Pwned Passwords

Free, unauthenticated k-anonymity API for checking whether a password's SHA-1 (or NTLM) hash appears in the HIBP credential corpus. Funded by Cloudflare; no API key required.

OpenAPI Specification

pwned-passwords-openapi.yml
openapi: 3.0.3
info:
  title: Pwned Passwords API
  description: |
    Pwned Passwords is a free k-anonymity-based lookup service that exposes whether a password
    appears in any of the public credential corpora ingested by Have I Been Pwned. Clients
    submit the first five characters of the SHA-1 (or NTLM) hash of a password and receive
    a list of matching hash suffixes with their breach counts. No authentication is required.
  version: "2.0.0"
  contact:
    name: Pwned Passwords
    url: https://haveibeenpwned.com/API/v3#PwnedPasswords
  license:
    name: Creative Commons Attribution 4.0
    url: https://creativecommons.org/licenses/by/4.0/
servers:
  - url: https://api.pwnedpasswords.com
    description: Pwned Passwords k-anonymity API
tags:
  - name: Range Search
    description: K-anonymity range search for password hashes.
paths:
  /range/{hashPrefix}:
    get:
      tags: [Range Search]
      summary: Search By Hash Range
      description: |
        Returns suffixes of all SHA-1 (or NTLM) hashes that begin with the supplied 5-character
        prefix, alongside the number of times each hash was observed in breaches.
      operationId: searchPasswordRange
      parameters:
        - name: hashPrefix
          in: path
          required: true
          description: First 5 characters of the SHA-1 (or NTLM) password hash, uppercase hex.
          schema:
            type: string
            pattern: '^[A-F0-9]{5}$'
        - name: mode
          in: query
          required: false
          description: Hash algorithm. Default is SHA-1; set `ntlm` for NTLM hashes.
          schema:
            type: string
            enum: [sha1, ntlm]
            default: sha1
        - name: Add-Padding
          in: header
          required: false
          description: When `true`, the response is padded to 800-1,000 entries to mask the response size.
          schema:
            type: boolean
      responses:
        '200':
          description: |
            A newline-separated list of `HASHSUFFIX:COUNT` entries. The endpoint always returns
            200; absence of the queried suffix indicates the password is not known to HIBP.
          content:
            text/plain:
              schema:
                type: string
                example: |
                  0018A45C4D1DEF81644B54AB7F969B88D65:1
                  00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
components: {}
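A minimal client for the range search the spec describes, added here as an example (not code from the HIBP project): it splits the uppercase SHA-1 into the 5-character prefix that goes on the wire and the 35-character suffix that stays local, sets the `Add-Padding` header, and parses the `HASHSUFFIX:COUNT` body, dropping padding entries, against a constructed sample so it runs offline. NTLM mode is left out because MD4 is not reliably available in Python's hashlib.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # server + path from the spec


def split_sha1(password: str):
    """SHA-1 the password and split the uppercase hex digest into the 5-char
    prefix that is sent to the API and the 35-char suffix that never leaves
    the client (this is the k-anonymity property)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict:
    """Parse the text/plain `HASHSUFFIX:COUNT` lines into {suffix: count}.
    Malformed lines are skipped; entries with count 0 are padding (HIBP
    documents padded entries as carrying a count of 0) and are dropped."""
    matches = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep != ":" or len(suffix) != 35 or not count.isdigit():
            continue
        if int(count) > 0:
            matches[suffix.upper()] = int(count)
    return matches


def fetch_range(prefix: str, padding: bool = True) -> str:
    """GET /range/{prefix}; Add-Padding asks the server to mask response size."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true" if padding else "false"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch=fetch_range) -> int:
    """Times the password was seen in breaches, 0 if unknown to HIBP.
    `fetch` is injectable so the parsing logic can be exercised offline."""
    prefix, suffix = split_sha1(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


# Constructed offline sample for prefix 5BAA6 (SHA-1 of "password"); the
# counts are made up, and the last line imitates a padding entry.
SAMPLE_5BAA6 = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
    "A" * 35 + ":0",
])

if __name__ == "__main__":
    print(breach_count("password", fetch=lambda prefix: SAMPLE_5BAA6))  # 3861493
```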