Password Protect API
Screen breached passwords without ever seeing one.
Check every password against billions of known-compromised credentials at signup, change, and reset. k-anonymity keeps the password on your servers — even from us.
Capabilities
Built for production authentication flows
Privacy-Preserving by Design
k-Anonymity range queries mean you never send the full password hash — only a 5-char prefix. We never store or log passwords or hashes; the prefix is processed in memory only. We cannot reconstruct or identify the original credential.
Configurable Policy Outcomes
Match signals are yours to act on. Block the password outright, require step-up verification, force a reset, or silently notify your security team.
Low-Latency, High-Throughput
p95 response times under 50ms. Designed to sit in the critical path of signup and authentication flows without adding perceptible delay.
Where it fits
Screen at every critical moment
Integrate breach checks wherever passwords are set or changed in your application.
Signup
Prevent users from registering with passwords already known to be compromised. Catch the risk before an account is ever created.
Password Change
Screen new passwords during voluntary changes. Ensure users aren't rotating into another compromised credential.
Password Reset
Enforce breach checks during reset flows. Especially critical after an incident or as part of a forced rotation campaign.
Policy outcomes
Your policy, your rules
LeakJar detects the risk. You decide the response. Configure policy outcomes per project, per flow, or per risk level.
Block
Reject the password immediately. The user must choose a credential that has not appeared in known breaches.
Step-Up (MFA)
Allow the password but require an additional verification factor. Balances security with user experience.
Force Reset
Accept the password now but mark the account for a mandatory reset within a defined time window.
Notify
Log the match and alert the user or security team without blocking access. Useful during rollout and monitoring phases.
Frequently asked questions
Ready to screen breached passwords?
Get up and running in minutes with our step-by-step quickstart guide.