Client library written in Java for verifying YubiKey one-time passwords (OTPs).
Java Other
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.
demo-server demo server now uses response.isOk() Feb 24, 2015
jaas Prevents NPE error Mar 5, 2015
v2client User-Agent now includes JRE version. Better logging of wsapi request … Jun 9, 2015
.gitignore Removed unnecessary lazy loading Oct 29, 2014
.travis.yml run jacoco + coveralls from .travis.yml Jan 21, 2015
COPYING Add 2011. Oct 10, 2011
NEWS Update NEWS Jul 15, 2015
README Updated version number in README Jul 15, 2015
README.adoc Asciidoc README Aug 11, 2014
pom.xml update project URL Jan 22, 2015



This repository contains a Java library with an accompanying demo server, as well as a JAAS module, to validate YubiKey OTPs (One-Time Passwords).

By default, this library uses the Yubico YubiCloud validation platform, but it can be configured for another validation server.

For more details on how to use a YubiKey OTP library, visit


Add this to your pom.xml:

// clientId and secretKey are retrieved from
YubicoClient client = YubicoClient.getClient(clientId, secretKey);

// otp is the OTP from the YubiKey
VerificationResponse response = client.verify(otp);
assert response.isOk();

After validating the OTP you should make sure that the publicId part belongs to the correct user. For example:

    .equals(/* Yubikey ID associated with the user */);

For a complete example, see the demo server.


The validation client depends on slf4j-api for logging. To get the actual logs and not receive warnings on System.out you will need to depend on a slf4j logger binding, for example slf4j-log4j with the following Maven configuration:


Read more

For more complete descriptions of methods and failure states, please see the JavaDoc.

If you want the client for the legacy version 1 of the API, it can be found here.