POST /v1/breach/check

Password Breach Check API - Free Have I Been Pwned Lookup

Hashes the password with SHA-1, sends only the first 5 hex characters of the digest to the Have I Been Pwned Pwned Passwords range API, and compares the remaining 35 characters locally against the suffixes returned for that prefix. The full password and full hash are never transmitted to Have I Been Pwned (the password itself is sent to Botoi over HTTPS; see the FAQ). Returns whether the password is breached, how many times it appeared, and a recommendation.

Parameters

password (string, required)

The password to check against known breaches.

Code examples

curl -X POST https://api.botoi.com/v1/breach/check \
  -H "Content-Type: application/json" \
  -d '{"password":"P@ssw0rd123"}'

When to use this API

Enforce breach-aware password policies at signup

Check passwords against known breaches during account creation. Reject passwords that appear in breach databases and prompt users to choose a stronger alternative. Reduces credential stuffing risk.

Audit existing user passwords in bulk

Check passwords against the breach database in bulk and flag affected accounts for mandatory password resets. Run this as a scheduled job after major breach disclosures. The check needs the plaintext (or its SHA-1): a correctly stored password hash (bcrypt, scrypt, Argon2) cannot be converted to SHA-1, so in practice the audit runs at the moment a user authenticates, when the plaintext is briefly available, rather than over the password store itself.

Add breach warnings to password change flows

When users update their password, check the new password in real time. Show a warning with the breach count if the password is compromised. Let users proceed but make the risk visible.

Frequently asked questions

Is my password sent to the server?
Your password is sent to the Botoi API over HTTPS, where it is hashed with SHA-1 in memory. Only the first 5 characters of the hash are sent to the Have I Been Pwned service. The full password and full hash never leave the Botoi server. The k-anonymity protection therefore applies between Botoi and Have I Been Pwned, not between you and Botoi: if your threat model does not allow a third party to see plaintext passwords, perform the SHA-1 and the prefix query from your own backend instead.
What is k-Anonymity?
k-Anonymity here means that only a 5-character prefix of the SHA-1 hash is sent to the breach database. The database returns every suffix it holds for that prefix, together with each suffix's breach count, and the comparison against your full hash happens locally. The breach database therefore never learns which specific hash you are checking, only that it shares a prefix with every other hash in that range.
How many breaches does this check against?
The endpoint queries the Have I Been Pwned Pwned Passwords database, which contains over 900 million breached passwords collected from hundreds of data breaches.
Does a breach_count of 0 mean the password is safe?
It means the password has not appeared in known breach databases. It does not guarantee the password is strong. A unique but simple password (like "MyDog2026") may pass this check but still be guessable.
Can I check multiple passwords at once?
Not in a single request. Each check requires a separate API call. For bulk audits, send requests in parallel with appropriate rate limiting.
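The k-anonymity lookup the FAQ describes, together with the signup and password-change policies from the "When to use" section, as an added example (this is not Botoi's code and is not part of the original page). It hashes locally, sends only the 5-character prefix, matches the 35-character suffix against the returned range, and records every prefix it sent so a test can confirm that nothing longer left the client. The range body, its counts and the other suffixes are constructed for this example (only the first suffix is the genuine SHA-1 suffix of "password"); the `KAnonymityChecker`, `decide` and `flow` names are this example's own. `hibp_fetch_range` targets the public Pwned Passwords endpoint and needs network access; the rest runs offline.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, List, Tuple

# Constructed stand-in for the Pwned Passwords range response for prefix 5BAA6
# (the prefix of SHA-1("password")). A real response lists every 35-hex-char
# SHA-1 suffix seen with that prefix, one "SUFFIX:COUNT" per line. The first
# suffix below is the genuine suffix of SHA-1("password"); its count and the
# remaining rows are made up for this example. The zero-count row imitates the
# padding rows HIBP adds when the Add-Padding header is sent.
CONSTRUCTED_RANGE_5BAA6 = "\n".join([
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234",
    "00E6D2A2D5A4AC0B3B2CF1C87B3F6D5A0B2:3",
    "0FB5A2C1D43E7A6B9C2D1E0F7A8B9C0D1E2:0",
])


def constructed_fetch_range(prefix: str) -> str:
    """Offline transport for this example: serves the constructed data above."""
    return CONSTRUCTED_RANGE_5BAA6 if prefix == "5BAA6" else ""


def hibp_fetch_range(prefix: str) -> str:
    """Real transport: GET https://api.pwnedpasswords.com/range/{prefix}.
    Add-Padding asks HIBP to include dummy zero-count rows so the response
    size does not reveal how many real suffixes share the prefix."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "breach-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def split_sha1(password: str) -> Tuple[str, str]:
    """Uppercase SHA-1 hex digest (the form HIBP publishes), split into the
    5-char prefix that is sent and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse "SUFFIX:COUNT" lines; zero-count rows are padding, not breaches."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


class KAnonymityChecker:
    def __init__(self, fetch_range: Callable[[str], str]):
        self.fetch_range = fetch_range
        self.prefixes_sent: List[str] = []   # audit trail of what left the client

    def breach_count(self, password: str) -> int:
        prefix, suffix = split_sha1(password)
        self.prefixes_sent.append(prefix)    # only the prefix goes over the wire
        return parse_range(self.fetch_range(prefix)).get(suffix, 0)

    def decide(self, password: str, flow: str) -> dict:
        """Policy from the page: reject breached passwords at signup, warn but
        allow on password change. A count of 0 only means "not in the corpus";
        it is not a strength check."""
        if flow not in ("signup", "change"):
            raise ValueError(f"unknown flow: {flow}")
        count = self.breach_count(password)
        if count == 0:
            action = "accept"
        elif flow == "signup":
            action = "reject"
        else:
            action = "warn"
        return {"breached": count > 0, "breach_count": count, "action": action}


if __name__ == "__main__":
    checker = KAnonymityChecker(constructed_fetch_range)
    print(checker.decide("password", "signup"))    # breached, rejected
    print(checker.decide("password", "change"))    # breached, warned
    print(checker.decide("MyDog2026", "signup"))   # not in corpus, accepted
    print("prefixes sent:", checker.prefixes_sent)
```

To query the real service from your own backend, construct the checker with `hibp_fetch_range` instead; the lookup logic is unchanged and `prefixes_sent` still shows that only 5 characters ever leave the process.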

Get your API key

Free tier includes 5 requests per minute with no credit card required. Upgrade for higher limits.