Important

The blueprints and code samples provided in this section are for reference and demonstration purposes only, delivered on an "as-is" basis. While these resources help illustrate how to connect Veridas services with third-party platforms, the final implementation, testing, and ongoing maintenance are the sole responsibility of the client. Our team does not guarantee continuous updates, long-term compatibility, or dedicated technical support for these sample integrations.

Agent

Amazon Connect Voice Authentication agent based solution is based on a Web Component. This component is the Amazon Connect Voice Authentication Web Component and includes all the UI and logic necessary to integrate with the following Veridas services:

• VSS (Veridas Streaming Service): for receiving and processing audio from Amazon Kinesis Video Streams.
• VCSP (Veridas Credential Service Provider): for generating, storing, and managing biometric credentials and handling authentication.

Distributables

To build Amazon Connect Voice Authentication agent based solution, Amazon Connect Voice Authentication Web Component must be served from a web service that already includes the Amazon Connect Contact Control Panel (CCP) so agents can communicate with contacts. With this in mind, Amazon Connect Voice Authentication agent based solution has two possible distribution options:

• Option 1: This option is intended for customers who want to start using the solution but do not yet have an integration where the CCP is already embedded in their own website (Salesforce, Zendesk, ...). This option involves a very simple integration, as the distributed image is an all-in-one solution.
• Option 2: This option is intended for customers who already have their own website with the CCP embedded. This option requires a slightly more complex integration than Option 1.

Option 1

With this option, Veridas provides, as part of the Amazon Connect Voice Authentication agent based solution, a Docker image that already contains a web service (Flask + Gunicorn) and serves the Amazon Connect Voice Authentication Web Component. This image is known as the Amazon Connect Voice Authentication Server.

Important

Amazon Connect Voice Authentication Server can be run in any host. It's customers responsibility to deploy this image to the cloud server from which they want to host the web service and surround it with the cloud infrastructure they consider appropriate.

Option 2

With this option, Veridas provides, as part of the Amazon Connect Voice Authentication agent based solution, a JavaScript bundled file with the Amazon Connect Voice Authentication Web Component

As part of the solution distributable, for both distribution options, Veridas also provides the following parameters:

• VERIDAS_BASE_URL: The base URL of the Veridas production environment services that the integration should point to.
• VERIDAS_CLIENT_ID: OAuth2 Client ID for authenticating with Veridas services.
• VERIDAS_CLIENT_SECRET: OAuth2 Client Secret for authenticating with Veridas services.

Important

Amazon Connect Voice Authentication Web Component has predefined behavior and is not customizable. If any behavior needs to be customized, that work must be undertaken by the client. In that case, contact with Veridas to obtain access to the source code to start your own customization.

Integration steps

Prerequisites

This section assumes the following:

• This customer/integrator has an AWS Amazon Connect active instance and possesses platform administration knowledge. No details regarding Amazon Connect administration are provided here. In case of any doubts, it is recommended to consult the official Amazon Connect documentation.
• There is an existing "Sample queue customer" flow (or any flow that places the customer in a queue) assigned to an existing phone number and at least one user/agent assigned to the queue so it can handle calls.
• Authorization has been configured to grant Veridas access to Kinesis Video Streams steams by following steps in authorization section.
• The URL of the server where integration is served has been added to Amazon Connect Approved Origins.

0.1. Configure flow

This step is common for both Option 1 and Option 2. It consists of configuring the "Sample queue customer" to allow Veridas to capture the call stream. To do this, the following blocks must be added at the beginning of the flow:

• Start media streaming
• Set contact attributes
  • Set attributes on: Current contact
  • Add another attribute:
    • Namespace: User defined
    • Key: streamArn
    • Value (Set manually): $.MediaStreams.Customer.Audio.StreamARN

Start media streaming block tells Amazon Connect to stream call audio to Kinesis Video Streams. Also, streamArn attribute is employed by Amazon Connect Voice Authentication Web Component to send it to Veridas Streaming Service so it's used to retrieve audio from Kinesis Video Streams.

Option 1

1. Run docker image

As a prerequisite, you must have Docker installed on the machine where the Amazon Connect Voice Authentication Server docker image will be run.

Once Docker is installed you can import the corresponding image in your local docker image repository by loading the distributed tar file:

docker load -i amazon-connect-voice-authentication-server.tar

The docker image includes a web server with Flask + Gunicorn running on port 80. Additionally, it includes the following environment variables, which allow configuring the behavior of the WC. Please, make sure to set these environment variables before running the docker image.

