Endpoint Protection

To ensure the overall security of the HYPR platform, the various HYPR components (Workforce Access Client, Mobile App, and Control Center) pass an encrypted token to the HYPR Server when making internal API calls.

When installing the Workforce Access Client on a user's machine, you need to include an rpApp-specific Access Token generated by the Control Center. The Workforce Access Client will verify the token's validity with the HYPR Server during the pairing process and automatically exchange it for a new device-unique security token which is then used to authenticate all HYPR communications between the workstation, the mobile device, and the HYPR Server.

First you must create the new access token for installing on that workstation (endpoint). Then you will need to install HYPR Workforce Access Client for Windows using the access token you make.

📘

Waiting for an Invitation

This feature is not enabled by default. Please contact your HYPR Support team member to enable it for your organization.

Windows

Generate the Workstation Installation Token

One of the following methods can be used to make a new Token:

  • Make a Workstation Installation token following the steps for Creating Access Tokens
  • Issue a cURL command to the Control Center API:
    POST {{cc_url}}/rp/api/token/endpoint
    Include the following parameters as JSON in the request body:
{
  "scope": [ "WSINSTALL" ],
   "rpAppId": "{{your-rp-app-name}}",
   "expiresInSecs": 31536000
}

Note that this is a protected endpoint; you'll need to supply an API access token in the header request to authenticate with the HYPR Server. Complete the steps for creating API Access Tokens before proceeding.

See also the HYPR API Documentation for API specifics.

ParameterDescriptionType
scopeScope of the Install Token. This should always be WSINSTALL.Access Control
rpAppIdName of your RP App in the Control Center. This must match the RP App name you'll be using in the Workforce Access Client install configuration.Access Control
expiresInSecsThe Install Token validity period in seconds. You can set a shorter period for increased security, but the token will need to be updated in the workstation settings when it expires. The recommended validity period is one year to reduce maintenance work.TTL

Example Request:

curl --location -g --request POST 'https://highlandsbank.com/rp/api/token/endpoint' \
--header 'Authorization: Bearer 110f7826-d95e-12d2-42ce-8bd67fb20bb9' \
--header 'Content-Type: application/json' \
--data-raw '{
  ...
  "scope": [ "WSINSTALL" ],
  "rpAppId": "WorkstationAccess",
  "expiresInSecs": 31536000
  ...
}
'

Example Response:

{
    "tokenId": "f8b81e27-eaec-389f-9f53-7ee187f73b55",
    "scope": [
        "WSINSTALL"
    ],
    "rpAppId": "WorkstationAccess",
    "deviceId": null,
    "machineId": null,
    "token": "6a74ce20-2c1e-4c7d-ae9d-14be27e2c197",
    "expiryDate": 1653749967975
}

You'll use the same token value when installing or upgrading the HYPR Workforce Access Client (see below):

"token": "6a74ce20-2c1e-4c7d-ae9d-14be27e2c197"

Use the Access Token to Install Workforce Access Client for Windows

Once you've generated an access token, include it when installing the HYPR Workforce Access Client on the workstation. Installation can happen either by using the wizard or by the command line.

Using the Wizard

If you're using the HYPR installer, set the Install Token value on the Environment Setting screen to the token you generated above.

Using msiexec with Command Line Parameters.

If you're setting the parameters directly on the command line, pass in the token via the HYPRINSTALLTOKEN parameter.

msiexec.exe /qn /i .\WorkforceAccess.msi HYPRAPPID="WorkstationAccess" HYPRRP="https://highlandsbank.com/rp" 
HYPRSUPPORT="[email protected]" HYPRHASH="LeM8XnCIy8+Cxm+HKTEOBZr1g3D8odQNHTH+vdu7RWc=" 
HYPRTEMPLATE="HYPRUser" HYPRINSTALLTOKEN="6a74ce20-2c1e-4c7d-ae9d-14be27e2c197"

Using msiexec with the hypr.json File

If you're setting the parameters using the hypr.json configuration file, pass in the token via the installToken parameter.

