Site discovery files · public API

Three conventional discovery files are served at fixed URLs that every web crawler and disclosure pipeline already knows to request: /robots.txt, /sitemap.xml and /.well-known/security.txt. On CodeB they are per-tenant by request host: one IIS site per tenant, one canonical host per sitemap. No caller authentication, no parameters, no cookies.

Multi-tenancy by domain. CodeB ships one IIS site per tenant FQDN (see CPaaS). The discovery files honour the request Host: header, so each tenant's crawlers see only that tenant's URLs — never a sister tenant's.

GET /robots.txt

Standard robots-exclusion file (RFC 9309). The Sitemap: line is rewritten on every request to point at the same host the crawler asked on — or, if the operator has set Site:CanonicalHost in the tenant's appsettings.json, at that canonical override.

Request

No parameters, no headers. Anonymous.

Response

HTTP/1.1 200 OK
Content-Type:     text/plain; charset=utf-8
X-Build-Version:  2026-06-11-filfla-robots-dyn
X-Tenant:         phone.codeb.io
X-Canonical-Host: phone.codeb.io

User-agent: *
Allow: /

# … Disallow list (backend .ashx handlers, admin pages,
#       PWA support files) …

Sitemap: https://phone.codeb.io/sitemap.xml

The Disallow list is host-independent — it covers backend .ashx handlers, OAuth2 path aliases, tenant-scoped WebRTC + auth-flow pages, the admin / superadmin dashboards, and PWA support files. Only the trailing Sitemap: line varies between tenants.

Diagnostic headers

  • X-Build-Version — handler build slug. Bumped on every behaviour change. Smoke probes assert against it.
  • X-Tenant — the request Host: as parsed.
  • X-Canonical-Host — the resolved canonical host that ended up on the Sitemap: line.

Example

curl -i https://phone.codeb.io/robots.txt
curl -i https://aloaha.com/robots.txt    # different Sitemap: line

URL Rewrite serves /robots.txt from a dynamic handler under the hood. The public URL stays at /robots.txt for crawlers that only know the conventional location.

GET /sitemap.xml

XML sitemap generated by filesystem scan on every request, scoped to the request host. Customer-facing pages at the root and under /de/ are included; admin, tenant-scoped, auth-flow and PWA-support files are filtered out by a deny list that mirrors the robots.txt Disallow set. The result is cached in-process for 60 seconds per canonical host.

Request

No parameters, no headers. Anonymous.

Response shape

HTTP/1.1 200 OK
Content-Type: application/xml; charset=utf-8

<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9"
        xmlns:xhtml="http://www.w3.org/1999/xhtml">
  <url>
    <loc>https://phone.codeb.io/</loc>
    <lastmod>2026-06-13</lastmod>
    <changefreq>weekly</changefreq>
    <priority>1.0</priority>
    <xhtml:link rel="alternate" hreflang="en"
                href="https://phone.codeb.io/"/>
    <xhtml:link rel="alternate" hreflang="de"
                href="https://phone.codeb.io/de/"/>
    <xhtml:link rel="alternate" hreflang="x-default"
                href="https://phone.codeb.io/"/>
  </url>
  …
</urlset>

Per-page metadata

  • <loc>: https://<canonical-host>/<relative-path>.
  • <lastmod> — the HTML file's mtime, yyyy-MM-dd. Drift between disk and sitemap is bounded by the 60‑second cache.
  • <changefreq> + <priority> — heuristic per filename.
  • <xhtml:link rel="alternate"> — EN ↔ DE alternate emitted whenever a matching /de/<name> file is present on disk.

Canonical host resolution

  1. Site:CanonicalHost in App_Data/<host>/appsettings.json wins if present. Lets an operator point a sitemap at www.example.com instead of phone.example.com.
  2. Otherwise Request.Url.Host — the host the crawler asked on.

Example

curl -i https://phone.codeb.io/sitemap.xml

The on-disk file scan is the source of truth, not a hand-maintained sitemap list. Drop a new .html file at the root and within one minute it appears in /sitemap.xml — subject to the deny list. Conversely, anything on the deny list cannot leak into a sitemap by accident.
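
An added example (not CodeB's own code) of a smoke probe for two invariants stated above: the robots.txt Sitemap: line and every sitemap URL stay on the tenant's canonical host, and no path matched by a robots.txt Disallow rule appears in the sitemap. The function names, the Disallow rules and the sitemap entries are constructed, since the page elides the real list. Allow rules are ignored, which is safe for `Allow: /` because any matching Disallow is longer and takes precedence under RFC 9309.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SM = "{http://www.sitemaps.org/schemas/sitemap/0.9}"
XH = "{http://www.w3.org/1999/xhtml}"

def parse_robots(text):
    """Return (Disallow patterns, Sitemap URLs); assumes one 'User-agent: *' group."""
    rules, sitemaps = [], []
    for line in text.splitlines():
        key, _, value = line.split("#", 1)[0].partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "disallow" and value:
            rules.append(value)
        elif key == "sitemap":
            sitemaps.append(value)
    return rules, sitemaps

def blocked(path, rules):
    """RFC 9309 path match: '*' is a wildcard, a trailing '$' anchors the end."""
    def rx(rule):
        body = ".*".join(re.escape(part) for part in rule.rstrip("$").split("*"))
        return body + ("$" if rule.endswith("$") else "")
    return any(re.match(rx(rule), path) for rule in rules)

def audit(robots_txt, sitemap_xml, canonical_host):
    """Return findings; an empty list means both invariants hold."""
    rules, sitemaps = parse_robots(robots_txt)
    findings = ["robots Sitemap: line on foreign host: " + u
                for u in sitemaps if urlsplit(u).hostname != canonical_host]
    for entry in ET.fromstring(sitemap_xml).iter(SM + "url"):
        loc = (entry.findtext(SM + "loc") or "").strip()
        for u in [loc] + [a.get("href", "") for a in entry.iter(XH + "link")]:
            if urlsplit(u).hostname != canonical_host:
                findings.append("foreign host in sitemap: " + u)
        if blocked(urlsplit(loc).path or "/", rules):
            findings.append("disallowed path in sitemap: " + loc)
    return findings

# Constructed samples: these Disallow rules stand in for the page's elided list.
ROBOTS = "User-agent: *\nAllow: /\nDisallow: /admin\nDisallow: /*.ashx$\nSitemap: https://phone.codeb.io/sitemap.xml\n"
SITEMAP = ('<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">'
           "<url><loc>https://phone.codeb.io/</loc></url>"
           "<url><loc>https://phone.codeb.io/admin/users.html</loc></url>"
           "<url><loc>https://aloaha.com/pricing.html</loc></url></urlset>")

if __name__ == "__main__":
    print("\n".join(audit(ROBOTS, SITEMAP, "phone.codeb.io")))
```

Run it against each tenant host in turn; a non-empty result on any host means a sister tenant's URL or a deny-listed path reached a crawler-facing file.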

GET /.well-known/security.txt

Coordinated-disclosure contact file per RFC 9116. Security researchers and automated disclosure pipelines should look here first.

Request

No parameters, no headers. Anonymous.

Response

HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8

Contact:             mailto:security@aloaha.com
Contact:             mailto:info@codeb.io
Expires:             2027-06-06T00:00:00.000Z
Preferred-Languages: en, de
Canonical:           https://phone.codeb.io/.well-known/security.txt
Policy:              https://phone.codeb.io/privacy.html
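
An added example (not CodeB's own code) that checks a fetched security.txt against RFC 9116: Contact present, exactly one unexpired Expires no more than a year ahead, and a Canonical field that lists the URL the file was actually fetched from, which matters when several tenant hosts serve the file. The sample body is the response shown above; the function names and the clock value are assumptions, and PGP-signed files are not handled.

```python
from datetime import datetime, timedelta, timezone

def parse_fields(text):
    """Map lowercased RFC 9116 field names to their values, in file order."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.strip().partition(":")
        if sep and not name.startswith("#"):
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def parse_expires(value):
    """RFC 3339 timestamp -> timezone-aware datetime, or None if malformed."""
    try:
        when = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    return when if when.tzinfo else None

def validate(text, fetched_url, now):
    """Return the RFC 9116 problems found in a file fetched from fetched_url."""
    fields, problems = parse_fields(text), []
    if not fields.get("contact"):
        problems.append("Contact is required")
    expires = fields.get("expires", [])
    when = parse_expires(expires[0]) if len(expires) == 1 else None
    if when is None:
        problems.append("Expires must appear exactly once as an RFC 3339 time")
    elif when <= now:
        problems.append("Expires is in the past")
    elif when - now > timedelta(days=366):
        problems.append("Expires is more than a year ahead")
    canonical = fields.get("canonical", [])
    if canonical and fetched_url not in canonical:
        problems.append("Canonical does not list " + fetched_url)
    return problems

SAMPLE = """\
Contact:             mailto:security@aloaha.com
Contact:             mailto:info@codeb.io
Expires:             2027-06-06T00:00:00.000Z
Preferred-Languages: en, de
Canonical:           https://phone.codeb.io/.well-known/security.txt
Policy:              https://phone.codeb.io/privacy.html
"""

if __name__ == "__main__":
    now = datetime(2026, 6, 13, tzinfo=timezone.utc)  # constructed clock value
    print(validate(SAMPLE, "https://aloaha.com/.well-known/security.txt", now))
```

RFC 9116 says a file whose Canonical fields do not list the retrieval URL should not be trusted, so this body served unchanged on a second tenant host would fail the check.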

Disclosure expectations

  • Acknowledgement within two business days.
  • Substantive response or remediation within thirty days.
  • No paid bug-bounty programme; researchers who follow coordinated disclosure receive credit.

Example

curl -i https://phone.codeb.io/.well-known/security.txt

For full incident-handling posture see CRA / Cyber resilience. CodeB operators reporting under Regulation (EU) 2024/2847 should also wire their CSIRT into the Contact: addresses above.

Need an admin endpoint? Admin-only and OIDC Bearer-gated routes are documented inside the admin UI itself (visible only to signed-in admins on this host). The public API set on this page is the surface you can integrate against without provisioning a CodeB user.