Environment variable	default	description
AMAZON_INSTANCE_URL		URL of the Amazon Connect instance to be used.
AMAZON_REGION		Amazon region of the Amazon Connect instance (e.g. eu-central-1).
AMAZON_EXTERNAL_ID		Identifier for external role access. See Authorization.
VERIDAS_BASE_URL		VERIDAS_BASE_URL provided by Veridas as part of the distributable used to access production environment.
VERIDAS_CLIENT_ID		VERIDAS_CLIENT_ID provided by Veridas as part of the distributable used to authenticate within Veridas Cloud.
VERIDAS_CLIENT_SECRET		VERIDAS_CLIENT_SECRET provided by Veridas as part of the distributable used to authenticate within Veridas Cloud.
REGISTER_NET_SPEECH_DURATION	5	Audio seconds required for a registration process.
VERIFY_NET_SPEECH_DURATION	5	Audio seconds required for an authentication process.
REGISTER_AUTHENTICITY_THRESHOLD	0.8	Threshold below which a registration is considered spoof*.
VERIFY_AUTHENTICITY_THRESHOLD	0.8	Threshold below which an authentication is considered spoof*.
BIOMETRIC_THRESHOLD	0.8	Threshold below which an authentication is considered unsuccessful*.

* Check voice biometry performance report.

To run docker image, you can run it using docker run by specifying environment variables (-e) and publishing port 80 (-p 80:80):

docker run -p 80:80 -e AMAZON_INSTANCE_URL=<AMAZON_INSTANCE_URL> -e AMAZON_REGION=<AMAZON_REGION> -e AMAZON_EXTERNAL_ID=<AMAZON_EXTERNAL_ID> -e VERIDAS_BASE_URL=<VERIDAS_BASE_URL> -e VERIDAS_CLIENT_ID=<VERIDAS_CLIENT_ID> -e VERIDAS_CLIENT_SECRET=<VERIDAS_CLIENT_SECRET> amazon-connect-voice-authentication-server:latest

Alternatively, you can also use docker compose if it's clearier or easier for you:

version: '3.8'
services:
  amazon-connect-voice-authentication-server:
    image: amazon-connect-voice-authentication-server:latest
    ports:
      - "80:80"
    environment:
        - AMAZON_INSTANCE_URL=<AMAZON_INSTANCE_URL>
        - AMAZON_REGION=<AMAZON_REGION>
        - AMAZON_EXTERNAL_ID=<AMAZON_EXTERNAL_ID>
        - VERIDAS_BASE_URL=<VERIDAS_BASE_URL>
        - VERIDAS_CLIENT_ID=<VERIDAS_CLIENT_ID>
        - VERIDAS_CLIENT_SECRET=<VERIDAS_CLIENT_SECRET>

After starting the image, you will see the corresponding Gunicorn logs, indicating that the server started successfully.

[2025-09-29 06:41:17 +0000] [1] [INFO] Starting gunicorn 23.0.0
[2025-09-29 06:41:17 +0000] [1] [INFO] Listening at: http://0.0.0.0:80 (1)
[2025-09-29 06:41:17 +0000] [1] [INFO] Using worker: sync
[2025-09-29 06:41:17 +0000] [7] [INFO] Booting worker with pid: 7
[2025-09-29 06:41:17 +0000] [8] [INFO] Booting worker with pid: 8
[2025-09-29 06:41:17 +0000] [9] [INFO] Booting worker with pid: 9
[2025-09-29 06:41:17 +0000] [10] [INFO] Booting worker with pid: 10

You can now open your browser and start using Amazon Connect Voice Authentication Web Component by starting a new call.

Option 2

Important

This option assumes that the customer already has a web service, from which the Amazon CCP is embedded.

1. Set up authentication backend

Amazon Connect Voice Authentication Web Component uses an OAuth2 client credenials flow to authenticate. In this flow, since the client_id and client_secret cannot be exposed in the front-end code, it is necessary to create an authentication backend that stores these values and makes requests to the Veridas authentication server to obtain tokens.

This backend authentication logic can be implemented by the customer in whichever way they consider appropriate. In fact, it is recommended to use already existing web service to add a new endpoint to access the authentication backend. Below is a basic example of an authentication backend endpoint implementation using Python and Flask.

import requests
from flask import Flask, request, jsonify

app = Flask(__name__)

@app.route("/oauth", methods=["POST"])
def get_token():
    data = request.get_json()
    authentication_server_url = data.get("authentication_server_url")
    response = requests.post(
        f"{authentication_server_url}",
        json={
            "client_id": <VERIDAS_CLIENT_ID>,
            "client_secret": <VERIDAS_CLIENT_SECRET>,
            "grant_type": "client_credentials"
        }
    )
    return jsonify(response.json())

Amazon Connect Voice Authentication Web Component will automatically make POST requests to this authentication backend including authentication_server_url. Authentication backend must use this authentication_server_url along with VERIDAS_CLIENT_ID and VERIDAS_CLIENT_SECRET to make requests to Veridas authentication server. It will get a JSON response that must be returned as it is to frontend. Amazon Connect Voice Authentication Web Component will use the resulting token to make requests to Veridas services. It will also automatically request for new token when token expires..

