HaveIBeenPwned API

⭐ Beginner's Pick Security / API Key Intermediate HTTPS
Varies by plan (check documentation)

Overview

Have I Been Pwned (HIBP) lets you check whether an email address or password has appeared in known data breaches. It is one of the most trusted security APIs available and is used by browsers, password managers, and security tools worldwide. Beginners can use the password API without any authentication by sending a hash prefix instead of the actual password.

💡

Beginner Tip

Never send full passwords to the API. Use the k-anonymity model: hash your password with SHA-1, send only the first 5 characters of the hash, and check whether your full hash appears in the returned list. This keeps your password private even from the API.
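The k-anonymity check from the tip above, as an added Node.js example (not code from the original page or from HIBP). It assumes the Pwned Passwords range endpoint at api.pwnedpasswords.com and its "SUFFIX:COUNT" line format; the sample response and its counts are constructed so the matching logic runs offline.

```javascript
// Constructed sample of a range response for prefix 5BAA6: one "SUFFIX:COUNT"
// entry per line. Counts are made up; the last line imitates a padding entry.
const SAMPLE_RANGE = [
  "0123456789ABCDEF0123456789ABCDEF012:4",
  "1E4C9B93F3F0682250B6CF8331B7EE68FD8:42",
  "F".repeat(35) + ":0",
].join("\r\n");

// SHA-1 the password locally and split the hex digest; only `prefix` is sent.
async function hashParts(password) {
  const { createHash } = await import("node:crypto");
  const hex = createHash("sha1").update(password, "utf8").digest("hex").toUpperCase();
  return { prefix: hex.slice(0, 5), suffix: hex.slice(5) };
}

// Look for our 35-character suffix in the response body. Returns the breach
// count, or 0 when the suffix is absent or is a zero-count padding entry.
function countInRange(body, suffix) {
  const want = suffix.toUpperCase();
  for (const line of body.split(/\r?\n/)) {
    const [candidate, count] = line.trim().split(":");
    if (candidate && candidate.toUpperCase() === want) {
      return Number.parseInt(count, 10) || 0;
    }
  }
  return 0;
}

// Network call, kept separate so the matching logic can be exercised offline.
async function fetchRange(prefix) {
  const res = await fetch(`https://api.pwnedpasswords.com/range/${prefix}`, {
    headers: { "Add-Padding": "true" }, // pads the response so its size leaks less
  });
  if (!res.ok) throw new Error(`Range request failed: ${res.status}`);
  return res.text();
}

// Full check: the password and the full hash never leave this process.
async function pwnedCount(password, getRange = fetchRange) {
  const { prefix, suffix } = await hashParts(password);
  return countInRange(await getRange(prefix), suffix);
}

// Offline demo against the constructed sample instead of the live API.
pwnedCount("password", async () => SAMPLE_RANGE)
  .then((n) => console.log(`seen ${n} times in the sample range`));
```

Call `pwnedCount(password)` with no second argument to query the live endpoint; any result above 0 means the password should be rejected or changed.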

Example Response

JSON Response
{
  "status": "success",
  "data": {
    "result": "Data from HaveIBeenPwned",
    "description": "Passwords which have previously been exposed in data breaches",
    "timestamp": "2025-01-15T10:00:00Z"
  }
}

Field Reference

Name: Short identifier for the breach (e.g., "Adobe").
Title: Full human-readable name of the breached service.
BreachDate: Date when the breach is estimated to have occurred (YYYY-MM-DD).
PwnCount: Number of accounts exposed in the breach.
DataClasses: Types of data exposed, such as "Email addresses" or "Passwords".

Implementation Example

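// Breached-account lookup (HIBP API v3). Run this server-side: the API key
// must not be embedded in code that ships to a browser.
const account = "user@example.com"; // placeholder address to look up
const url = `https://haveibeenpwned.com/api/v3/breachedaccount/${encodeURIComponent(account)}`;
const response = await fetch(url, {
  headers: {
    "hibp-api-key": "YOUR_API_KEY",        // header name the API expects
    "User-Agent": "MyPasswordChecker/1.0"  // a descriptive User-Agent is required
  }
});
if (response.status === 404) {
  // 404 means the address was not found in any breach: a clean result, not an error.
  console.log("No breaches found");
} else {
  if (!response.ok) throw new Error(`Request failed: ${response.status}`);
  const data = await response.json();
  console.log(data);
}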

What Can You Build?

Note: These code examples are AI-generated and unverified. Always refer to the official API documentation for accurate usage.

Common Errors & Troubleshooting

401 Unauthorized: The hibp-api-key header is missing from the request.
  Fix: Purchase an API key at haveibeenpwned.com/API/Key and include it as the hibp-api-key header in every request.

403 Forbidden (User-Agent missing): The HIBP API requires a descriptive User-Agent header and will reject generic or missing ones.
  Fix: Add a User-Agent header with your application name, e.g., -H "User-Agent: MyPasswordChecker/1.0".

404 Not Found: The email address was not found in any breach; this is actually a good result.
  Fix: A 404 means the account is clean. Treat this as a success case in your code rather than an error.

Matrix Score Breakdown

🌐 Reachability 30/30
⚡ Speed 10/20
🔒 Security 15/15
🛠 Developer XP 12/20
✓ Reliability 10/15

Partially tested on Apr 5, 2026

Technical Specifications

Auth API Key
HTTPS REQUIRED
CORS UNKNOWN
Category Security
Difficulty Intermediate
Verified: 2026-04-04
