Skip to content

One api.yubico.com; One HTTP GET

2021-04-15

A year ago, we moved all YubiOTP validation API servers behind one common api.yubico.com endpoint, introducing a modernized, cloud-based, YubiOTP validation service to improve reliability and scalability. As a result, customers no longer need to call multiple endpoints; instead, we recommend  implementing Yubico OTP support in applications using an HTTP GET request to api.yubico.com.

In order to direct YubiCloud clients to the closest location, domain names pointing to the new service are geolocated to the closest endpoint to the requestor. If you have not done so already, we recommend configuring your clients to point to our servers via the api.yubico.com domain name.

Refer to this status post from 2019 to ensure you have updated your configurations: https://status.yubico.com/2019/11/21/2019-11-21-yubicloud-service-upgrade/

The Yubico legacy client libraries in PHP, C, .NET, Perl, and Java on Github will be archived; they will not be updated to call the new endpoint. Their main benefit was to abstract the calling of multiple YubiCloud endpoints from client applications. This is no longer necessary and actually makes resulting client applications use the backwards-compatible legacy interface for YubiCloud, which is a sub-optimal solution for our customers.
By implementing the one HTTP GET call directly in client applications, customers no longer need to take a dependency on a 3rd party library in their solutions.

How to generate and verify signatures and how to construct an HTTP GET call to verify OTPs and what responses you need to handle is outlined in the Yubico OTP Validation Protocol Version 2.0 that can be found on https://developers.yubico.com/OTP/Specifications/OTP_validation_protocol.html  
For more recent (and older) status.yubico.com updates, please scroll through https://status.yubico.com/

api.yubico.com unscheduled downtime

2020-12-22

On Wednesday, November 25, 2020, starting at about 15:00 UTC Yubico became aware of an issue servicing api.yubico.com requests which were routed to YubiCloud’s US-East data center.  At peak, about 2.5% of requests were receiving error responses.  By 17:00 UTC, error rates had fallen to < 0.5% with complete resolution by 19:00 UTC.  Only requests sent to the US-East data center were affected; all other data centers were operating normally.  A retry of a failed request should have been successful.


The underlying cause was a prolonged outage of services in AWS’s US-East1 region.  AWS is YubiCloud’s Cloud Platform provider.  More information on the AWS outage can be found here.  


We apologize for any inconvenience the disruption of YubiCloud’s service may have caused.  Steps are being taken to mitigate the effects of such outages upon our customers in the future.

Postponement of decommissioning

2020-03-20

Yubico has introduced a new global endpoint supporting our YubiOTP service based on the AWS platform. Most of our customers have already migrated to the new service. As a result of having some customers still using the legacy endpoints, we have decided to move the decommissioning date of the old service from March 23 to April 14, 2020.

For more details of the change, see https://status.yubico.com/2020/02/25/decommissioning-old-yubiotp-api-validation-servers/.

Decommissioning old YubiOTP API validation servers

2020-02-25

On March 23, 2020 Yubico will be decommissioning the old YubiOTP API validation servers. This is the final step of an ongoing initiative to improve reliability and scalability of the YubiOTP validation service.  If you are hardcoding the IP address of any of the API servers, then you will see responses indicating that they have been decommissioned.

These responses will look like:

status=DECOMMISSIONED
message=See https://status.yubico.com/

To ensure that you are not adversely impacted, please follow the instructions at https://status.yubico.com/2019/11/21/2019-11-21-yubicloud-service-upgrade/.

[2020-02-03] api.yubico.com service upgrade

2020-01-29

On February 3, 2020 at 23:00 UTC, we will be moving the api.yubico.com domain name to point to the modernized, cloud-based YubiOTP validation service.

This is the final domain name to be changed as part of the ongoing YubiCloud upgrades.

To ensure that you are not disrupted by this change, we recommend taking the actions listed in our previous update.

[2019-11-21] YubiCloud service upgrade

2019-11-21

On 12th November 2019, one of the YubiOTP validation API servers, api5.yubico.com, was replaced by a modernized, cloud-based YubiOTP validation service to improve reliability and scalability of the existing service. We will gradually be moving all existing domain names (api.yubico.com, api2.yubico.com, api3.yubico.com, and api4yubico.com) to point to the new service. The current (v2) YubiOTP API contract has not changed as part of this gradual upgrade.

In order to direct YubiCloud clients to the closest location, domain names pointing to the new service are geolocated to the closest endpoint to the requestor. If you have not done so already we recommend configuring your clients to point to our servers via a domain name.

To ensure that you are not disrupted by this and further planned upgrades we recommend the following actions:

  • If you have hardcoded the CA or certificate fingerprint that you use to validate the YubiOTP API servers’ identities you will need to update the hardcoded information.
  • If you have hardcoded the IP address you will need to use DNS instead. We will no longer allocate static IP addresses and will not be able to provide a list of stable addresses.
  • SNI is required as part of TLS negotiation due to the edge routing layer of our new infrastructure. For example, if you are using nginx as a forward proxy to connect to the YubiOTP validation API you may need to enable the proxy_ssl_server_name option.
  • The third-party open-source Python client library yubico-client (PyPI, GitHub) must be upgraded to version 1.12.0 or newer. Previous versions had an issue where a TLS failure on one request could be interpreted as a verification failure for the OTP itself.

Planned Changes during YubiCloud upgrade

DateAffected Server(s)Changes
12th November, 2019 (completed)api5.yubico.comDNS-based routing and non-static IP address
New TLS certificate requiring SNI
3rd December, 2019api2.yubico.comDNS-based routing and non-static IP address
New TLS certificate requiring SNI
January, 2020api3.yubico.com
api4.yubico.com
DNS-based routing and non-static IP address
New TLS certificate requiring SNI
Q1, 2020api.yubico.comDNS-based routing and non-static IP address
New TLS certificate requiring SNI

api.yubico.com TLS certificate renewed

2019-07-24

As mentioned earlier in this post, the TLS certificate for api.yubico.com has been renewed today, Jul 24th, 2019.

If you have pinned the CA or certificate fingerprint (not recommended), you will need to update your configuration.

[2019-07-24] api.yubico.com TLS certificate renewal

2019-07-11

On Wednesday 24th July 2019, we will renew the TLS certificate for api.yubico.com

No service interruption is expected. If you have pinned the CA or certificate fingerprint (not recommended), you will need to update your hard coded information.

We will write a new post once the renewal has taken place.

Maintenance on upgrade.yubico.com

2019-05-17

On Monday, May 27th, 2019 we will perform maintenance on upgrade.yubico.com.

The service will be unavailable between 10:30 and 12:30 UTC.

Maintenance on upload.yubico.com

2019-04-11

On Monday, April 15th, 2019 we will perform maintenance on upload.yubico.com.

The service will be unavailable between 11:00 and 13:00 UTC.