Have I Been Pwned API

by Troy Hunt · Free tier

Have I Been Pwned (HIBP) is the authoritative database of compromised credentials from 700+ public data breaches covering 12+ billion records. The API lets you check if an email address has been exposed in a breach (with breach details), check if a password hash has appeared in the Pwned Passwords dataset (k-anonymity model — your plaintext password never leaves your server), get the full list of breaches, and list breaches for a specific domain.

Tags: data-breach, password-security, credentials, cybersecurity, haveibeenpwned, privacy

Quick Reference

Base URL: https://haveibeenpwned.com/api/v3
Auth type: API Key Header
Auth header: hibp-api-key: YOUR_API_KEY
Rate limit: 1 request/1,500ms (breach endpoint) · Unlimited (password range)
Pricing: from $3.50/mo
Free quota: Password range endpoint is free (unlimited)
Documentation: https://haveibeenpwned.com/API/v3
Endpoint status: Live, HTTP 200, endpoint is accessible, 812ms (checked Mar 29, 2026)
Builder score: A, 82% builder-friendly
Scores: Pricing 90 · Latency 76 · Depth 81

Authentication

The password-range endpoint requires no key. Breach lookups by email require a subscription key in the hibp-api-key header.

hibp-api-key: YOUR_API_KEY

Pricing

Model: freemium
Starting price: from $3.50/mo
Free quota: Password range endpoint is free (unlimited)

Pwned Passwords (/range endpoint): free and unlimited. Breach search by email: $3.50/mo or $35/year. Domain search: $3.50/mo per domain. Educational institutions get 50% off.

Key Endpoints

Method  Path                          Description
GET     /breachedaccount/{account}    Get all breaches for an email address
GET     /breaches                     List all public breaches in the database
GET     /breach/{name}                Get details for a specific breach by name
GET     /range/{firstFiveHashChars}   k-Anonymity password check (free, no auth needed; the sample request below calls it on api.pwnedpasswords.com)
GET     /pasteaccount/{account}       Get all pastes an email has appeared in

Sample Request

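# Check if a password has been pwned (k-anonymity: only the 5-character hash prefix is sent)
# sha1sum prints "<hash>  -", so keep only the first field and upper-case it
PASSWORD_HASH=$(printf '%s' "password123" | sha1sum | awk '{print toupper($1)}')
PREFIX=${PASSWORD_HASH:0:5}   # sent to the API
SUFFIX=${PASSWORD_HASH:5}     # compared locally, never sent
# -s keeps curl's progress meter out of the output; a match prints "SUFFIX:count"
curl -s "https://api.pwnedpasswords.com/range/$PREFIX" | grep "^$SUFFIX"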

Sample Response

# Response is a list of hash suffixes and breach counts
# If your suffix appears, the count shows how many times that password was seen
003D68EB55068C33ACE09247EE4C639306B:3
1D4A2773D2F1E27E58C6A7D3D25B5B3C:5921

Data sourced from API Map. Always verify pricing and rate limits against the official Troy Hunt documentation.