PHP Yubikey decoder class
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.


Yubikey is a piece of hardware from Yubico which generates One-Time-Passwords (OTPs) and transfers them to your computer by emulating a keyboard.

The OTPs look something like this:


The string is an encrypted buffer which has been encoded with modhex (a Yubico- invented version of base64 encoding).

This PHP class deals with decoding of the modhex, decryption of the data (provided the 128-bit AES key) and unpacking of the data into more easily accessible fields.

The class only extracts the information contained in the OTP, it does not carry out any authentication. It is up to the application to do whatever it wants with the data.

If you are looking for a complete Yubikey authenticator server, go here:

If you are looking for a PHP class to authenticate against the official Yubico servers via its web API, go here:

If you want to build a custom authenticator solution based on YubiKey technology, this class may be useful for you.


See examples/ for a very basic YubiKey authenticator.


If you want to testrun this class without installing a full-blown LAMP installation, the following sequence with Docker can be used:

$ git clone
$ cd yubikey
$ docker run -it --rm -v "$PWD":/usr/src/yubikey -w /usr/src/yubikey/examples php:7.3-cli bash
root@378352d1bb27:/usr/src/yubikey/examples# php authenticator.php
thgegbdkbjgv: authenticated successfully! usage=6 session=0
thgegbdkbjgv: used/spent token (session)

The docker container will be removed as soon as the shell is exited.