Yubico

Developers intro
Try your YubiKey
Web Service Clients
Web Service API
Basic Server Library
Validation Server
OpenID server
Personalization tool
Yubico Forum

The Yubico Web Service APIs makes it possible for you to verify the one-time passwords (OTP) generated by the YubiKey. This page describes how to get started working with our server, and also provides the protocol specification.

We have written clients in several languages and for different purposes, so chances are that you do not need to implement our protocol yourself. Save your time and look at our existing clients: Java, C#/.NET, Python, Python, Ruby.

If you write a new client following these specifications, please let us know so that others can avoid duplicating work.

Getting started

Here is the quickest way to get started:

1. API key

To use the API, first use our online API key generator. It will assign you an ID and create a shared key. You can use the shared key to authenticate that the API responses do come from us, if you for some reason do not want to rely on HTTPS. You may also sign requests using this key, so that we know who are sending them.

2. Capture an OTP

Capture an OTP output from your YubiKey. You can do that by opening Notepad (for Windows), TextEdit (for Mac OS X) or Emacs (for GNU/Linux) and simply pressing the button on the YubiKey. The OTP is a simple string of characters, like this: vvvvvvcurikvhjcvnlnbecbkubjvuittbifhndhn.

3. Send OTP to our server

Make the authentication request against our server following the protocol specified below. Your request should include the verifier ID, a number that identifies the approver of your key, and the OTP you captured in the previous instruction. The request is part of the HTTP GET URL, encoded using normal parameter/value pairs. For example (broken into two lines for legibility):

http://api.yubico.com/wsapi/verify?id=42&otp=vvvvvvcur\
ikvhjcvnlnbecbkubjvuittbifhndhn

4. Parse response

You will recieve a response back from the server, a string of text that resembles the following:

h=hhbVQZYvkEWUdhYjx1hjB/yeW/Y=
t=2008-01-11T03:51:21Z0079
status=OK

You can check the authenticity of this response using the HMAC specification detailed below.

5. Make a decision

Do what you wish with the information in the response, specifically the section denoted with "status=" as this is the final response. All our APIs define constants related to these statuses, also listed below.

Protocol Specification

All requests are HTTP GETs. As such, all parameters must be properly URL encoded. In particular, some base64 characters (such as "+") in the value fields needs to be escaped.

Each response sent by Yubico is signed. To make sure the response has not been tampered with, you should verify the signature.

To verify a signature on a message, follow the same procedure that was used to sign the message and compare the signature in the response to the signature you generated. If the signature values are equal, the signature is correct.

Make sure you remove the signature itself from the values you generate the signature over for verification. If the incoming message is

b=1&a=2&c=3&h=V5FkMYr9GCG9tQA9ihuuybWl99U=

make sure to remove h before verifying:

b=1&a=2&c=3

Generating signatures

The Yubico API uses HMAC-SHA1 signatures with 160 bit key lengths (as defined by RFC 3174). The HMAC key to use is the API key.

Generate the signature over the parameters in the message. Each message contains a set of key/value pairs, and the signature is always over the entire set (excluding the signature itself), sorted in alphabetical order of the keys. To generate a message signature:

Alphabetically sort the set of key/value pairs by key order.
Construct a single line with each ordered key/value pair concatenated using '&', and each key and value contatenated with '='. Do not add any linebreaks. Do not add whitespace. For example: a=2&b=1&c=3.
Apply the signature algorithm to the line's octet string (UTF-8 byte values according to RFC 3629) using the API key as key.
Base 64 encode the resulting value according to RFC 4648, for example, t2ZMtKeValdA+H0jVpj3LIichn4=.
Append the value under key h to the message.

Verification

There is one call to verify YubiKey OTPs: verify.

verify

The verify call lets you check whether an OTP is valid. Since the OTP itself contains identification information, all you have to do is to send the OTP.

Request

Construct an HTTP GET call to


http://api.yubico.com/wsapi/verify

with the following parameters (note that this request need not be signed):

parameter	type	required	purpose
`id`	string	Yes	Specifies the requestor so that the end-point can retrieve correct shared secret for signing the response.
`otp`	string	Yes	The OTP from the YubiKey.
`h`	string	No	The optional HMAC-SHA1 signature for the request.

An example request (broken into two lines for legibility):

http://api.yubico.com/wsapi/verify?otp=vvvvvvcucrlcietctc\
kflvnncdgckubflugerlnr&id=87

Response

The verification response tells you whether the OTP is valid.

The response has the following values:

parameter	type	purpose
`h`	string (base64)	Signature as described above.
`t`	time stamp	Timestamp in UTC.
`status`	string (base64)	The status of the operation. The status are described in return codes.
`info`	string	Additional information if the status is `MISSING_PARAMETER`.

Return codes

These are possible status values in a verify response:

name	meaning
`OK`	The OTP is valid.
`BAD_OTP`	The OTP is invalid format.
`REPLAYED_OTP`	The OTP has already been seen by the service.
`BAD_SIGNATURE`	The HMAC signature verification failed.
`MISSING_PARAMETER`	The request lacks parameter given by key `info`.
`NO_SUCH_CLIENT`	The request `id` does not exist.
`OPERATION_NOT_ALLOWED`	The request `id` is not allowed to verify OTPs.
`BACKEND_ERROR`	Unexpected error in our server. Please contact us if you see this error.