2. Integrate web component

Lastly, Amazon Connect Voice Authentication Web Component must be added to customers frontend code. The variability of scenarios can be quite wide here, depending on how the customer has set up their web service. As an example, below is a basic index.html which shows the minimal code required for the integration. From this point onward, it is the customer’s responsibility to integrate it into their web service.

<!doctype html>
<html lang="en-GB">
<head>
  <meta charset="utf-8">
  <style>
    body {
      background: #fafafa;
    }
  </style>
</head>
<body>
  <script type="module" src="voice-authentication-agent-amazon.bundle.js"></script>
  <script>
    window.addEventListener('DOMContentLoaded', () => {

      const containerCcp = document.getElementById('container-div');
      connect.core.initCCP(containerCcp, {
          ccpUrl: '<AMAZON_INSTANCE_URL>',
          loginPopup: true,
          loginPopupAutoClose: true,
          loginOptions: {
              autoClose: true,
              height: 600,
              width: 400,
              top: 0,
              left: 0,
          },
          region: '<AMAZON_REGION>',
          softphone: {
              allowFramedSoftphone: true,
              disableRingtone: false,
              ringtoneUrl: './ringtone.mp3',
          },
          pageOptions: {
              enableAudioDeviceSettings: false,
              enablePhoneTypeSettings: true,
          },
      });

      const voiceAuthenticationAgent = document.createElement('voice-authentication-agent-amazon');
      voiceAuthenticationAgent.setAttribute('amazonExternalId', "<AMAZON_EXTERNAL_ID>");
      voiceAuthenticationAgent.setAttribute('authenticationBackendUrl', "<AUTHENTICATION_BACKEND_URL>");
      voiceAuthenticationAgent.setAttribute('veridasBaseUrl', "<VERIDAS_BASE_URL>");
      containerCcp.appendChild(voiceAuthenticationAgent);
    });
  </script>
  <div style="width: 50%">
    <div id="container-div" style="height: 500px;"></div>
  </div>
</body>
</html>

Essentially, the only thing the displayed code does is instantiate the CCP using Amazon Connect Streams, and then instantiate the Amazon Connect Voice Authentication Web Component (imported from voice-authentication-agent-amazon.bundle.js). Following attributes may be specified:

Attribute	default	description
amazonExternalId		Identifier for external role access. See Authorization.
veridasBaseUrl		VERIDAS_BASE_URL provided by Veridas as part of the distributable used to access production environment.
authenticationBackendUrl		URL of the configured authentication backend.
registerNetSpeechDuration	5	Audio seconds required for a registration process.
verifyNetSpeechDuration	5	Audio seconds required for an authentication process.
registerAuthenticityThreshold	0.8	Threshold below which a registration is considered spoof*.
verifyAuthenticityThreshold	0.8	Threshold below which an authentication is considered spoof*.
biometricThreshold	0.8	Threshold below which an authentication is considered unsuccessful*.

* Check voice biometry performance report.

Once you have adapted your web service’s source code to include the Amazon Connect Voice Authentication Web Component, you will be able to start using it by accessing it through the browser.

Note

It is important to note here that Option 1 is essentially just Option 2 packaged as a Docker image, making it easy to deploy and sparing the client from having to create their own server.

Usage

Amazon Connect Voice Authentication Web Component offers to the agent user registration/verification capabilities.

Upon successful integration, Amazon Connect Voice Authentication Web Component will appear within platform's agent panel for an existing call.

Register a user

Any agent can start a registration process for a calling user using voice from interaction call just by pressing Register User button. This will create a session in VSS (using the stream from the Audiohook integration) and the agent will receive feedback of the progress of the session. Once enough voice has been collected, an enrollment request will be performed against VCSP, which will store the credential for future identifications based on the specified subject_id:

Upon successful registration, agent will receive a notification and a green tick icon will be displayed.

When an audio is marked as spoof (based on authenticity_threshold) during registration, a warning message will be displayed.

Important

Caller ANI number is used as default subjectId. This is the default behavior and can't be changed by the customer unless it creates its own solution.

Authenticate a user

When an agent receives a call from a user that was previously registered, then Authenticate User button will be displayed:

Any agent can start an authentication process for a calling user using voice from interaction call just by pressing Authenticate User button. This will create a session in VSS and the agent will receive feedback of the progress of the session. Once enough voice has been collected, a 1:1 matching request will be performed against VCSP using the previously registered subject_id:

Upon successful authentication, agent will receive a notification and a green tick icon will be displayed.

Upon unsuccessful authentication, agent will receive a notification and a red cross icon will be displayed.

When an audio is marked as spoof (based on authenticity_threshold) during authentication, a warning message will be displayed.

Delete a user

During an interaction, an agent can delete a user if already registered just by pressing Delete User trash icon button. A popup will be displayed for confirmation.

After confirmation, a delete account request will be performed against VCSP to remove existing subject_id account.

Errors

If any error is detected during the usage of the application, an error message will be displayed. For more details about the specific error, check browser console.