pick whichever matches how your team already works, or run all three side by side. All are installable PWAs.

A · Office (CodeB native)

Full-featured CodeB Webphone.

The default browser softphone for CodeB tenants. Click-to-call, meeting handoff, in-room chat, screen share, presence. Talks to the bridge over the CodeB signalling channel — no third-party SIP library to learn.

  • One-click meeting handoff to/from a phone call
  • Presence, in-room chat, screen share built in
  • PWA install · works offline for sign-in shell

B · SIP.js

Bring your own RFC 7118 softphone.

For teams that already use the SIP.js library or want a pure standards-based path. Speaks SIP over WebSockets directly to the bridge. Real 3×4 dialpad with DTMF. Credentials in your browser’s localStorage — never on our servers.

  • Pure RFC 7118 · vendor-neutral SIP-over-WSS
  • SIP.js v0.21.2 from public CDN
  • PWA install · credentials never leave the device

C · JsSIP

Same standard, alternative library.

For teams that prefer the JsSIP library or already have integrations against it. Same RFC 7118 wire protocol, same dialpad UX, same browser-only credential storage. Pick whichever JS library your team already knows.

  • Pure RFC 7118 · vendor-neutral SIP-over-WSS
  • JsSIP v3.10.1 from public CDN
  • PWA install · credentials never leave the device

Live, on this very server

This page proves itself.

SIP fraud engine · built-in

An operator-curated Access Control system gates every inbound INVITE and every outbound dial. CIDR + glob + per-tenant + private-IP bypass + auto-blacklist on brute-force. Toll fraud doesn't reach your trunk.

EU Wallet verifier · live

Full OID4VP 1.0 end-to-end with SD-JWT VC + KB-JWT holder binding. Both x509_hash and x509_san_dns client identifier prefixes supported. Try it on logineu.html.

Open standards · 100%

RFC 6749, 7009, 7517, 7523, 7662, 8414, 9101, 9116, 9309. OID4VP 1.0. HAIP 1.0. WebAuthn L3. SIP over UDP/TCP/TLS. No proprietary protocol, no lock-in.

Hosted in · EU

Aloaha Limited — Malta-registered, EU-hosted. Zero tracking pixels, zero analytics SDKs, zero third-party CDN. RFC 9116 security.txt published.

Why this exists

Because EU sovereignty isn't a slogan.

Your data never leaves your infrastructure.

No US analytics SDK. No third-party CDN. The phone calls, the identity sign-ins, the Windows logon events — all stay on your server. The same binaries you run, you can audit. The AI Voice Engine is pluggable: local TTS auto-reply ships by default (no cloud at all); the real-time AI Voice Engine is operator-selected per tenant (local or your chosen cloud provider) so the data-path choice is yours.

NIS2 · DORA · CRA aligned by default.

Designed around the EU Cyber Resilience Act (Reg. 2024/2847), NIS2 and DORA from the first commit. Secure-by-default, vulnerability handling documented, security.txt published, atomic file writes with rolling backups everywhere.

Standards over lock-in. Always.

Every protocol we speak is RFC, W3C, OIDF or ISO. Every API is documented and curl-able. Every integration is BYO-anything: bring your own SIP trunk, your own AI engine, your own SMTP, your own IdP — or use ours. Walk away anytime.

One team. One product line. Real humans.

You email info@aloaha.com, you get a reply from the people who write the code. Aloaha Limited has shipped signing, PKI and secure communications software since 2003 — and dogfoods every product in production.

Your own free live tenant

Try it on your own domain. Free. In production.

Conference, Phone bridge, Voice AI and the OIDC + EU Wallet identity stack are fully multi-tenant. Every customer gets their own isolated tenant — their own users, their own trunks, their own admin UI, their own data on disk. Free to evaluate, live, on infrastructure you can verify.

Path A · You point the DNS

Bring your own subdomain.

Point an A record from your subdomain (e.g. phone.yourcompany.com) at our IP, then email us. We light up your tenant inside one business day — your domain, your Let's Encrypt certificate, your isolated admin console at phone.yourcompany.com/admin.html.

  • Your domain in every URL — full white-label feel
  • Your own SIP trunks, vnums, recordings, transcripts
  • Your own OIDC IdP signing keys (per-tenant RS256)
  • Zero data sharing with other tenants — HARD-isolated by host

Path B · We host the subdomain

Pick a name. We host it.

No DNS control needed. Suggest a tenant name and we provision <yourname>.codeb.io or <yourname>.aloaha.com for you, live, free, inside one business day. Same isolation, same admin console, same per-tenant data — just under our DNS.

  • Live within one business day — no infrastructure prep
  • Same multi-tenant isolation as Path A
  • Move to your own subdomain later, anytime, no data loss
  • Free evaluation period · no card, no contract, no auto-billing

Both paths give you a real production tenant — not a demo sandbox, not a screenshot, not a marketing trial that's artificially gated. The same multi-tenant code that runs phone.aloaha.com runs your tenant. The same ACL system that defends our trunks defends yours. Walk away anytime, take your data with you.

How it works

See the architecture, not just the screenshots.

Four canonical data flows, each one diagrammed end-to-end so an architect can verify our claims before booking a call. Every flow is on a separate page with two SVG diagrams — ingress and egress — sized for print and screen.

Each diagram is a static SVG — no client-side rendering, no third-party CDN, no JavaScript required. Open the page, hit Ctrl+P, hand the print-out to your architect.

Three ways to start a conversation

Let's talk.

Whether you want a Credential Provider evaluation key, a 20-minute demo of the AI receptionist, an integration walkthrough for the OIDC IdP, or just to understand whether self-hosted CPaaS makes sense for your team — start here.

Replies within one business day. Email lands with humans, not a queue. Need an evaluation key for the Credential Provider? Add "eval key" to your subject — we ship one inside 24 hours.

Built and operated by Aloaha Limited, Malta-registered since 2003. CodeB Conference runs in production on this domain as the daily-driver phone and meeting platform for the team that develops it — dogfooded, not demoware.

Registered: Malta · Aloaha Limited · EU-hosted · no tracking pixels, no analytics SDKs · RFC 9116 security.txt published