Introduction

Yubico’s ykman CLI (command line interface) is an advanced cross-platform tool for managing and configuring YubiKeys. Interacting with ykman involves sending text-based commands through a terminal or command prompt. ykman uses Python 3.8 (or later) and supports features of the latest YubiKey firmware (5.7+).

The YubiKey Manager GUI (graphical user interface) application is the visual interface version of YubiKey Manager. Interacting with the GUI involves clicking through intuitive screens and buttons of a desktop application. While the GUI application and CLI tool share some YubiKey configuration abilities, the CLI provides more options, advanced configuration abilities, and up-to-date features.

Important

End-of-Life (EOL) for the YubiKey Manager GUI was announced on February 19, 2025 and will commence on February 19, 2026. The YubiKey Manager GUI will not be supported by Yubico following the EOL date. For more details, see Yubico’s End-of-Life policy and the End-of-Life Products page.

For an alternative to the YubiKey Manager GUI, see the Yubico Authenticator application. Yubico Authenticator supports the latest YubiKey features and is available for desktop and mobile devices.

Features

The ykman CLI is the premier tool for advanced management and configuration of all YubiKey applications (FIDO2, FIDO U2F, PIV, Yubico OTP, YubiHSM Auth, OpenPGP, OATH, Security Domain). Capabilities include:

• Importing and managing PIV certificates
• Running scripts
• Resetting YubiKey applications to their factory default states
• Displaying YubiKey information, including the serial number and firmware version
• Configuring a YubiKey’s Secure Channel Protocol keys (SCP03 and SCP11)
• Enabling and disabling USB and NFC interfaces
• Configuring an OTP application slot
• Managing a YubiKey’s configuration lock code
• Creating a FIDO2 PIN
• Executing APDUs

Navigating this Guide

This guide contains the instructions for using both YubiKey Manager GUI and ykman CLI. For common GUI tasks, see Using the YubiKey Manager GUI in this guide. For CLI commands, see the balance of this guide. The commands are organized by protocol. CLIs that do not relate specifically to a particular protocol are listed in Base Commands.

Troubleshooting

If you attempt to use a CLI/GUI command and it fails, the cause could be due to one of the following factors:

• The CLI/GUI you are using is not the latest version
• Your YubiKey model does not support the feature
• Your YubiKey’s firmware does not include the feature

To verify if your CLI/GUI version supports a particular feature, check the release notes:

• ykman CLI Release Notes
• YubiKey Manager GUI Release Notes

To check your YubiKey’s model and firmware version, use the ykman info command with the ykman CLI tool or visit the Home (desktop, Android) or Configuration (iOS, iPadOS) page in Yubico Authenticator.

Note

Yubico periodically updates the firmware to take advantage of features and capabilities introduced into the ecosystem. YubiKeys are programmed in Yubico’s facilities with the latest available firmware and once programmed cannot be updated to another version. The firmware cannot be altered or removed from a YubiKey.

---

Click for Yubico Support.