Password Protect API
The Breached Password Detection (BPD) API lets you check whether a password has appeared in known data breaches—without exposing the password to LeakJar or any third party.
How it works
LeakJar uses a hash-prefix model (also known as k-anonymity) to preserve user privacy. Instead of sending the full password hash, your application sends only the first 5 hex characters of the password's SHA-1 hash. There are 16^5 = 1,048,576 possible prefixes, so a prefix identifies nothing more than a bucket covering roughly one-millionth of the hash space. The API responds with every suffix in that bucket, and your application performs the comparison locally. SHA-1 serves here only as a lookup key for the range query; it is not suitable for storing passwords.
- Hash the password with SHA-1 on the client or server.
- Extract the first 5 hex characters (the prefix).
- Send the prefix to the LeakJar range endpoint.
- Receive a list of matching suffixes with exposure counts.
- Compare your full hash against the returned suffixes locally.
At no point does LeakJar see the full hash or the original password.
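The five steps above as a complete client, written for this page as an added example (it is not LeakJar's own SDK or code). It uses only the endpoint, header and response shape documented here; the API base URL is the one shown in the request example below, and the breached passwords, counts and the offline stand-in for the range endpoint are constructed so the script runs without network access or an API key.

```python
import hashlib
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# Endpoint from the documentation; the Bearer key is supplied by the caller.
RANGE_URL = "https://api.leakjar.com/api/demo/passwords/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Steps 1 and 2: SHA-1 the password, split into a 5-char prefix and 35-char suffix.

    Uppercase hex matches the casing in the documented examples; the comparison
    below is case-insensitive in case a server returns lowercase.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str, expected_prefix: str) -> Dict[str, int]:
    """Step 4: turn the documented JSON body into {suffix: count}.

    Rejects a body for a different prefix so a proxy or cache mix-up cannot
    silently turn every lookup into a miss.
    """
    data = json.loads(body)
    if str(data.get("prefix", "")).upper() != expected_prefix.upper():
        raise ValueError("response prefix %r does not match query %r"
                         % (data.get("prefix"), expected_prefix))
    table: Dict[str, int] = {}
    for entry in data["suffixes"]:
        suffix = str(entry["suffix"]).upper()
        if len(suffix) != 35:
            raise ValueError("malformed suffix %r" % suffix)
        table[suffix] = int(entry["count"])
    return table


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Steps 3 and 5: fetch the bucket for our prefix and match the suffix locally.

    Returns the breach count, or 0 if the password was not found.
    Only `prefix` is passed to fetch_range; the full hash never leaves this function.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    suffixes = parse_range_response(fetch_range(prefix), prefix)
    return suffixes.get(suffix, 0)


def leakjar_fetch_range(api_key: str) -> Callable[[str], str]:
    """Build a fetcher for the live endpoint with Bearer auth and 429 handling."""
    def fetch(prefix: str) -> str:
        req = urllib.request.Request(
            RANGE_URL + prefix,
            headers={"Authorization": "Bearer " + api_key, "Accept": "application/json"},
        )
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.read().decode("utf-8")
        except urllib.error.HTTPError as err:
            if err.code == 429:
                # Rate limited: surface the documented Retry-After hint to the caller.
                raise RuntimeError("rate limited; Retry-After=%s"
                                   % err.headers.get("Retry-After"))
            raise
    return fetch


# Constructed offline stand-in for the range endpoint. The passwords and
# counts are made up for this example and are not LeakJar data.
_CONSTRUCTED_BREACHED = {"password123": 3861493, "letmein": 12}


def offline_fetch_range(prefix: str) -> str:
    """Return a documented-shape JSON body holding only suffixes in `prefix`'s bucket."""
    entries: List[dict] = []
    for pw, count in _CONSTRUCTED_BREACHED.items():
        p, s = sha1_prefix_suffix(pw)
        if p == prefix.upper():
            entries.append({"suffix": s, "count": count})
    return json.dumps({"prefix": prefix.upper(), "suffixes": entries})


if __name__ == "__main__":
    for candidate in ("password123", "letmein", "a-long-passphrase-nobody-has-used-4f2e"):
        print(candidate, "->", breach_count(candidate, offline_fetch_range))
    # Live lookup: breach_count("password123", leakjar_fetch_range("YOUR_API_KEY"))
```

The fetcher is injected so the same matching logic runs against the constructed data or the live API; swap in `leakjar_fetch_range("YOUR_API_KEY")` to query LeakJar. Treat a non-zero count as "reject or force a reset", and never log the full hash or the password alongside the prefix you sent.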
Authentication
All API requests require a valid API key passed in the Authorization header as a Bearer token.
Authorization: Bearer YOUR_API_KEY
Endpoints
/api/demo/passwords/range/{prefix}
Returns all hash suffixes matching the given 5-character SHA-1 prefix, along with the number of times each has appeared in known breaches.
Path parameters
prefix (string): the first 5 hex characters of the password's SHA-1 hash, for example CBFDA.
Request example
curl -s \
-H "Authorization: Bearer YOUR_API_KEY" \
"https://api.leakjar.com/api/demo/passwords/range/CBFDA"
Response format
{
"prefix": "CBFDA",
"suffixes": [
{
"suffix": "C09E6A76B2639DE8CF63D6B4C3EBEBD4A96",
"count": 3861493
},
{
"suffix": "D9B2A1F4E7C3A2B1D8E5F6A7B8C9D0E1F23",
"count": 12
},
{
"suffix": "A1B2C3D4E5F6A7B8C9D0E1F2A3B4C5D6E78",
"count": 1
}
]
}
prefix — the 5-character hash prefix you queried.
suffixes[].suffix — the remaining characters of each matching SHA-1 hash.
suffixes[].count — how many times this password has been seen in breaches.
Rate limits
To ensure fair usage and system stability, the API enforces the following rate limits:
When you exceed the rate limit, the API returns a 429 Too Many Requests response with a Retry-After header indicating when you can retry.