YubiKey Context Variables
Context variables for Yubico OTP offline authentication
yubikey Context Variables
Backends populate these variables before the yubikey action runs. After successful authentication the action updates yubikey.counter and yubikey.session; persist them to prevent replay attacks.
| Variable | Type | Required | Description |
|---|---|---|---|
yubikey.secret | Binary (16 bytes) | Yes | AES-128 key for offline decryption. Must be stored as a BLOB, not hex text. |
yubikey.public | String (12-char modhex) | No | Expected public UID. Rejects OTPs from other tokens when set. |
yubikey.private | Integer (48-bit) | No | Expected private UID inside the encrypted payload. Second identity check. |
yubikey.counter | Integer (16-bit) | No | Last accepted usage (power-on) counter. Enables replay detection. |
yubikey.session | Integer (8-bit) | No | Last accepted session (button-press) counter within a power cycle. |
Related Documentation
yubikeyactionyubikeyHTTP backend - Delegate OTP validation to an external Yubico server- YubiKey Authentication article
About Radiator software development security
Architecture Overview
Backend Load Balancing
Basic Installation
Built-in Environment Variables
Comparison Operators
Configuration Editor
Configuration Import and Export
Data Types
Duration Units
Environment Variables
Execution Context
Execution Pipelines
Filters
Getting a Radiator License
Health check /live and /ready
High Availability and Load Balancing
High availability identifiers
HTTP Basic Authentication
Introduction
Linux systemd support
Local AAA Backends
Log storage and formatting
Management API privilege levels
Namespaces
Password Hashing
Pipeline Directives
Probabilistic Sampling
Prometheus scraping
PROXY Protocol Support
Radiator server health and boot up logic
Radiator sizing
Radiator software releases
Rate Limiting
Rate Limiting Algorithms
Reverse Dynamic Authorization
Service Level Objective
TACACS+ Authentication, Authorization, and Accounting
Template Rendering CLI
Tools radiator-client
TOTP/HOTP Authentication
What is Radiator?
YubiKey Authentication
YubiKey Context Variables
About Radiator software development security
Architecture Overview
Backend Load Balancing
Basic Installation
Built-in Environment Variables
Comparison Operators
Configuration Editor
Configuration Import and Export
Data Types
Duration Units
Environment Variables
Execution Context
Execution Pipelines
Filters
Getting a Radiator License
Health check /live and /ready
High Availability and Load Balancing
High availability identifiers
HTTP Basic Authentication
Introduction
Linux systemd support
Local AAA Backends
Log storage and formatting
Management API privilege levels
Namespaces
Password Hashing
Pipeline Directives
Probabilistic Sampling
Prometheus scraping
PROXY Protocol Support
Radiator server health and boot up logic
Radiator sizing
Radiator software releases
Rate Limiting
Rate Limiting Algorithms
Reverse Dynamic Authorization
Service Level Objective
TACACS+ Authentication, Authorization, and Accounting
Template Rendering CLI
Tools radiator-client
TOTP/HOTP Authentication
What is Radiator?
YubiKey Authentication
YubiKey Context Variables