# Have I Been Pwned API

- **Provider:** Troy Hunt
- **Category:** security
- **Base URL:** `https://haveibeenpwned.com/api/v3`
- **Auth:** api-key — `hibp-api-key: YOUR_API_KEY`
- **Rate Limit:** 1 request/1,500ms (breach endpoint) · Unlimited (password range)
- **Free Tier:** Yes
- **Pricing:** from $3.50/mo (freemium)
- **Docs:** https://haveibeenpwned.com/API/v3

## Description

Have I Been Pwned (HIBP) is the authoritative database of compromised credentials from 700+ public data breaches covering 12+ billion records. The API lets you check if an email address has been exposed in a breach (with breach details), check if a password hash has appeared in the Pwned Passwords dataset (k-anonymity model — your plaintext password never leaves your server), get the full list of breaches, and list breaches for a specific domain.

## Endpoints

| Method | Endpoint | Description |
|--------|----------|-------------|
| GET | `https://haveibeenpwned.com/api/v3/breachedaccount/{account}` | Get all breaches for an email address |
| GET | `https://haveibeenpwned.com/api/v3/breaches` | List all public breaches in the database |
| GET | `https://haveibeenpwned.com/api/v3/breach/{name}` | Get details for a specific breach by name |
| GET | `https://haveibeenpwned.com/api/v3/range/{firstFiveHashChars}` | k-Anonymity password check (free, no auth needed) |
| GET | `https://haveibeenpwned.com/api/v3/pasteaccount/{account}` | Get all pastes an email has appeared in |

## Authentication

The password-range endpoint requires no key. Breach lookups by email require a subscription key in the `hibp-api-key` header.

```
hibp-api-key: YOUR_API_KEY
```

## Sample Request

```bash
# Check if a password has been pwned (k-anonymity — safe to call)
# sha1sum prints "<hash>  -", so keep only the first field before upper-casing
PASSWORD_HASH=$(printf '%s' "password123" | sha1sum | awk '{print $1}' | tr '[:lower:]' '[:upper:]')
PREFIX=${PASSWORD_HASH:0:5}
SUFFIX=${PASSWORD_HASH:5}
# Only the 5-character prefix is sent; the suffix is matched locally
curl -s "https://api.pwnedpasswords.com/range/$PREFIX" | grep "^$SUFFIX"
```

## Sample Response

```text
# Response is a list of hash suffixes and breach counts
# If your suffix appears, the count shows how many times that password was seen
003D68EB55068C33ACE09247EE4C639306B:3
1D4A2773D2F1E27E58C6A7D3D25B5B3C:5921
```

## Pricing Details

Pwned Passwords (`/range` endpoint): free and unlimited. Breach search by email: $3.50/mo or $35/year. Domain search: $3.50/mo per domain. Educational institutions get 50% off.

---

*Source: [API Map](https://apimap.dev/apis/haveibeenpwned/) — CC BY 4.0*
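The range lookup from the Sample Request above as application code, with response parsing kept separate from the network call so it can be exercised offline. This is an added example, not code from HIBP or the original page; the function names, the `User-Agent` value and the constructed response body are assumptions made for illustration.

```python
import hashlib
import urllib.request

# Host taken from the page's sample request.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password):
    """SHA-1 the password locally; return (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix, body):
    """Return the count listed for suffix in a range response, 0 if absent."""
    for line in body.splitlines():  # handles CRLF or LF line endings
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix.upper():
            return int(count)
    return 0


def fetch_range(prefix):
    """Send only the prefix. Add-Padding asks for a padded response whose
    filler entries carry a count of 0, so response size reveals less."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "hibp-range-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password, fetch=fetch_range):
    """Times the password was seen, or None if the lookup failed, so the
    caller makes an explicit fail-open or fail-closed decision."""
    prefix, suffix = split_hash(password)
    try:
        return count_in_range(suffix, fetch(prefix))
    except OSError:  # URLError, HTTPError and timeouts are OSError subclasses
        return None


if __name__ == "__main__":
    # Constructed response body (not real API output) so the demo runs offline.
    prefix, suffix = split_hash("password123")
    body = "003D68EB55068C33ACE09247EE4C639306B:3\r\n" + suffix + ":5921\r\n"
    print(prefix, pwned_count("password123", fetch=lambda _p: body))
```

A return value of 0 covers both a suffix that is absent and a padded filler entry, so callers only need to compare the count against their own rejection threshold.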