Endpoint Protection for macOS

To ensure the overall security of the HYPR platform, the various HYPR components (Workforce Access Client, Mobile App, and Control Center) pass an encrypted token to the HYPR Server when making internal API calls.

When installing the Workforce Access client on a user's machine, you need to include an rpApp-specific Install Token generated by the Control Center. The Workforce Access client will verify the token's validity with the HYPR Server during the pairing process and automatically exchange it for a new device-unique security token which is then used to authenticate all HYPR communications between the workstation, the mobile device, and the HYPR Server.



This feature requires version 6.12.0 or higher across all HYPR components, including the Mobile App, Server, and Workforce Access Client.

If you're upgrading an earlier version, you need to slightly modify your installation process. Please see Upgrading Earlier Versions below.


Beta Feature

This feature is not enabled by default. Please contact your HYPR Support team member to enable it for your organization.

Generating and Using the Install Token

Step 1: Generate the Install Token

You can generate the InstallToken using the following call to the Control Center API:

POST {{cc_url}}/rp/api/token/endpoint

Include the following parameters as JSON in the request body:

  "scope": [ "WSINSTALL" ],
   "rpAppId": "{{your-rp-app-name}}",
   "expiresInSecs": 31536000

Please note that this is a protected endpoint so you'll need to supply an API access token in the header request to authenticate with the HYPR Server. See the Access Token page for more information.

Parameter Definitions

scopeScope of the Install Token. This should always be WSINSTALL.
rpAppIdName of your RP App in the Control Center. This must match the RP App name you'll be using in the Workforce Access Client install configuration.
expiresInSecsThe Install Token validity period in seconds. You can set a shorter period for increased security, but the token will need to be updated in the workstation settings when it expires. The recommended validity period is one year to reduce maintenance work.

Example Request:

curl --location -g --request POST 'https://highlandsbank.com/rp/api/token/endpoint' \
--header 'Authorization: Bearer 110f7826-d95e-12d2-42ce-8bd67fb20bb9' \
--header 'Content-Type: application/json' \
--data-raw '{
  "scope": [ "WSINSTALL" ],
  "rpAppId": "WorkstationAccess",
  "expiresInSecs": 31536000

Example Response:

    "tokenId": "f8b81e27-eaec-389f-9f53-7ee187f73b55",
    "scope": [
    "rpAppId": "WorkstationAccess",
    "deviceId": null,
    "machineId": null,
    "token": "6a74ce20-2c1e-4c7d-ae9d-14be27e2c197",
    "expiryDate": 1653749967975

Step 2: Include the Install Token when installing the Workforce Access Client

Once you've generated an Install Token, include it when installing the HYPR Workforce Access Client on the workstation. See the Installation and Configuration page for details.

Upgrading Earlier Versions

When you upgrade an earlier version of the Workforce Access Client to 6.12.0 or higher, you need to include the Install Token value as part of the update process. This is mandatory step.

If your installer came without a hypr.json configuration file, you'll need to manually create one with the installToken field added. For example:

 "supportEmail":"[email protected]",

See the Installation and Configuration page for more information about the hypr.json configuration file.

To upgrade, place the hypr.json file and the HYPR installer package in the same folder and execute:

installer -pkg WorkforceAccess-X.X.X-Installer.pkg