Sovereign · Self-hosted · Standards-first

Three products. One platform.
No cloud required.

A self-hosted phone system (PBX + AI receptionist + browser meetings), an OpenID Connect identity provider with live EU Wallet (EUDI) sign-in, and the CodeB Credential Provider V2 for hardened Windows logon — built and operated by Aloaha Limited in Malta, running in production on the page you're reading.

Talk to us → Call us in the browser info@aloaha.com

Replies within one business day · email lands with humans, not a queue · EU-hosted, no tracking pixels, no analytics SDKs.

The three things we ship.

Independent, integrable, sovereign. Take one. Take all three. Run them next to anything you already own.

01 · PBX

Browser meetings, Voice AI & SIP bridge.

A self-hosted communications and Voice AI platform on your own domain. Click-to-call from any web page. AI receptionists on your inbound DIDs. WebRTC meetings with signed recordings. Bridge to your existing FRITZ!Box, Asterisk, FreePBX or carrier SIP trunk. (Queues, voicemail, attended transfer and a mobile app are on the near-term roadmap.)

  • HD WebRTC meetings · peer-to-peer mesh by default; auto-promotes to a self-hosted SFU when client bandwidth tightens or rooms grow
  • AI receptionist with per-number persona prompts
  • Outbound AI campaigns · REST v1 + signed webhooks
  • WebRTC ↔ SIP bridge with BYO trunk + PAI/RPID
  • Signed call recordings (forensic-grade ECDSA sidecar)
  • Integrated TURN server (UDP / TCP / TLS)
Voice AI overview SIP & telecoms → Book a demo

02 · Identity

OpenID Connect, Passkeys & EU Wallet.

A drop-in OpenID Connect identity provider for Nextcloud, WordPress, Grafana, GitLab or your own apps. Passkeys (FIDO2/WebAuthn) and magic-links wired alongside. And one of the first self-hostable EU Digital Identity Wallet verifiers — live, OID4VP 1.0, SD-JWT VC, on this domain right now.

  • OIDC IdP · per-tenant RS256 keys · PKCE-only
  • Passkeys (FIDO2 / WebAuthn) · TouchID / Windows Hello / YubiKey
  • EU Wallet verifier · OID4VP 1.0 · HAIP 1.0 · SD-JWT VC
  • Magic-link sign-in & self-service password recovery
  • RFC 7662 introspection · RFC 7009 revocation · RP-Initiated Logout
  • Wallet-as-recovery: forgot-password via your EU Wallet
Identity overview EU Wallet API → Talk identity

03 · Credential Provider V2

Replace the Windows password tile.

The flagship product of the CodeB line. Replaces the Microsoft password tile via the documented Credential Provider Filter interface — NFC, TOTP, PKI smartcards or USB tokens. Second factor or full passwordless. 100 % managed .NET. FIPS 140-2 enforceable by Group Policy. Windows 8 through Server 2025.

  • NFC, TOTP, PKI smartcards, USB tokens
  • FIPS 140-2 enforceable by Group Policy
  • System Tray Edition · card-remove auto-lock
  • Tools Edition · standalone helpers, scriptable
  • Admin CLI · CSV-driven enrolment for hundreds of cards
  • No cloud, no telemetry, runs in air-gapped networks
CP V2 details & downloads Download (Tray Edition) Request eval key

04 · Sovereign SBC

SIP security gateway, EU-built.

A self-hosted Session Border Controller folded into the same install as the meetings, identity and Voice AI. Sits at the boundary of your VoIP estate — in front of FRITZ!Box, Asterisk, FreePBX or your carrier trunk — and does the work classic SBC vendors sell as a standalone appliance. Toll-fraud, NAT traversal, identity-aware SIP, signed CDRs, multi-tenant policy. Without per-seat SBC licences, without a separate identity vendor, without a US-cloud hop.

