Keep stolen passwords out of your app
Billions of passwords already sit in breach dumps. When a user signs up or resets with one, you inherit the risk. LeakJar checks every password against known breaches in real time — and never sees the password itself.
No plaintext passwords required
/v1/passwords/range/5BAA6
200 OK
# SUFFIX:COUNT — match against your local hash
The full hash and password never leave your servers.
Integrates with your existing auth stack
The problem
Reused passwords are how breaches spread
A password leaked from one site becomes the key an attacker tries everywhere else. Credential stuffing is cheap, automated, and relentless. LeakJar catches those passwords at the door, before they turn into an incident you have to explain.
Your users' passwords stay private
We check with k-anonymity range queries. Only a short hash prefix ever leaves your servers — never the full hash, never the password.
You decide what happens next
Block it, force a reset, step up to MFA, or just log it. The policy is yours; LeakJar simply gives you a clear signal to act on.
See exactly what you're stopping
Watch match rates, top policies, and trends in the console — so you can show the real risk you're removing, not just claim it.
How it works
Nothing sensitive leaves your servers
Four steps, one round trip. You stay in control of every outcome.
Hash on your side
Compute a SHA-1 hash of the password locally. Only the first five hex characters of that hash ever leave your infrastructure.
Query the range endpoint
Send that short prefix to LeakJar. We return every matching suffix — without ever learning the full hash.
Apply your policy
Compare locally. On a match, do what makes sense for you: block, require MFA, force a reset, or log it for review.
Watch the impact
Match rates and policy outcomes show up in the console in real time, so you can see the risk you're removing.
Developer-first
Wire it up in an afternoon
One API call is all it takes. Hash locally, query the range endpoint, enforce your policy. A plain REST API, no SDK lock-in.
- k-anonymity range queries by SHA-1 prefix
- Plain-text SUFFIX:COUNT response, easy to diff locally
- Works with any language or identity provider
$ curl -s https://api.leakjar.com/v1/passwords/range/5BAA6 \
    -H "Authorization: Bearer lj_…"
HTTP/1.1 200 OK · Content-Type: text/plain
1E4C9039C8C0B7E6F5A4...8FD8:3861493
A2B09F1D7E3C4B5A6D8E...CA5C:12
# one SUFFIX:COUNT per line — match yours locally
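The client side of the flow above, as an added example (not LeakJar's own code): hash locally, send only the prefix, parse the SUFFIX:COUNT body, and apply a policy. It assumes suffixes are the remaining 35 uppercase hex characters of the SHA-1 hash; the decide() policy, its threshold, and the sample body are constructed for illustration.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.leakjar.com/v1/passwords/range/"  # endpoint shown on this page

# Constructed sample body for prefix 5BAA6 (SHA-1 of "password" begins 5BAA6...).
SAMPLE_BODY = (
    "0123456789ABCDEF0123456789ABCDEF012:12\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    "not-a-valid-line\r\n"
)

def split_hash(password: str) -> tuple[str, str]:
    """Hash locally; return (5-char prefix to send, 35-char suffix to keep)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body: str) -> dict[str, int]:
    """Parse SUFFIX:COUNT lines, ignoring anything malformed."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def fetch_range(prefix: str, api_key: str) -> str:
    """Live lookup; the request carries the prefix only."""
    req = urllib.request.Request(
        RANGE_URL + prefix, headers={"Authorization": f"Bearer {api_key}"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("ascii", errors="replace")

def breach_count(password: str, fetch=fetch_range, api_key: str = "") -> int:
    """Times the password appears in the returned range (0 = no match)."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch(prefix, api_key)).get(suffix, 0)

def decide(count: int, block_at: int = 100) -> str:
    """Hypothetical policy: block widely leaked passwords, reset on rarer hits."""
    if count >= block_at:
        return "block"
    return "force_reset" if count > 0 else "allow"

if __name__ == "__main__":
    # Offline stand-in for fetch_range that serves the constructed body.
    offline = lambda prefix, key: SAMPLE_BODY if prefix == "5BAA6" else ""
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", decide(breach_count(pw, fetch=offline)))
```

Decide separately what happens when fetch_range raises (timeout, 5xx): failing open keeps signups working, failing closed keeps the screen enforced.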
Build with AI
Add it with Cursor, Claude Code, or Codex
Grab a free key, paste one prompt into your AI editor, and let the agent wire breached-password screening into your signup, login, and reset flows. Agents read our /llms.txt for the exact contract.
Products
Two products, one workflow
Stop compromised passwords at the gate, and stay alerted when your team's credentials surface in new breaches.
Password Protect API
Screen passwords at signup, change, and reset against billions of known-compromised credentials — privacy-preserving by design.
Exposure Monitoring
Get domain-scoped alerts the moment your organization's credentials show up in new breach data — context for triage, not noise.
What security teams say
Trusted by teams who take credential security seriously
“LeakJar cut our credential stuffing incidents by 73% in the first quarter. The privacy-preserving approach made it easy to get buy-in from our legal and security teams.”
Sarah Chen
Head of Security Engineering, Series B Fintech
“We integrated the Password Protect API in under an hour. The range-prefix model means we never send sensitive data, which was a hard requirement for our compliance team.”
Marcus Rivera
Staff Engineer, E-commerce Platform
“The exposure monitoring alerts gave us context we never had before. When a breach hits, we know which accounts need resets within minutes, not weeks.”
Anja Kowalski
Director of InfoSec, Enterprise SaaS
Stop inheriting other people's breaches
Add breached-password screening in an afternoon. Free to start, no credit card.