{
 "version":"1.0",
 "rpUrl":"https://highlandsbank.com/rp",
 "appId":"WorkstationAccess",
 "pinningHash":"LeM8XnCIy8+Cxm+HKTEOBZr1g3D8odQNHTH+vdu7RWc=",
 "supportEmail":"[email protected]",
 "installToken":"6a74ce20-2c1e-4c7d-ae9d-14be27e2c197",
 "fullUI":"1"
}

📘

Feature Security

For security reasons, the InstallToken parameter won't be displayed in the Registry Editor alongside the other HYPR keys.

Upgrading Earlier Versions

When you upgrade an earlier version of the Workforce Access Client to 6.12.0 or higher, you need to add the Install Token value as part of the update process. This is mandatory step.

The installation commands are the same as for a fresh install (see above). However, you only need to provide the new Install Token value. The installer will reuse the existing values for the rest of the parameters.

For example, to upgrade using msiexec with command line parameters, just specify the HYPRINSTALLTOKEN value:

msiexec.exe /q /i WorkforceAccess_x64.msi HYPRINSTALLTOKEN="6a74ce20-2c1e-4c7d-ae9d-14be27e2c197"

macOS

Generate the Workstation Installation Token

Generate the Workstation Installation access token using the following call to the Control Center API:

POST {{cc_url}}/rp/api/token/endpoint

Include the following parameters as JSON in the request body:

{
  "scope": [ "WSINSTALL" ],
   "rpAppId": "{{your-rp-app-name}}",
   "expiresInSecs": 31536000
}

Note that this is a protected endpoint; you'll need to supply an API access token in the header request to authenticate with the HYPR Server. Complete the steps for creating API Access Tokens before proceeding.

See also the HYPR API Documentation for API specifics.

Parameter Definitions

NameDescription
scopeScope of the Install Token. This should always be WSINSTALL.
rpAppIdName of your RP App in the Control Center. This must match the RP App name you'll be using in the Workforce Access Client install configuration.
expiresInSecsThe Install Token validity period in seconds. You can set a shorter period for increased security, but the token will need to be updated in the workstation settings when it expires. The recommended validity period is one year to reduce maintenance work.

Example Request:

curl --location -g --request POST 'https://highlandsbank.com/rp/api/token/endpoint' \
--header 'Authorization: Bearer 110f7826-d95e-12d2-42ce-8bd67fb20bb9' \
--header 'Content-Type: application/json' \
--data-raw '{
  "scope": [ "WSINSTALL" ],
  "rpAppId": "WorkstationAccess",
  "expiresInSecs": 31536000
}
'

Example Response:

{
    "tokenId": "f8b81e27-eaec-389f-9f53-7ee187f73b55",
    "scope": [
        "WSINSTALL"
    ],
    "rpAppId": "WorkstationAccess",
    "deviceId": null,
    "machineId": null,
    "token": "6a74ce20-2c1e-4c7d-ae9d-14be27e2c197",
    "expiryDate": 1653749967975
}

Use the Access Token to Install Workforce Access Client for Mac

Once you've generated a Workstation Installation access token, include it when installing the HYPR Workforce Access Client on the workstation. See Installing with the UI: Installing on macOS.

Upgrading Earlier Versions

When you upgrade an earlier version of the Workforce Access Client to 6.12.0 or higher, you need to include the Install Token value as part of the update process. This is mandatory step.

If your installer came without a hypr.json configuration file, you'll need to manually create one with the installToken field added. For example:

{
 "version":"4",
 "rpUrl":"https://highlandsbank.com/rp",
 "appId":"WorkstationAccess",
 "pinningHash":"LeM8XnCIy8+Cxm+HKTEOBZr1g3D8odQNHTH+vdu7RWc=",
 "supportEmail":"[email protected]",
 "installToken":"6a74ce20-2c1e-4c7d-ae9d-14be27e2c197",
}

See the Installing Manually page for more information about the hypr.json configuration file.

To upgrade, place the hypr.json file and the HYPR installer package in the same folder and execute:

installer -pkg WorkforceAccess-X.X.X-Installer.pkg