Aligned with NIST SP 800-63B

Keep stolen passwords out of your app

Billions of passwords already sit in breach dumps. When a user signs up or resets with one, you inherit the risk. LeakJar checks every password against known breaches in real time — and never sees the password itself.

No plaintext passwords required

GET/v1/passwords/range/5BAA6200 OK

# SUFFIX:COUNT — match against your local hash

003D68EB55068C33ACE09247EE4C639306B3
1E4C9039C8C0B7E6F5A4D24A8FD8E2A5C713 861 493
A2B09F1D7E3C4B5A6D8E0F1C2A3B4C5D6E712

The full hash and password never leave your servers.

Drops into any auth flow

LeakJar is a plain REST API — call it from whatever identity stack you already run.

Auth0OktaMicrosoft Entra IDAWS CognitoFirebaseSupabaseClerkWorkOSKeycloakAuth.jsStytchFusionAuth
Auth0OktaMicrosoft Entra IDAWS CognitoFirebaseSupabaseClerkWorkOSKeycloakAuth.jsStytchFusionAuth
Auth0OktaMicrosoft Entra IDAWS CognitoFirebaseSupabaseClerkWorkOSKeycloakAuth.jsStytchFusionAuth
Auth0OktaMicrosoft Entra IDAWS CognitoFirebaseSupabaseClerkWorkOSKeycloakAuth.jsStytchFusionAuth

Reused passwords are how breaches spread

A password leaked from one site becomes the key an attacker tries everywhere else. Credential stuffing is cheap, automated, and relentless. LeakJar catches those passwords at the door, before they turn into an incident you have to explain.

Your users' passwords stay private

We check with k-anonymity range queries. Only a short hash prefix ever leaves your servers — never the full hash, never the password.

You decide what happens next

Block it, force a reset, step up to MFA, or just log it. The policy is yours; LeakJar simply gives you a clear signal to act on.

See exactly what you're stopping

Watch match rates, top policies, and trends in the console — so you can show the real risk you're removing, not just claim it.

Nothing sensitive leaves your servers

Four steps, one round trip. You stay in control of every outcome.

Hash on your side

Compute a SHA-1 hash of the password locally. Only the first five characters ever leave your infrastructure.

Query the range endpoint

Send that short prefix to LeakJar. We return every matching suffix — without ever learning the full hash.

Apply your policy

Compare locally. On a match, do what makes sense for you: block, require MFA, force a reset, or log it for review.

Watch the impact

Match rates and policy outcomes show up in the console in real time, so you can see the risk you're removing.

Wire it up in an afternoon

One API call is all it takes. Hash locally, query the range endpoint, enforce your policy. A plain REST API, no SDK lock-in.

  • k-anonymity range queries by SHA-1 prefix
  • Plain-text SUFFIX:COUNT response, easy to diff locally
  • Works with any language or identity provider
Read the Quickstart
bash
$ curl -s https://api.leakjar.com/v1/passwords/range/5BAA6 \
  -H "Authorization: Bearer lj_…"HTTP/1.1 200 OK · Content-Type: text/plain1E4C9039C8C0B7E6F5A4...8FD8:3861493A2B09F1D7E3C4B5A6D8E...CA5C:12# one SUFFIX:COUNT per line — match yours locally

Add it with Cursor, Claude Code, or Codex

Grab a free key, paste one prompt into your AI editor, and let the agent wire breached-password screening into your signup, login, and reset flows. Agents read our /llms.txt for the exact contract.

Two products, one workflow

Stop compromised passwords at the gate, and stay alerted when your team's credentials surface in new breaches.

Password Protect API

Screen passwords at signup, change, and reset against billions of known-compromised credentials — privacy-preserving by design.

Explore Password Protect

Exposure Monitoring

Get domain-scoped alerts the moment your organization's credentials show up in new breach data — context for triage, not noise.

Explore Monitoring
10B+

Known breached credentials

99.9%

Uptime SLA

<50ms

p95 latency

Trust the architecture, not our word

k-Anonymity by design

Only the first five characters of a SHA-1 hash ever leave your servers. LeakJar returns matching suffixes without ever learning the full hash.

Plaintext never leaves your side

Hashing happens in your infrastructure. The complete hash and the password itself are never transmitted — so we cannot store, reconstruct, or infer them.

Aligned with NIST SP 800-63B

Screening new passwords against known-compromised credential lists is a NIST SP 800-63B recommendation. LeakJar delivers that control as a drop-in API.

Frequently asked questions

What is LeakJar?

LeakJar is a developer-first credential-exposure platform. Its Password Protect API blocks breached passwords at signup, change, and reset using privacy-preserving k-anonymity checks — a plain REST call, no SDK to install — and Exposure Monitoring alerts you when your organization's credentials surface in new data breaches, stealer logs, or combolists.

Does LeakJar store or see my users' passwords?

No. LeakJar uses a k-anonymity range query: your server sends only the first five characters of a SHA-1 hash — never the full hash or the plaintext password. The complete hash and password never leave your infrastructure, so LeakJar cannot store, reconstruct, or infer the original credential.

What happens when a breached password is detected?

You decide. LeakJar returns a match signal and your application enforces the policy you configure: block the password, require step-up (MFA) verification, force a reset, or simply notify the user or your security team. LeakJar never blocks anyone on its own — the outcome is always yours.

How many breached passwords does LeakJar check against?

LeakJar screens passwords against more than 10 billion credentials sourced from publicly known data breaches, stealer logs, and combolists. The dataset is continuously updated through responsible channels as new breach data becomes available, so every check reflects the latest known-compromised passwords.

Can I use LeakJar with my existing identity provider?

Yes. LeakJar is a plain REST API — a single call with a p95 under 50ms — that drops into any authentication flow. It works with Auth0, Okta, Firebase, Supabase, AWS Cognito, or a custom-built system, in any programming language, with no SDK lock-in.

Is LeakJar compatible with Have I Been Pwned (HIBP)?

Yes. The range endpoint returns the same SUFFIX:COUNT text format as HIBP's Pwned Passwords, so existing clients migrate by swapping the base URL and adding a Bearer API key. You also get a commercial SLA, prevalence counts, exposure monitoring, and support — without self-hosting multi-gigabyte breach files.

Is LeakJar compliant with NIST password guidelines?

LeakJar supports the NIST SP 800-63B recommendation to screen new passwords against lists of known-compromised credentials. It delivers that technical control as a drop-in API, though on its own it does not constitute a complete compliance program.

Can LeakJar tell me if my company's credentials have already leaked?

Yes. Exposure Monitoring continuously watches breach data, stealer logs, and combolists for credentials tied to domains you own and verify. When a match appears, it alerts your team with breach context and severity — including for accounts that already exist — so you can rotate credentials before attackers exploit them.

Is LeakJar free?

Yes. The Password Protect API has a free plan — 10,000 password checks per month, no credit card. Create an API key in the dashboard and start testing in minutes. Paid plans add higher volume, more projects, webhooks, and step-up policies; Exposure Monitoring is priced separately, though anyone can run a free check with our Check My Email tool.

Stop inheriting other people's breaches

Add breached-password screening in an afternoon. Free to start, no credit card.