Keep stolen passwords out of your app
Billions of passwords already sit in breach dumps. When a user signs up or resets with one, you inherit the risk. LeakJar checks every password against known breaches in real time — and never sees the password itself.
No plaintext passwords required
/v1/passwords/range/5BAA6200 OK# SUFFIX:COUNT — match against your local hash
The full hash and password never leave your servers.
Drops into any auth flow
LeakJar is a plain REST API — call it from whatever identity stack you already run.
The problem
Reused passwords are how breaches spread
A password leaked from one site becomes the key an attacker tries everywhere else. Credential stuffing is cheap, automated, and relentless. LeakJar catches those passwords at the door, before they turn into an incident you have to explain.
Your users' passwords stay private
We check with k-anonymity range queries. Only a short hash prefix ever leaves your servers — never the full hash, never the password.
You decide what happens next
Block it, force a reset, step up to MFA, or just log it. The policy is yours; LeakJar simply gives you a clear signal to act on.
See exactly what you're stopping
Watch match rates, top policies, and trends in the console — so you can show the real risk you're removing, not just claim it.
How it works
Nothing sensitive leaves your servers
Four steps, one round trip. You stay in control of every outcome.
Hash on your side
Compute a SHA-1 hash of the password locally. Only the first five characters ever leave your infrastructure.
Query the range endpoint
Send that short prefix to LeakJar. We return every matching suffix — without ever learning the full hash.
Apply your policy
Compare locally. On a match, do what makes sense for you: block, require MFA, force a reset, or log it for review.
Watch the impact
Match rates and policy outcomes show up in the console in real time, so you can see the risk you're removing.
Developer-first
Wire it up in an afternoon
One API call is all it takes. Hash locally, query the range endpoint, enforce your policy. A plain REST API, no SDK lock-in.
- k-anonymity range queries by SHA-1 prefix
- Plain-text SUFFIX:COUNT response, easy to diff locally
- Works with any language or identity provider
$ curl -s https://api.leakjar.com/v1/passwords/range/5BAA6 \ -H "Authorization: Bearer lj_…"HTTP/1.1 200 OK · Content-Type: text/plain1E4C9039C8C0B7E6F5A4...8FD8:3861493A2B09F1D7E3C4B5A6D8E...CA5C:12# one SUFFIX:COUNT per line — match yours locally
Build with AI
Add it with Cursor, Claude Code, or Codex
Grab a free key, paste one prompt into your AI editor, and let the agent wire breached-password screening into your signup, login, and reset flows. Agents read our /llms.txt for the exact contract.
Products
Two products, one workflow
Stop compromised passwords at the gate, and stay alerted when your team's credentials surface in new breaches.
Password Protect API
Screen passwords at signup, change, and reset against billions of known-compromised credentials — privacy-preserving by design.
Explore Password ProtectExposure Monitoring
Get domain-scoped alerts the moment your organization's credentials show up in new breach data — context for triage, not noise.
Explore MonitoringKnown breached credentials
Uptime SLA
p95 latency
Trust model
Trust the architecture, not our word
k-Anonymity by design
Only the first five characters of a SHA-1 hash ever leave your servers. LeakJar returns matching suffixes without ever learning the full hash.
Plaintext never leaves your side
Hashing happens in your infrastructure. The complete hash and the password itself are never transmitted — so we cannot store, reconstruct, or infer them.
Aligned with NIST SP 800-63B
Screening new passwords against known-compromised credential lists is a NIST SP 800-63B recommendation. LeakJar delivers that control as a drop-in API.
FAQ
Frequently asked questions
What is LeakJar?
Does LeakJar store or see my users' passwords?
What happens when a breached password is detected?
How many breached passwords does LeakJar check against?
Can I use LeakJar with my existing identity provider?
Is LeakJar compatible with Have I Been Pwned (HIBP)?
Is LeakJar compliant with NIST password guidelines?
Can LeakJar tell me if my company's credentials have already leaked?
Is LeakJar free?
Stop inheriting other people's breaches
Add breached-password screening in an afternoon. Free to start, no credit card.