Breached Password API
The Breached Password API lets you check whether a password has appeared in known data breaches—without exposing the password to LeakJar or any third party. It powers the Password Protect product.
How it works
LeakJar uses a hash-prefix model (also known as k-anonymity) to preserve user privacy. Instead of sending the full password hash, your application sends only the first 5 characters of the SHA-1 hash. The API responds with all suffixes matching that prefix, and your application performs the comparison locally.
- Hash the password with SHA-1 on the client or server.
- Extract the first 5 hex characters (the prefix).
- Send the prefix to the LeakJar range endpoint.
- Receive a list of matching suffixes with exposure counts.
- Compare your full hash against the returned suffixes locally.
At no point does LeakJar see the full hash or the original password.
We never store or log your passwords.
Only the 5-character hash prefix leaves your environment. We never receive, store, or log full password hashes or plaintext passwords — the prefix is processed in memory to return the matching range and is never persisted. This is the same privacy guarantee that makes k-anonymity safe to run on your signup and reset flows.
Authentication
All API requests require a valid API key passed in the Authorization header as a Bearer token.
Authorization: Bearer lj_...
Endpoints
/v1/passwords/range/{prefix}
Returns all hash suffixes matching the given 5-character SHA-1 prefix, along with the number of times each has appeared in known breaches. See the range endpoint reference for the full request/response walkthrough.
Path parameters
prefix — the first 5 hexadecimal characters of the password's SHA-1 hash.
Request example
curl -s \
  -H "Authorization: Bearer lj_..." \
  "https://api.leakjar.com/v1/passwords/range/CBFDA"
Response format
Content-Type: text/plain — one match per line in SUFFIX:COUNT format (the same shape as HIBP’s Pwned Passwords). Match your own suffix against the list locally.
C09E6A76B2639DE8CF63D6B4C3EBEBD4A96:3861493
D9B2A1F4E7C3A2B1D8E5F6A7B8C9D0E1F23:12
A1B2C3D4E5F6A7B8C9D0E1F2A3B4C5D6E78:1
SUFFIX — the remaining characters of each matching SHA-1 hash (the full hash minus the 5-character prefix you queried).
COUNT — how many times this password has been seen in breaches.
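A complete client for the flow above, written as an added example (not LeakJar's own SDK): hash locally, send only the 5-character prefix with the Bearer token, parse the SUFFIX:COUNT body, and compare the suffix locally. The function and variable names are this example's own; the sample response is constructed from the documented example lines plus the suffix of "password" so the matching logic runs offline.

```python
import hashlib
import urllib.error
import urllib.request

RANGE_URL = "https://api.leakjar.com/v1/passwords/range/"  # endpoint from the docs

def split_hash(password: str) -> tuple[str, str]:
    # Upper-case hex SHA-1, split into the 5-char prefix (sent) and 35-char suffix (kept local).
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body: str) -> dict[str, int]:
    # text/plain body, one SUFFIX:COUNT per line; malformed lines are skipped, not trusted.
    matches: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and suffix and count.isdigit():
            matches[suffix.upper()] = int(count)
    return matches

def exposure_count(suffix: str, matches: dict[str, int]) -> int:
    # The comparison happens here, locally; 0 means the hash was not in the range.
    return matches.get(suffix.upper(), 0)

def fetch_range(prefix: str, api_key: str, timeout: float = 5.0) -> str:
    # Only the prefix goes on the wire, with the Bearer token from the Authentication section.
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"Authorization": f"Bearer {api_key}"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        if err.code == 429:  # rate limited: surface Retry-After so the caller can back off
            raise RuntimeError(f"rate limited, retry after {err.headers.get('Retry-After')}s")
        raise

def check_password(password: str, api_key: str) -> int:
    prefix, suffix = split_hash(password)
    return exposure_count(suffix, parse_range(fetch_range(prefix, api_key)))

# Constructed sample response for offline use: the documented example lines plus the
# suffix of "password" with a made-up count, so the local match can be exercised.
SAMPLE_RESPONSE = (
    "C09E6A76B2639DE8CF63D6B4C3EBEBD4A96:3861493\n"
    f"{split_hash('password')[1]}:12\n"
    "A1B2C3D4E5F6A7B8C9D0E1F2A3B4C5D6E78:1\n"
)

def check_password_offline(password: str) -> int:
    # Same flow as check_password, but against SAMPLE_RESPONSE instead of the live API.
    return exposure_count(split_hash(password)[1], parse_range(SAMPLE_RESPONSE))
```

A non-zero return value means the password should be rejected on signup or reset; the full hash and plaintext never leave the process.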
Rate limits
To ensure fair usage and system stability, the API enforces the following rate limits:
When you exceed the rate limit, the API returns a 429 Too Many Requests response with a Retry-After header indicating when you can retry.