About the API

The data is brought to you by ‎Troy Hunt over at Have I Been Pwned.

The API has been specifically designed to be easy to use! It requires no authentication, secret keys or anything else that would get in the way.

A sample use case for the API, is testing, during the signup process, whether a user's password has previously been leaked, and take appropriate actions based on the result of the API query.

A sample test might look something like this:

$.getJSON("https://leakedpassword.com/api/?p=1234", function(data) {
    if (data['password']['leak'] == true) {
        // Alert the user to leaked password
    } else {
        // Continue signup process


Since the API draws on data from Have I Been Pwned, the acceptable use guidelines must be adhered to. Among the things not allow are:

  • Querying the data for purposes that are intended to cause harm to the victims of data breaches
  • Prolonged and aggressive querying of the service such that it impacts availability or costs
  • Anything deliberately intended to limit service availability such as denial of service attacks
  • Deliberate attempts to circumvent the rate limit or abuse other measures design to ensure acceptable use
  • Not properly identifying the user agent such that it accurately describes the consumer of the API
  • Misrepresenting the consuming client by impersonating other user agents in an attempt to obfuscate API requests
  • Other services designed to fraudulently represent the Have I Been Pwned name or brand
  • Misrepresenting the source of the data as originating from somewhere other than Have I Been Pwned
  • Not adhering to the Creative Commons Attribution License as described below
  • Automating the consumption of other APIs not explicitly documented on this page
  • Using the service in a fashion that brings Have I Been Pwned into disrepute

You can read more about the use here: Acceptable use by Have I Been Pwned.