How to sign up for CodeB with OIDC

Passwordless. Per-tenant. Sovereign. You'll be in the platform in ninety seconds, and your credentials never leave your device or your tenant's own IIS server.

Passkey ready EU Wallet accepted Magic-link fallback No password required
1

Open your tenant's sign-in page

Every CodeB tenant runs on its own subdomain. Yours will look like login.your-company.com or phone.your-company.com. If you don't have a tenant yet, start one for free at get-your-tenant.html — two minutes, no card required.

Tip: bookmark the page or add it to your phone's home screen. CodeB is a Progressive Web App, so the icon behaves like a native app after the first visit.
2

Pick a sign-in method

CodeB is passwordless by default. Choose whichever fits best — you can add more methods later from your account settings.

🔑 Passkey (FIDO2 / WebAuthn)

Touch ID, Windows Hello, or a hardware key. Fastest. Most secure. Nothing to remember, nothing to phish.

Recommended for regulated environments

📧 Magic-link email

We send a one-time URL to your inbox. Click it, you're in. Link expires after five minutes and works exactly once.

Great for BYOD, contractors, guests

🇩🇪 EU Digital Identity Wallet

Present a verified credential from your EU Wallet via OID4VP. Instant KYC-grade identity for verified EU citizens.

NIS2 + eIDAS 2.0 compliant

🔒 Corporate SSO (federated OIDC / SAML)

If your admin has federated an upstream identity provider (Azure AD, Okta, Keycloak, ADFS), you'll see it as a "Sign in with <your company>" button.

Zero new credentials for enterprise users
3

Complete the challenge

Depending on the method you chose:

  • Passkey: your browser prompts for Touch ID / Windows Hello / your security key. Approve. Done.
  • Magic-link: we send the email through your tenant's local SMTP pickup directory — no third-party mail relay. Check your inbox, click the link.
  • EU Wallet: your wallet app opens with an OID4VP presentation request. Review the requested claims (usually just given_name, family_name, date_of_birth), tap Accept.
  • SSO: your upstream identity provider handles it exactly as it handles every other SSO login. You bounce back to CodeB signed in.
Behind the scenes: the OIDC provider issues a signed RS256 access token with your OIDC sub claim, your tenant, your roles. The token lives in the browser session only and expires in one hour.
4

Confirm your profile

First sign-in shows a one-screen profile confirmation:

  • Display name — what other people see in calls and chats.
  • Nickname (optional) — used as the caller-ID display when you dial outbound.
  • Preferred language — CodeB ships in English and German; the tenant admin can add more.
  • Additional passkeys (optional) — add your work laptop, your phone, your hardware key.

Everything you enter goes straight into App_Data/<tenant>/users/<your-login>.json on your tenant's IIS server. Nothing is uploaded elsewhere.

5

Start using the platform

The office.html shell opens with your phone widget, meeting rooms, chat channels, and admin tiles (if you're an admin). Everything you need is one click from here.

# First sign-in, terminal-style preview: codeb> welcome, alice codeb> tenant = login.your-company.com codeb> auth = passkey (Touch ID, iPhone) codeb> roles = user, oncall codeb> sip-jid = alice@login.your-company.com codeb> ext = 610 codeb> ready. type '?' for help.
Install as a PWA: in Chrome / Edge / Safari, look for the install icon in the address bar and add CodeB to your dock, taskbar, or home screen. Push notifications for incoming calls and chat messages work out of the box on desktop and Android; iOS requires iOS 16.4+.
Start a free tenant → Read the OIDC deep-dive Call us on 610

Frequently asked questions

Do I need a password?

No. CodeB is passwordless by default. You sign in with a passkey, a magic-link email, or an EU Digital Identity Wallet. If a tenant administrator explicitly enables it, you can also set an optional password as a fallback, but the platform never requires one. Passwords are stored dual-hashed (SIP HA1 + PBKDF2), never in plaintext.

Where is my account stored?

On your tenant's own IIS server, under App_Data/<tenant>/users/<your-login>.json. Not in a shared cloud database. Not in a vendor's directory. Every tenant is a physically separate folder tree on your own hardware, and the DR story is a single-folder file copy.

Can I use my existing corporate SSO?

Yes. The CodeB OIDC provider can federate with any upstream OIDC or SAML identity provider (Azure AD / Entra ID, Okta, Keycloak, ADFS, Google Workspace, and so on). Your administrator adds the upstream in the OIDC clients admin page, and users sign in with their existing corporate account. No new credentials to remember.

What if I don't have a CodeB tenant yet?

Start a free tenant at get-your-tenant.html. You pick your subdomain, we provision an IIS site with your own OIDC provider, TLS certificate, TURN server, and every admin surface in about two minutes. No card required for the free tier.

Does CodeB ever see my password or my biometric?

No. Passkey biometrics never leave your device — the FIDO2 protocol uses public-key cryptography and only signs a challenge. Magic-link tokens are single-use, five-minute expiry, and never persisted after use. EU Wallet presentations arrive as signed VP tokens that we verify against the issuer trust list but never store. If you set an optional password, we hash it before it hits disk (both SIP HA1 and PBKDF2) — the plaintext is discarded in the same request.

Can external participants join without signing up?

Yes. Any OIDC-authenticated user can invite an anonymous participant to a specific meeting or chat thread via email or a signed hotlink. The invitee joins the scoped conversation without creating a full account. When the meeting or thread ends, the anonymous session expires.

Which browsers work?

Any browser that supports WebAuthn (all modern browsers, Chrome 67+, Firefox 60+, Safari 13+, Edge 18+). For meetings and chat, we recommend Chrome, Firefox, Edge, or Safari on the current major or previous major version. Native XMPP clients (Conversations on Android, Monal on iOS, Gajim on desktop) also work against the same tenant identity.

How do I add a second device?

Sign in on the second device using the same magic-link email or SSO flow. Once in, go to Account settings → Passkeys → Add a passkey. Your new device now has its own passkey, independent of the first — losing one device never locks you out of the other.

What roles are available?

User, admin (per tenant), and superuser (per host, break-glass only). Admins manage users, trunks, routes, prompts, recordings, and integrations from the admin.html shell. Superuser is reserved for on-server operators and never surfaces in the customer UI.

How do I delete my account?

Your tenant administrator can delete your user profile from the admin.html Users page. This removes App_Data/<tenant>/users/<your-login>.json and all associated passkeys. Per GDPR, you can also request full erasure of your call recordings, transcripts, and chat archives — the admin has one-click erasure tools for each.