  • Access Control with CIDR + glob + per-tenant + private-IP bypass + brute-force auto-block
  • NAT traversal, Contact-URI rewrite, symmetric RTP, integrated TURN (UDP / TCP / TLS)
  • Native WebRTC ↔ SIP gateway · DTLS-SRTP ↔ RTP/SRTP · Opus ↔ G.711
  • Identity-aware SIP · OIDC, passkeys, EU Wallet resolve to the same tenant subject as REGISTER
  • Signed CDRs + tamper-evident recordings (ECDSA-P256 sidecar)
  • Multi-tenant by domain · one bridge, isolated App_Data per tenant
Sovereign SBC overview WebRTC ↔ SIP gateway → Talk SBC

Live, on this very server

This page proves itself.

SIP fraud engine

built-in

An operator-curated Access Control system gates every inbound INVITE and every outbound dial. CIDR + glob + per-tenant + private-IP bypass + auto-blacklist on brute-force. Toll fraud doesn't reach your trunk.

How the bridge protects you →

EU Wallet verifier

live

Full OID4VP 1.0 end-to-end with SD-JWT VC + KB-JWT holder binding. Both x509_hash and x509_san_dns client identifier prefixes supported. Try it on logineu.html.

Wallet verifier API →

Open standards

100%

RFC 6749, 7009, 7517, 7523, 7662, 8414, 9101, 9116, 9309. OID4VP 1.0. HAIP 1.0. WebAuthn L3. SIP over UDP/TCP/TLS. No proprietary protocol, no lock-in.

All public APIs →

Hosted in

EU

Aloaha Limited — Malta-registered, EU-hosted. Zero tracking pixels, zero analytics SDKs, zero third-party CDN. RFC 9116 security.txt published.

CRA / NIS2 / DORA posture →
Talk to us → Open the live status page Try a meeting now

Why this exists

Because EU sovereignty isn't a slogan.

Your data never leaves your infrastructure.

No US analytics SDK. No third-party CDN. The phone calls, the identity sign-ins, the Windows logon events — all stay on your server. The same binaries you run, you can audit. The AI Voice Engine is pluggable: local TTS auto-reply ships by default (no cloud at all); the real-time AI Voice Engine is operator-selected per tenant (local or your chosen cloud provider) so the data-path choice is yours.

NIS2 · DORA · CRA aligned by default.

Designed around the EU Cyber Resilience Act (Reg. 2024/2847), NIS2 and DORA from the first commit. Secure-by-default, vulnerability handling documented, security.txt published, atomic file writes with rolling backups everywhere.

Standards over lock-in. Always.

Every protocol we speak is RFC, W3C, OIDF or ISO. Every API is documented and curl-able. Every integration is BYO-anything: bring your own SIP trunk, your own AI engine, your own SMTP, your own IdP — or use ours. Walk away anytime.

One team. One product line. Real humans.

You email info@aloaha.com, you get a reply from the people who write the code. Aloaha Limited has shipped signing, PKI and secure communications software since 2003 — and dogfoods every product in production.

Your own free live tenant

Try it on your own domain. Free. In production.

Conference, Phone bridge, Voice AI and the OIDC + EU Wallet identity stack are fully multi-tenant. Every customer gets their own isolated tenant — their own users, their own trunks, their own admin UI, their own data on disk. Free to evaluate, live, on infrastructure you can verify.

Path A · You point the DNS

Bring your own subdomain.

Point an A record from your subdomain (e.g. phone.yourcompany.com) at our IP, then email us. We light up your tenant inside one business day — your domain, your Let's Encrypt certificate, your isolated admin console at phone.yourcompany.com/admin.html.

  • Your domain in every URL — full white-label feel
  • Your own SIP trunks, vnums, recordings, transcripts
  • Your own OIDC IdP signing keys (per-tenant RS256)
  • Zero data sharing with other tenants — HARD-isolated by host
Tell us your subdomain →

Path B · We host the subdomain

Pick a name. We host it.

