Enables integration with the Yubico validation platform, so you can use Yubikey's one-time-password in your Rust application, allowing a user to authenticate via Yubikey.
- Synchronous Yubikey client API library, validation protocol version 2.0.
- Asynchronous Yubikey client API library relying on Tokio
Note: The USB-related features have been moved to a separated repository, yubico-manager
Add this to your Cargo.toml
[dependencies]
yubico_ng = "0.14"Or, since this crate is still backwards compatible with the yubico crate.
[dependencies]
yubico = { version = "0.14", package = "yubico_ng" }The following are a list of Cargo features that can be enabled or disabled:
- online-tokio (enabled by default): Provides integration to Tokio using futures.
- native-tls (enabled by default): Use native-tls provided by the OS.
- rustls-tls: Use rustls instead of native-tls.
You can enable or disable them using the example below:
[dependencies.yubico_ng]
version = "0.13"
# don't include the default features (online-tokio, native-tls)
default-features = false
# cherry-pick individual features
features = []extern crate yubico_ng;
use yubico_ng::config::*;
use yubico_ng::verify;
fn main() {
let config = Config::default()
.set_client_id("CLIENT_ID")
.set_key("API_KEY");
match verify("OTP", config) {
Ok(answer) => println!("{}", answer),
Err(e) => println!("Error: {}", e),
}
}use yubico_ng::verify;
use yubico_ng::config::Config;
fn main() {
let config = Config::default()
.set_client_id("CLIENT_ID")
.set_key("API_KEY")
.set_api_hosts(vec!["https://api.example.com/verify".into()]);
match verify("OTP", config) {
Ok(answer) => println!("{}", answer),
Err(e) => println!("Error: {}", e),
}
}#![recursion_limit="128"]
use futures::TryFutureExt;
use std::io::stdin;
use yubico_ng::config::Config;
use yubico_ng::verify_async;
#[tokio::main]
async fn main() -> Result<(), ()> {
println!("Please plug in a yubikey and enter an OTP");
let client_id = std::env::var("YK_CLIENT_ID")
.expect("Please set a value to the YK_CLIENT_ID environment variable.");
let api_key = std::env::var("YK_API_KEY")
.expect("Please set a value to the YK_API_KEY environment variable.");
let config = Config::default()
.set_client_id(client_id)
.set_key(api_key);
let otp = read_user_input();
verify_async(otp, config)
.map_ok(|()| println!("Valid OTP."))
.map_err(|err| println!("Invalid OTP. Cause: {:?}", err))
.await
}
fn read_user_input() -> String {
let mut buf = String::new();
stdin()
.read_line(&mut buf)
.expect("Could not read user input.");
buf
}For convenience and reproducibility, a Docker image can be generated via the provided repo's Dockerfile.
You can use a build-arg to select which example to be used. For example use --build-arg=EXAMPLE=otp_async to build the async example instead of the default otp example.
Build:
$ docker build -t yubico-rs .
...
Successfully built 983cc040c78e
Successfully tagged yubico-rs:latestRun:
$ docker run --rm -it -e YK_CLIENT_ID=XXXXX -e YK_API_KEY=XXXXXXXXXXXXXX yubico-rs:latest
Please plug in a yubikey and enter an OTP
ccccccXXXXXXXXXXXXXXXXXXXX
The OTP is valid.A static binary can be extracted from the container and run on almost any Linux system.
Build:
$ docker build -t yubico-rs-static . -f Dockerfile.static
...
Successfully built 983cc040c78e
Successfully tagged yubico-rs-static:latestRun:
$ docker run --rm -it -e YK_CLIENT_ID=XXXXX -e YK_API_KEY=XXXXXXXXXXXXXX yubico-rs-static:latest
Please plug in a yubikey and enter an OTP
ccccccXXXXXXXXXXXXXXXXXXXX
The OTP is valid.-
0.15.0 (2026-01-18):
- Use reqwest v0.13 or higher
- Switched to edition 2024
- Set MSRV to v1.85.0 which supports edition 2024 by default
- Removed
native-tlsandrustls-tlsand usereqwest/default-tlsby default.
All other reqwest features are disabled in this crate it self!
In this version I removed the specific
reqwestfeatures because it would limitreqwestto those specific features.
Also updated toreqwestv0.13 as a minimal version. If you need to use v0.12 ofreqwest, just keep using v0.14 ofyubico_ng.
I default to thedefault-tlsfeature via thedefaultfeature of the crate it self, which should be fine for most use cases.If you want to use anything else besides
default-tls, usedefault-features = false, definereqwestas a custom dependency and define the wanted features. This way you can userustls-no-providerand use any provider supported byreqwest.[dependencies] yubico_ng = { version = "0.15", default-features = false, features = ["online-tokio"] } reqwest = { version = "0.13.1", default-features = false, features = ["rustls-no-provider"] } rustls = { version = "0.23.36", default-features = false, features = ["ring"] }
fn main() { // Initialize rustls with ring so reqwest v0.13+ will work without aws-lc for example rustls::crypto::ring::default_provider() .install_default() .expect("Failed to install rustls crypto provider for Reqwest"); }
-
0.14.1 (2025-08-13):
- Exclude several files from the crate package
-
0.14.0 (2025-08-13) (not published to crates.io):
- Upgrade to
tokio1.47 - Bumped MSRV to v1.82.0 needed by latest packages
- Added more clippy/rust lints including
pedanticand fixed found items - Use only the main api server, the others are deprecated
- Updated GHA
- Added dotenvy as a dev dependency to load
.envfiles
- Upgrade to
-
0.13.0 (2025-04-23):
- Upgrade to
tokio1.44,rand0.9 - Renamed to yubico_ng and published crate
- Made edition 2024 compatible
- Added several clippy/rust lints and fixed those
- Fixed a panic if the
YK_API_HOSTwas invalid - Use only the main api server, the others are deprecated
- Run cargo fmt
- Updated GHA to use hashes and run/fix zizmor
- Upgrade to
-
0.12.0: Upgrade to
tokio1.37,reqwest0.12,base640.22, clippy fixes. -
0.10.0: Upgrade to
tokio1.1 andreqwest0.11 -
0.9.2: (Yanked) Dependencies update
-
0.9.1: Set HTTP Proxy (Basic-auth is optional)
-
0.9.0: Moving to
tokio0.2 andreqwest0.10 -
0.9.0-alpha.1: Moving to
futures0.3.0-alpha.19 -
0.8: Rename the
syncandasyncmodules tosync_verifierandasync_verifierto avoid the use of theasyncreserved keyword.
