# LeakJar > LeakJar is a credential-exposure platform for engineering and security teams. > It does two things: (1) blocks breached passwords at signup, change, and > reset using privacy-preserving k-anonymity checks (you never send the > password or full hash), and (2) monitors your verified domains and alerts you > when your organization's credentials appear in new breach data, stealer logs, > or combolists. Built by SEWORKS. Aligned with NIST SP 800-63B. ## Quick facts - Company: SEWORKS (SEW INC), an offensive-security company founded by white-hat hackers in 2013. - Products: "Password Protect" (Breached Password API) and "Exposure Monitoring" (domain-scoped breach alerts). - Privacy model: k-anonymity (range-prefix). Only a 5-char SHA-1 prefix ever leaves your environment. - HIBP-compatible: existing Pwned Passwords clients work by swapping the base URL + adding a Bearer key. - Free tier: 10,000 password checks / month, no credit card. - Standards: aligned with NIST SP 800-63B compromised-password screening guidance. ## Site map - Home: https://www.leakjar.com/ - Password Protect (product): https://www.leakjar.com/products/password-protect - Exposure Monitoring (product): https://www.leakjar.com/products/exposure-monitoring - Solutions — ATO prevention: https://www.leakjar.com/solutions/ato-prevention - Solutions — Compliance: https://www.leakjar.com/solutions/compliance - Pricing: https://www.leakjar.com/pricing - Security & trust: https://www.leakjar.com/security - Documentation: https://www.leakjar.com/docs - Quickstart: https://www.leakjar.com/docs/quickstart - About / company: https://www.leakjar.com/company/about - Contact / sales: https://www.leakjar.com/contact - Get an API key (console): https://www.leakjar.com/dashboard ## API documentation - Range endpoint (privacy model): https://www.leakjar.com/docs/password-range-api - API overview: https://www.leakjar.com/docs/password-protect-api - Recommended policies: https://www.leakjar.com/docs/policies - Errors & limits: https://www.leakjar.com/docs/errors - Use with AI agents: https://www.leakjar.com/docs/use-with-ai ## Endpoint GET https://api.leakjar.com/v1/passwords/range/{prefix} - {prefix} = first 5 uppercase hex chars of SHA-1(password). Example: "5BAA6". - Header: Authorization: Bearer lj_... (create a key in the dashboard) - Response: Content-Type: text/plain. One match per line, "SUFFIX:COUNT". - SUFFIX = the remaining 35 uppercase hex chars of the SHA-1 hash. - COUNT = how many times that password appears in the breach corpus (prevalence signal). - Quota: each call counts against your monthly check quota. 429 quota_exceeded when exceeded (free tier is a hard cap). See RateLimit-* response headers. ## Integration steps 1. SHA-1 the password, uppercase hex. 2. prefix = hash[0:5], suffix = hash[5:]. 3. GET the endpoint above with the prefix and your Bearer key. 4. The password is breached if your suffix appears in the returned list (the COUNT after the ":" tells you how often). Compare locally — never send the full hash or password. 5. Act on a match with a policy (don't just return a boolean) — see "Policies" below. ## Policies (what to do on a breach) Recommended actions when a password is breached. Wire these into the real signup/login/reset handlers. Docs: https://www.leakjar.com/docs/policies - Block — reject the password; user must pick a different one. Default for signup + reset. - Step-up MFA — allow, but require a second factor. Good for login (don't hard-block returning users). - Force Reset — allow now, require a password reset before the next session. - Notify — log + alert security, no user impact. Good for phased rollout / low risk. Decision matrix (flow x COUNT severity): - Signup / Reset: Block at any COUNT >= 1. - Login: high (COUNT > 100) -> Step-up MFA; medium (10-100) -> Step-up MFA; low (1-9) -> Notify. - Background scan: high -> Force Reset; medium/low -> Notify. ## Error codes - 400 invalid_prefix — prefix is not 5 uppercase hex chars - 401 missing_bearer — Authorization header missing/malformed - 401 invalid_api_key — key invalid/expired/revoked - 403 missing_scope — key lacks the "bpd" scope - 429 quota_exceeded — monthly check quota exceeded (see Retry-After) - 502 upstream_error — backend lookup failed ## Example — curl # SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8 → prefix 5BAA6 curl -s \ -H "Authorization: Bearer $LEAKJAR_API_KEY" \ "https://api.leakjar.com/v1/passwords/range/5BAA6" # → text/plain, one "SUFFIX:COUNT" per line. Match your own suffix locally. ## Example — Node.js (drop-in helper) import { createHash } from "node:crypto"; export async function isBreachedPassword(password) { const hash = createHash("sha1").update(password, "utf8").digest("hex").toUpperCase(); const prefix = hash.slice(0, 5); const suffix = hash.slice(5); const res = await fetch( `https://api.leakjar.com/v1/passwords/range/${prefix}`, { headers: { Authorization: `Bearer ${process.env.LEAKJAR_API_KEY}` } }, ); if (!res.ok) throw new Error(`LeakJar ${res.status}`); for (const line of (await res.text()).split("\n")) { const [s, count] = line.split(":"); if (s === suffix) return { breached: true, count: Number(count) }; } return { breached: false, count: 0 }; } ## Example — Python (drop-in helper) import hashlib, os, requests def is_breached_password(password: str) -> tuple[bool, int]: digest = hashlib.sha1(password.encode()).hexdigest().upper() prefix, suffix = digest[:5], digest[5:] res = requests.get( f"https://api.leakjar.com/v1/passwords/range/{prefix}", headers={"Authorization": f"Bearer {os.environ['LEAKJAR_API_KEY']}"}, timeout=10, ) res.raise_for_status() hits = dict(line.split(":") for line in res.text.splitlines() if line) return (suffix in hits, int(hits.get(suffix, 0))) ## Notes for agents - Always call this from the server. Never ship the API key to a browser or mobile bundle. - There is no SDK to install — plain HTTPS + Bearer auth works from any language. - For the full reference, read https://www.leakjar.com/docs/password-range-api