YubiCloud REST API

The YubiCloud provides a secure, scalable, and globally distributed service for validating One-Time Passwords (OTPs) generated by YubiKeys. The simple RESTful API is the recommended method for all modern OTP integrations.

This guide provides the essential details for validating a YubiKey OTP from your application.

API Endpoint Details

The API is accessed via a simple HTTPS GET request.

Method: GET
Endpoint URL: https://api.yubico.com/wsapi/2.0/verify
Protocol: HTTPS
Response Format: Newline-delimited key-value pairs (key=value\n...)

Authentication: Getting an API Key

Before you can use the YubiCloud API, you must obtain a Client ID. An optional API Key can also be generated if you wish to sign your requests for added security.

Get Your Credentials: You can generate a Client ID for free at the Yubico API Key Generator.

Making a Validation Request

A validation request is an HTTPS GET call to the verify endpoint containing the three required query parameters: id, otp, and nonce.

Request Parameters

Parameter Description Required?

Parameter	Description	Required?
`id`	Your numeric Client ID obtained from the API key generator.	Yes
`otp`	The 44-character ModHex encoded One-Time Password generated by a YubiKey.	Yes
`nonce`	A unique, random string (16-40 alphanumeric characters) generated by your client for this request. It is a critical security measure to prevent replay attacks and ensure response integrity.	Yes

id

Your numeric Client ID obtained from the API key generator.

**Yes**

otp

The 44-character ModHex encoded One-Time Password generated by a YubiKey.

**Yes**

nonce

A unique, random string (16-40 alphanumeric characters) generated by your client for this request. It is a critical security measure to prevent replay attacks and ensure response integrity.

**Yes**

Example Request with `curl`

This curl example shows a valid request, including the required nonce and proper quoting for the URL.

# Generate a random 32-character nonce for this request.
# In a real application, this should be a cryptographically secure random string.
NONCE=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32)

# Press your YubiKey to generate a fresh OTP.
# Replace <YOUR_CLIENT_ID> and <YOUR_YUBIKEY_OTP> with your values.
curl 'https://api.yubico.com/wsapi/2.0/verify?id=<YOUR_CLIENT_ID>&nonce='${NONCE}'&otp=<YOUR_YUBIKEY_OTP>'

Handling the API Response

The API response is a plain-text, newline-separated list of key-value pairs. Your application should parse this response and, most importantly, check that the status field is exactly OK.

Successful Response (`status=OK`)

If the OTP is valid, the API will return status=OK along with your original nonce.

Example Successful Response

h=lR22a1+aZ55S/xVvG3S3AsFG2/c=
t=2025-06-05T20:55:10Z0814
otp=vvcijgklnrbfditdennrucunkbthghhbbgelblvifgkn
nonce=aeBieT6Nake2i4N4iim7sheeChii6u4V
sl=100
status=OK

Always verify the signature (h=...) and that the returned nonce matches the one you sent in a production environment to ensure the response is authentic and belongs to your request.

Common Error Statuses

Status Value	Meaning
`BAD_OTP`	The OTP is invalid.
`REPLAYED_OTP`	The OTP has already been seen by the validation server.
`BAD_SIGNATURE`	The request was signed with an API key, but the signature was invalid.
`MISSING_PARAMETER`	One of the required parameters (`id`, `otp`, or `nonce`) was missing from the request.
`NO_SUCH_CLIENT`	The Client ID (`id=...`) does not exist.
`BACKEND_ERROR`	An unexpected error occurred on the YubiCloud server. Your client should retry later.

Next Steps & Official Documentation

For more advanced topics like signing requests, response signature validation, and running your own validation server, please refer to the official Yubico OTP documentation.

Yubico OTP Developer Documentation (Main Hub)
YubiCloud Validation Protocol Specification (Detailed technical spec)