Introduction

Yubico’s YubiKey Manager ykman CLI (command line interface) is an advanced cross-platform tool for managing and configuring YubiKeys. Interacting with ykman involves sending text-based commands through a terminal or command prompt. ykman uses Python 3.10 (or later) and supports features of the latest YubiKey firmware (5.7.4).

Important

YubiKey Manager GUI is end of life, as of February 19, 2026. It is no longer supported. For more details, see Yubico’s End-of-Life policy and the End-of-Life Products page.

For an alternative to the YubiKey Manager GUI, see the Yubico Authenticator application. Yubico Authenticator supports the latest YubiKey features and is available for desktop and mobile devices.

The YubiKey Manager (ykman) CLI remains available for command line tasks.

Note

The terms YubiKey Manager and ykman are used interchangeably. These terms were also used interchangeably between the GUI and CLI versions. Going forward these terms apply to the CLI version only.

Features

The ykman CLI is the premier tool for advanced management and configuration of all YubiKey applications (FIDO2, FIDO U2F, PIV, Yubico OTP, YubiHSM Auth, OpenPGP, OATH, Security Domain). Capabilities include:

• Importing and managing PIV certificates
• Running scripts
• Resetting YubiKey applications to their factory default states
• Displaying YubiKey information, including the serial number and firmware version
• Configuring a YubiKey’s Secure Channel Protocol keys (SCP03 and SCP11)
• Enabling and disabling USB and NFC interfaces
• Configuring an OTP application slot
• Managing a YubiKey’s configuration lock code
• Creating a FIDO2 PIN
• Executing APDU (application protocol data unit) commands.

Navigating this Guide

This guide contains the instructions for using the ykman CLI tool. The majority of this guide describes the ykman CLI commands, which are organized by YubiKey application. General YubiKey commands are listed in Base ykman Command.

Troubleshooting

If you attempt to use a CLI command and it fails, the cause could be due to one of the following factors:

• The CLI you are using is not the latest version
• Your YubiKey model does not support the feature
• Your YubiKey’s firmware does not include the feature

To verify if your CLI version supports a particular feature, check the ykman CLI Release Notes.

To check your YubiKey’s model and firmware version, use the ykman info command with the ykman CLI tool or visit the Home (desktop, Android) or Configuration (iOS, iPadOS) page in Yubico Authenticator.

Note

Yubico periodically updates the firmware to take advantage of features and capabilities introduced into the ecosystem. YubiKeys are programmed in Yubico’s facilities with the latest available firmware and once programmed cannot be updated to another version. The firmware cannot be altered or removed from a YubiKey.

See also, Yubico Support.