Product

Gate every share five ways. Revoke any of them in one click.

Each share carries a 32-byte token, a watermark tied to the recipient, and up to five gates the governor sets per link: password, expiry, IP allowlist, origin allowlist, country allowlist, view cap, and email verification. The recipient opens a viewer that knows them. You see who opened it, when, and where they stopped reading.

The problem

A shared deck used to be a copy of the deck.

You sent the deck on Monday. By Wednesday you had no idea who else had seen it. By Friday a competitor knew the numbers on slide 7. The link you sent was the same link you sent every prospect. The PDF lived on a hundred desktops.

Shared decks deserve a delivery layer that respects the contents.

The mechanism

One share. One token. One recipient.

Every share is a first-class record in Codexroom. The token is 32 random bytes, base64url-encoded and indexed for fast lookup. The viewer at codexroom.com/v/<token> resolves the share, applies the watermark, and renders the deck slide by slide. The recipient sees this share only.

Codexroom keeps the cookie that proves the password scope at the path of the share, so verifying one share never grants access to another. Wrong tokens, expired shares, revoked shares, and wrong passwords all return the same generic page. The page stays quiet about which guess got closer.

The five gates

Layer the gates that fit the recipient and the deal.

Each gate is set per share, runs server-side before the deck renders, and writes to the audit log on every rejection. Leave a gate empty and Codexroom treats the share as open on that dimension. Combine them freely. The IP gate, the origin gate, and the country gate cost nothing in latency.

Password. A passphrase the recipient enters once. Hashed with argon2id, never stored in clear. Five attempts per minute per token, then the prompt rate-limits.

IP allowlist. A list of CIDR ranges. The share opens only from inside the firewall, the office network, or the VPN you nominate. The viewer page stays generic for any request from a disallowed range, so a probe never learns which IP would have worked.

Origin allowlist. A list of domains the share is allowed to load from. Use it for embeds inside a partner portal or a customer data room. Requests from any other origin land on the generic unavailable page.

Country allowlist. A list of ISO-3166 alpha-2 country codes. The share opens only from the countries you allow. Geography reads from Vercel's edge geo header at city resolution, and the gate fails closed when the country is unknown.

Email verification. The recipient enters their email on the viewer. Codexroom emails them a 6-digit code through Resend, valid for 15 minutes. They enter the code, the cookie is set path-scoped to the share, and the deck opens. Only the argon2 hash of the code lives in the database.

View cap. A maximum number of times the share can open. After the cap is reached, every subsequent request is a hard reject, including from the recipient who already opened it. Use it for the self-revoking pitchbook share that opens twice and then closes.

Every rejection writes a structured audit entry under one of: gate.ip_disallowed, gate.origin_disallowed, gate.country_disallowed, gate.max_views_reached, gate.email_unverified. The governor reads the rejection log on the analytics tab.
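A sketch of how such gates can be evaluated server-side, as an added example that is not Codexroom's own code: empty gates are skipped, unknown inputs fail closed, every rejection logs one of the events above, and the caller always gets the same generic page. The `Share` record, the function names, the gate order, and rejecting a missing or malformed origin are assumptions; the password and expiry checks are left out.

```python
import ipaddress
from dataclasses import dataclass, field
from urllib.parse import urlsplit

GENERIC_PAGE = "unavailable"  # one body for every rejection, whatever the cause

@dataclass
class Share:  # hypothetical record; an empty gate means "open on that dimension"
    ip_allowlist: list = field(default_factory=list)       # CIDR strings
    origin_allowlist: list = field(default_factory=list)   # lowercase hostnames
    country_allowlist: list = field(default_factory=list)  # ISO-3166 alpha-2
    max_views: "int | None" = None
    require_email: bool = False
    views: int = 0

def ip_allowed(ip, cidrs):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparseable client address: fail closed
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)

def origin_host(origin):
    try:
        return urlsplit(origin or "").hostname
    except ValueError:
        return None  # malformed Origin header: treated as no origin

def first_failed_gate(share, ip, origin, country, email_verified):
    """Return the audit event for the first failing gate, or None if all pass."""
    if share.ip_allowlist and not ip_allowed(ip, share.ip_allowlist):
        return "gate.ip_disallowed"
    if share.origin_allowlist and origin_host(origin) not in share.origin_allowlist:
        return "gate.origin_disallowed"
    country = (country or "").upper()  # unknown country never matches
    if share.country_allowlist and country not in share.country_allowlist:
        return "gate.country_disallowed"
    if share.max_views is not None and share.views >= share.max_views:
        return "gate.max_views_reached"
    if share.require_email and not email_verified:
        return "gate.email_unverified"
    return None

def open_share(share, audit, ip, origin=None, country=None, email_verified=False):
    event = first_failed_gate(share, ip, origin, country, email_verified)
    if event:
        audit.append({"event": event, "ip": ip})  # the reason goes to the log only
        return GENERIC_PAGE
    share.views += 1  # a real store needs an atomic increment here
    return "deck"
```

The reason for a rejection appears only in the audit list; the return value is identical for every failing gate, which is what keeps a probe from learning which condition it missed.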

The shape

What a share carries.

Recipient name. Free text. Drives the visible watermark and the analytics view.

Recipient email. Optional. Required when the email-verification gate is on.

Scope. Public, password-gated, or email-verified.

Expiry. Optional timestamp. After the expiry, the page is unavailable.

Status. Active, revoked, or expired. Revoked shares never re-open.

Watermark configuration. Visible style (confidential, draft, NDA, custom). Invisible fingerprinting on by default.

Gate configuration. Password, IP allowlist, origin allowlist, country allowlist, email verification, view cap. Any subset.

The lifecycle

Create. Send. Track. Revoke. Rotate. Audit.

Your team creates a share through the admin UI or through the MCP create_share tool. The reply is the URL. Every event writes to the audit log.

Rotate the token if the recipient name needs to change without losing the analytics on the share. Revoke if the deal moved or the recipient changed firms. Both actions write audit entries. Both actions take one click.

What changes

Sellers, partners, and operators get the delivery layer the deck always needed.

For sellers. A pre-built share per prospect. The right password. The right expiry. The right recipient name on the slide.

For brand and compliance. A trail from share to deck to slot to approver. Revocation that holds. Five gates the security team configures on day one.

For the recipient. A viewer that reads on any device, with a polish that suits the deck.

See it work

Open a sample share now.

See the viewer the way your recipient will see it. The watermark, the navigation, the analytics, the polish, the gates.