This page documents the Hash Check API, which checks password hashes against the haveibeenpwned database.
Businesses and developers may wish to self-host this service, so we define the service implementation here for reference.
Meta Data
The root of the service MUST respond to a GET request with information about the service. This can be used to perform a health check of the service, and the response MUST include an updated field, which is an ISO 8601 date indicating when the database was last updated.
{
"name": "hashcheck",
"updated": "2023-09-29",
"version": "1.1.0"
}
Example: hashcheck.saveoursecrets.com
Check Hash
The service MUST respond to a GET request to /:hash where :hash is a SHA-1 hash of a password. The :hash parameter is case-insensitive.
The response MUST be the JSON number 1 when the hash exists in the database and 0 otherwise.
Example: /A94A8FE5CCB19BA61C4C0873D391E987982FBBD3
Batch
The service MUST respond to a POST request to / where the body is a JSON array of hashes to check.
The response MUST be a JSON array of the same length as the request where each entry contains the number 1 when the hash exists in the database and 0 otherwise.
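The three endpoints above as a single request handler in Python. This is an added example, not the Hash Check project's source code. The handle and lookup names, the in-memory PWNED set, the 400 and 404 responses, and the 0 result for malformed batch entries are assumptions, since the specification does not define error handling.

```python
import hashlib
import json
import re

# Constructed sample database of uppercase SHA-1 hex digests. A self-hosted
# deployment would load these from the haveibeenpwned data set instead.
PWNED = {
    "A94A8FE5CCB19BA61C4C0873D391E987982FBBD3",        # example hash from this page
    hashlib.sha1(b"password123").hexdigest().upper(),  # constructed entry
}
META = {"name": "hashcheck", "updated": "2023-09-29", "version": "1.1.0"}
SHA1_HEX = re.compile(r"[0-9A-Fa-f]{40}")  # 160-bit digest as 40 hex characters


def lookup(value):
    """Return 1 if value is a SHA-1 hex digest present in the database, else 0."""
    # Assumption: malformed or non-string entries are reported as 0.
    if not isinstance(value, str) or not SHA1_HEX.fullmatch(value):
        return 0
    # Normalise case so that :hash is case-insensitive, as the spec requires.
    return 1 if value.upper() in PWNED else 0


def handle(method, path, body=b""):
    """Route one request and return (HTTP status, JSON response text)."""
    if method == "GET" and path == "/":
        return 200, json.dumps(META)
    if method == "GET" and SHA1_HEX.fullmatch(path[1:]):
        return 200, json.dumps(lookup(path[1:]))
    if method == "POST" and path == "/":
        try:
            hashes = json.loads(body)
        except ValueError:  # covers invalid JSON and undecodable bytes
            return 400, json.dumps("body must be JSON")
        if not isinstance(hashes, list):
            return 400, json.dumps("body must be a JSON array")
        # One result per request entry, in order, so the lengths always match.
        return 200, json.dumps([lookup(h) for h in hashes])
    return 404, json.dumps("not found")
```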
Source Code
The source code for the Hash Check service is available to fork or download.