Guides

Concepts & how things work

The reference tells you what to send. This page explains why — how a call moves through verification, what enrolling a voice actually does, and what each response property means.

On this page

The call lifecycle
How voice enrollment works
Voice authentication thresholds
Rejecting & un-enrolling a voice
Call detail properties
Activity status reference
Validation types

The call lifecycle

A reseller works inbound calls for a child institution. Each call is identified by a voiceId — Pindrop's identifier for that call's audio, and the handle you pass to every call-scoped endpoint.

Assign — POST /external/calls/assign links an inbound call (by phone number or existing voiceId) to a member (personId) and returns the voiceId.
Queue — GET /external/calls/queue lists calls awaiting verification, with optional search and date filters.
Inspect — GET /external/calls/{voiceId}/details returns the full call record: enrollment/verification flags, risk, and the Pindrop event log.
Decide — POST …/enroll to accept the caller's voice, or POST …/reject-voice to reject it.

How voice enrollment works

Enrolling a voice (POST /external/calls/{voiceId}/enroll) is how a reseller manually authenticates a caller and tells Pindrop to trust and keep that caller's voiceprint. A single call does several things atomically:

Records a verification for the member, tagged with the validationType you supplied (voice, OTP, KBA, …).
Tells Pindrop the interaction succeeded — it sends account-interaction feedback keyed by the account alias {institutionKey}-{personId} against this voiceId, with status SUCCESSFUL. This is what lets Pindrop enroll and reuse the voiceprint on future calls.
Applies the “Green Manual Authentication” policy to the call. This signals to Pindrop's call-end webhook that the enrollment should be preserved even if an automated voice-match rule would otherwise reject it.
Writes two activity records — AcceptCallerVoice (the reseller explicitly accepted the voice) and FullAuthentication (the caller is fully authenticated). The FullAuthentication activity is what stops the call-end webhook from discarding the voiceprint.

Net effect

After a successful enroll, the member's voiceprint is trusted in Pindrop and future calls from that member can be voice-authenticated automatically — no further manual verification needed.

Enroll a voice

curl -X POST https://api.getconfirmed.org/external/calls/<voiceId>/enroll \
  -H "SsoToken: <sso-token>" \
  -H "InstitutionKey: acme-cu" \
  -H "RequestedBy: jdoe" \
  -H "Content-Type: application/json" \
  -d '{ "personId": "00123", "validationType": "VoiceAuth", "notes": "Verified by agent" }'

→ { "success": true }

Voice authentication thresholds

Separately from the manual /enroll flow above, Pindrop runs its own passive voice biometrics on call audio. Two distinct checks govern this — one for creating a voiceprint (enrollment) and one for matching against an existing voiceprint (verification). Both require a low device risk_rating.

Scenario	Required conditions	Result
New enrollment (first voiceprint for a member)	`voiceStrength` = `100` and `risk_rating` = low	Pindrop applies its “Basic Enrollment Speech” enrollment policy, which flips `successfulVoiceEnrollment` = `true` on that phone call.
Voice verification (against an existing enrollment)	`voiceScore` ≥ `50` and `risk_rating` = low	The call is treated as voice-verified.

Note on voiceStrength

voiceStrength is the signal that gates a new enrollment (it must reach 100). It is not currently exposed through the Pindrop API, so it is not returned on the call-detail response — only its effect is observable, via successfulVoiceEnrollment flipping to true once enrollment succeeds.

Rejecting & un-enrolling a voice

POST /external/calls/{voiceId}/reject-voice is the inverse. It notifies Pindrop of a FAILED interaction, records a RejectCallerVoice activity, and — importantly — un-enrolls every prior manual authentication for that member: each earlier FullAuthentication activity is moved to FullAuthenticationUnenrolled, so Pindrop discards the previously trusted voiceprint. Use it when a caller's identity can't be trusted.

Call detail properties

Selected fields returned by GET /external/calls/{voiceId}/details. The reference lists the full schema; these are the ones whose meaning isn't obvious.

Property	Meaning
`voiceId`	Pindrop's identifier for the call audio; the handle used by all call-scoped endpoints.
`personId` / `valueForCore`	The matched member id and the core system's internal identifier for that member.
`isVoiceEnrolled`	A voiceprint exists in Pindrop for this member.
`isVoiceVerified`	The voice was verified on this call.
`isVoiceMismatch`	The caller's voice did not match the enrolled voiceprint — a fraud signal.
`successfulVoiceEnrollment`	Pindrop's enrollment-update webhook confirmed the voiceprint was enrolled on this call.
`isHighRiskDevice`	Pindrop's device analysis flagged the originating device as high risk.
`status`	The current activity status of the call (see the table below).
`hasVoiceMatchValidationRule`	The institution's active validation rule includes a voice-match requirement.
`metaData.pindropPolicies`	Policies applied to the call, e.g. `"Green Manual Authentication"`.
`pindropEvents`	The full event log received from Pindrop's webhooks for this call.

Activity status reference

The status on a call (and on individual activity records) is one of the following.

Status	Meaning
FullAuthentication	Caller fully authenticated (by voice or another method).
FullAuthenticationUnenrolled	A previous full authentication that has since been rejected / un-enrolled.
AcceptCallerVoice	The caller's voice was explicitly accepted.
RejectCallerVoice	The caller's voice was explicitly rejected.
RejectCallerVoiceFromValidationRule	An automated validation rule rejected the voice.
VoiceMismatch	The voice did not match the enrolled voiceprint.
AnsweredQuestions	The caller passed knowledge-based authentication (KBA).
MFAValidated	Multi-factor authentication passed.
VoiceOptIn / VoiceOptOut	The caller opted in / out of voice authentication.
CallStarted / CallEnded	Call lifecycle markers.

Validation types

The validationType you send when enrolling records how the caller was verified.

Value	Meaning
`VoiceAuth`	Verified by voice biometrics.
`OneTimePasswordAuth`	Verified with a one-time passcode.
`KnowledgeBasedAuth`	Verified via knowledge-based questions.
`NoAuth`	No additional authentication performed.
`Other`	Any other verification method.

Open the API reference →