No DNS control needed. Suggest a tenant name and we provision <yourname>.codeb.io or <yourname>.aloaha.com for you, live, free, inside one business day. Same isolation, same admin console, same per-tenant data — just under our DNS.

  • Live within one business day — no infrastructure prep
  • Same multi-tenant isolation as Path A
  • Move to your own subdomain later, anytime, no data loss
  • Free evaluation period · no card, no contract, no auto-billing
Suggest a tenant name →

Both paths give you a real production tenant — not a demo sandbox, not a screenshot, not a marketing trial that's artificially gated. The same multi-tenant code that runs phone.aloaha.com runs your tenant. The same ACL system that defends our trunks defends yours. Walk away anytime, take your data with you.

Request your free tenant → Email info@aloaha.com Call us in the browser

How it works

See the architecture, not just the screenshots.

Four canonical data flows, each one diagrammed end-to-end so an architect can verify our claims before booking a call. Every flow is on a separate page with two SVG diagrams — ingress and egress — sized for print and screen.

Flow 01 · Meetings

Your video never touches the server.

Browser-to-browser DTLS-SRTP over WebRTC; the server only relays signalling. Peer-to-peer mesh by default; auto-promotes to a self-hosted SFU on demand. See where media flows, where signalling goes, and where neither does.

View the meeting data flow →

Flow 02 · SIP bridge

Where the browser meets the phone network.

WebRTC ↔ SIP gateway with BYO trunk. PAI/RPID outbound caller-ID, multi-trunk priority, integrated TURN. Two diagrams: inbound from PSTN, outbound to PSTN.

View the SIP bridge data flow →

Flow 03 · Identity (OIDC)

Sign-in, end to end, no cookies.

OpenID Connect Authorization Code + PKCE through to refresh-token rotation, plus the EU Wallet (OID4VP) side path. Per-tenant RS256 keys, RFC 7662 introspection, RFC 7009 revocation.

View the identity data flow →

Flow 04 · Voice AI

AI on your trunk, prompts on your disk.

How a single inbound DID is mapped to a virtual-number persona, how the prompt is loaded, where the AI Voice Engine sits, and how the transcript ends up in your tenant's storage. Pluggable engine, fixed contract.

View the AI receptionist data flow →

Each diagram is a static SVG — no client-side rendering, no third-party CDN, no JavaScript required. Open the page, hit Ctrl+P, hand the print-out to your architect.

Three ways to start a conversation

Let's talk.

Whether you want a Credential Provider evaluation key, a 20-minute demo of the AI receptionist, an integration walkthrough for the OIDC IdP, or just to understand whether self-hosted CPaaS makes sense for your team — start here.

01

Send the form

Quick, captcha-gated, no account. Tell us your scenario; we'll come back with the right person and the right deck.

contact.html →

02

Email us directly

One business day for substantive replies. Forward a brief, attach a deployment diagram, send an RFP — whatever helps.

info@aloaha.com →

03

Call us in the browser

One click, WebRTC, no app to install, no number to dial. Rings the office during business hours CET. Uses the same SIP bridge we sell.

Click to call →

Replies within one business day. Email lands with humans, not a queue. Need an evaluation key for the Credential Provider? Add "eval key" to your subject — we ship one inside 24 hours.

Built and operated by Aloaha Limited, Malta-registered since 2003. CodeB Conference runs in production on this domain as the daily-driver phone and meeting platform for the team that develops it — dogfooded, not demoware.

Registered: Malta · Aloaha Limited· EU-hosted · no tracking pixels, no analytics SDKs· RFC 9116 security.txt published· Talk to us →

By industry: Hospitality· Healthcare· Law firms· Public sector· IT providers & resellers· Telecoms (EU Wallet)

CP V2· Voice AI· Identity· EU Wallet· All features· Public APIs· Pricing· Contact· Status· Imprint

Architecture diagrams: Meetings flow· SIP bridge flow· OIDC flow· Voice AI flow