yubioath-cli(1) Yubico Authenticator command line interface


yubioath-cli [-h] command


The Yubico Authenticator is a graphical desktop tool for generating Open AuTHentication (OATH) event-based HOTP and time-based TOTP one-time password codes, with the help of a YubiKey that protects the shared secrets.


yubioath-cli has the following options:

-h, --help

Shows a list of available sub commands and arguments.

-R, --remember

Save any password given for a YubiKey to avoid having to enter it in again.

-r, --reader READER

Name to match smartcard reader against (case insensitive).


yubioath-cli supports multiple commands, each with its own options, in addition to the global options:

yubioath-cli show [OPTIONS] [QUERY]

Display one or more one time codes calculated by the YubiKey.

-s1, --slot1 DIGITS

Calculate and show a one time code from slot 1, displaying DIGITS number of digits.

-s2, --slot2 DIGITS

Calculate and show a one time code from slot 2, displaying DIGITS number of digits.

-t, --timestamp TIMESTAMP

Use the user provided TIMESTAMP instead of the system clock.


A filter string to match credential names against. If given, only credentials containing the QUERY substring will be displayed. For HOTP credentials, codes will only be calculated when given a QUERY which uniquely specifices the credential as to avoid unwanted counter incrementation.

yubioath-cli put [OPTIONS] KEY

Load and store a credential into the YubiKey.

-S, --destination DEST

Where DEST is one of:

0 the main applet (default).

1 the YubiKey standard slot 1.

2 the YubiKey standard slot 2.

-N, --name NAME

The name to give the credential. When giving a name with an issuer, the issuer and name should be separated by a colon: issuer:name. Not applicable to slot-based credentials.

-A, --oath-type ALGORITHM

OATH algorithm to use. Should be one of totp (default) and hotp. Not applicable to slot-based credentials.

-D, --digits DIGITS

The number of digits to output when generating codes. Should be 6 (default) or 8. Not applicable to slot-based credentials.

-I IMF, --imf IMF

The initial value to store for the counter. Only applicable for HOTP credential. Not applicable to slot-based credentials.

-T, --touch

When set, the slot will require the user to press the button on the YubiKey before calculating a code. Only applicable to slot-based credentials.


Either a base32 encoded key to use as the secret for the credential, or an otpauth:// URI containing the parameters of the credential. When a URI is given the other options are not needed, but can be used to override parameters in the URI, if needed.

yubioath-cli delete NAME

Deletes a credential from the main OATH credential storage.


A filter string that uniquely identifies the credential to delete.

yubioath-cli password [OPTIONS]

Manage the access password of the OATH applet.

-S, --set

Sets a new password for the YubiKey.

-U, --unset

Unsets the current password, so that the YubiKey does not require a password to be used.

-F, --forget

Remove all access keys stored on disk.

-P, --password PASSWORD

Provide the new password for use with --set as an argument. If not given, the command will prompt the user to enter a new password while masking input.

yubioath-cli reset [OPTIONS]

Factory-reset the OATH applet, unsetting any access password and erasing
all stored credentials.

-f, --force

Do not prompt for confirmation before resetting.


Report bugs in the issue tracker (https://github.com/Yubico/yubioath-desktop/issues)