API: Best Practices and FAQs

The following best practices are specific to the YubiEnterprise Delivery API. For general best practices, troubleshooting and FAQs for the YubiEnterprise Console, see Best Practices and Troubleshooting and General FAQs.

Controlling Access to your Accounts

API tokens are used by API caller accounts for authentication when integrating applications with the YubiEnterprise Delivery service.

  • Protect access to the API token, because whoever is in possession of the token is authorized to perform API operations for your organization.
  • Accounts that use machine tokens should have the Admin role, not the Owner role. This reduces the risk if the token is compromised, since the token has only the permissions associated with its role.
  • The fact that API tokens can easily be issued and revoked helps to assure the security of accounts that use machine tokens.
  • To handle machine token expiry, we recommend using the API (/auth/machine-token) to renew the API token. Ideally, logic should be put in to renew by calling the API to get a new token before the existing one expires.
  • If a user is removed from an organization and has a token in that organization, the token is revoked. If a user is suspended, all tokens are revoked. The tokens are left untouched if the user is reset or the password is reset.
  • Before an API token expires, the system generates and sends a notification to the associated email address. The email notifies that the token will expire in 7 days/1day and will not be accepted by our system after that.

Managing API Tokens

The following section describes how to create and delete API tokens, and regenerate them before they expire.

Generating API Tokens

  1. In the Console, click the organization name in the top left corner.
  1. Select Generate API token. The Manage API token dialog appears showing the generated API token.
  2. Make a copy of the token and store it in a secure location. The token is shown only at this time, if you navigate away from the dialog you will no longer be able to view it.
  3. Click I have saved my token to close the dialog.


The API token is tied to an account AND an organization. If a token does not exist for an account/organization, the menu option under the organization name will be Generate API token. If a token exists for an account/organization, the option will be Manage API token.

Notification of API Token Expiry

API tokens expire one year after generation. Since a user (API caller) can have only one API token at a time, you must have a plan to roll-over to a new API token before the old one expires.

The system automatically emails notification that the API token will expire:

  • 7 days beforehand
  • 1 day beforehand
  • On the day of expiry

The notification is emailed to:

  • The user (holder) of the API token
  • The Console Owner (account owner, in cc)

For more information about user roles, see Roles and Permissions.


API tokens are only valid for one year at the time. Generating a new API token can be done at any time, and the generation of a new token will invalidate the old one. Tokens are bound to a user within an organization. If an application is using an API token generated by user A, then user B generating a new API token will not revoke the token generated by user A.

Revoking and Deleting API Tokens

An account can have 0 or 1 API access (machine) tokens. Once you have a token, it must be revoked and deleted before you can get a new one - even if the old one has expired.

  • From the API: The GET /auth/machine-token request revokes any existing tokens and creates a new machine token. Note that this could cause outages since GET in this instance is not a safe idempotent operation.
  • From the Console: While logged in to the Console as the user with the relevant API token, click the organization name and select Manage API token. Click Revoke and delete active API token. Once you revoke and delete the old token, the button to generate a new token appears.

Deprecated APIs

Deprecated APIs are not maintained and will eventually be removed. Ensure that your implementation is not using a deprecated version of the API. For information, see Deprecated APIs: Overview.


Q. Who should use the API?

  1. Customers of YubiEnterprise Delivery.

Q. Does Yubico charge for API calls?

  1. No.

Q. How do I get access to the API?

  1. Get login credentials from the YubiEnterprise Delivery account owner in your organization, and see Onboarding Workflow.

Q. How should I set up an account to call the API?

  1. After you have been given a YubiEnterprise Delivery account, follow the instructions in API Onboarding Playbook.

Q. How do I test the API?

  1. In the API Onboarding Playbook in the current guide, see YubiEnterprise Delivery Self-Service Web Portal and API: ServiceNow Integrations.

Q. How do I revoke an API token?

  1. See Revoking and Deleting API Tokens above.

Q. Where do I go if I need help?

  1. Get help now from our support team: to file a support ticket for YubiEnterprise Delivery, click Support, or reach out to the customer success representative who was assigned to your company.

Q. Can I get notification of YubiEnterprise Delivery API changes?

  1. Subscribe to the Yubico Developer Program mailing list. Go to https://www.yubico.com/why-yubico/for-developers/developer-program/. Although this page looks as if it is just for a coupon, it is actually the sign-up page for the mailing list.

Q. Does the country code look-up API return the countries to which Yubico can ship, or does it return all countries in the world?

  1. It returns all the countries in the world. Currently we can ship only to the countries named in Delivery Policies.

Q. Do I need to validate addresses via the API prior to submitting them?

  1. “Pre-qualifying” the address does not eliminate the address validation step. Every shipping request is sent for address validation. Status is updated when address validation is complete. Once the request reaches the “Accepted for Fulfillment” status, it has passed the address validation phase. If the status is “Incomplete Address”, edit or delete the request. See Reviewing Incompletes.

To file a support ticket for YubiEnterprise Delivery, click Support.