Skip to content
Client library for verifying YubiKey one-time passwords (OTPs).
Branch: master
Clone or download

Latest commit

Fetching latest commit…
Cannot retrieve the latest commit at this time.


Type Name Latest commit message Commit time
Failed to load latest commit information.
.github/workflows Test with JDK 7 too Jan 23, 2020
demo-server Remove unused import Feb 10, 2020
doc Add some documentation of release process Feb 25, 2019
jaas Don't use deprecated Class.newInstance() method Feb 10, 2020
v2client Trying to set maxRetries as negative is an error. Feb 10, 2020
.gitattributes Add .gitattributes Dec 21, 2017
.gitignore Ignore VSCode metadata Feb 6, 2020
BLURB update project URL Jan 22, 2015
COPYING Add 2011. Oct 10, 2011
NEWS Update NEWS Feb 11, 2020
README Move CI to GitHub Actions Jan 23, 2020
README.adoc Asciidoc README Aug 11, 2014
pom.xml Update developers in POM Feb 18, 2020



Build Status

This repository contains a Java library with an accompanying demo server, as well as a JAAS module, to validate YubiKey OTPs (One-Time Passwords).

By default, this library uses the Yubico YubiCloud validation platform, but it can be configured for another validation server.

For more details on how to use a YubiKey OTP library, visit


Add this to your pom.xml:

// clientId and secretKey are retrieved from
YubicoClient client = YubicoClient.getClient(clientId, secretKey);

// otp is the OTP from the YubiKey
VerificationResponse response = client.verify(otp);
assert response.isOk();

After validating the OTP you should make sure that the publicId part belongs to the correct user. For example:

    .equals(/* Yubikey ID associated with the user */);

For a complete example, see the demo server.


The validation client depends on slf4j-api for logging. To get the actual logs and not receive warnings on System.out you will need to depend on a slf4j logger binding, for example slf4j-log4j with the following Maven configuration:


Read more

For more complete descriptions of methods and failure states, please see the JavaDoc.

You can’t perform that action at this time.