Package yubikey implements the Yubico YubiKey API.
The package needs to know the secret key of the YubiKey token; this may be stored as a string. For example, the secret key could be loaded from a file with:
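	import (
		"bytes"
		"encoding/hex"
		"io/ioutil"
		// plus this package, imported as yubikey
	)

	// LoadSecretKey reads a hex-encoded secret key from filename.
	func LoadSecretKey(filename string) (*yubikey.Key, error) {
		in, err := ioutil.ReadFile(filename)
		if err != nil {
			return nil, err
		}
		// Strip surrounding whitespace (e.g. a trailing newline) before decoding.
		in = bytes.TrimSpace(in)
		keyBytes := make([]byte, len(in)/2)
		if _, err = hex.Decode(keyBytes, in); err != nil {
			return nil, err
		}
		priv := yubikey.NewKey(keyBytes)
		return priv, nil
	}
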
Then, you can pass the OTP string directly from the YubiKey to
	// GetToken parses an OTP string using the token's secret key.
	func GetToken(otpString string, priv *yubikey.Key) (*yubikey.Token, error) {
		// The first return value (pub in the package's signature) is not needed here.
		_, otp, err := yubikey.ParseOTPString(otpString)
		if err != nil {
			return nil, err
		}
		t, err := otp.Parse(priv)
		if err != nil {
			return nil, err
		}
		return t, nil
	}

It is important to keep track of the YubiKey's counter as well; this is a 16-bit unsigned integer. The counter value in the token should be checked against the last known counter value of the YubiKey to prevent replay attacks.
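
One way to implement the counter check described above, as an added example that is not part of this package: `ReplayGuard`, `Accept` and `ErrReplay` are hypothetical names, and the caller is assumed to pass in the public ID and counter values taken from the parsed token. It goes slightly beyond the text by also comparing the 8-bit session-use counter that a YubiKey increments for each OTP within one power-up, so a second legitimate press in the same session is not rejected.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// ErrReplay is returned when an OTP's counters do not advance past the stored state.
var ErrReplay = errors.New("OTP counter not newer than last seen (possible replay)")

// state is the last accepted counter pair for one token.
type state struct {
	counter uint16 // the 16-bit counter described above
	use     uint8  // session-use counter (assumption, not mentioned on the page)
}

// ReplayGuard (hypothetical) tracks the last accepted counters per public ID.
type ReplayGuard struct {
	mu   sync.Mutex
	last map[string]state
}

func NewReplayGuard() *ReplayGuard {
	return &ReplayGuard{last: make(map[string]state)}
}

// Accept stores (counter, use) for publicID if the pair is strictly newer
// than the stored one and returns ErrReplay otherwise. The compare and the
// update share one lock, so two concurrent submissions of the same OTP
// cannot both pass. An unknown publicID is accepted as-is here; a real
// deployment would seed the state when the token is enrolled.
func (g *ReplayGuard) Accept(publicID string, counter uint16, use uint8) error {
	g.mu.Lock()
	defer g.mu.Unlock()
	prev, seen := g.last[publicID]
	if seen && (counter < prev.counter || (counter == prev.counter && use <= prev.use)) {
		return ErrReplay
	}
	g.last[publicID] = state{counter, use}
	return nil
}

func main() {
	g := NewReplayGuard()
	// Constructed sample values, not captured from a real token.
	fmt.Println(g.Accept("token-A", 10, 0)) // first OTP: accepted
	fmt.Println(g.Accept("token-A", 10, 0)) // same OTP again: replay
	fmt.Println(g.Accept("token-A", 10, 1)) // next press, same session: accepted
	fmt.Println(g.Accept("token-A", 9, 5))  // older counter: replay
}
```

The stored state has to survive restarts (a database row per token, updated in the same transaction as the comparison), otherwise every OTP captured before the restart becomes valid again.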
Package yubikey is licensed under the liberal ISC License.