Hash Check

This page documents the Hash Check API which checks password hashes against the haveibeenpwned database.

Businesses and developers may wish to self-host this service so we define the service implementation here for reference.

Meta Data

The root of the service MUST respond to a GET request with information about the service; this can be used to perform a health check of the service and MUST include an updated field which is an ISO 8601 date indicating when the database was last updated.

{
  "name": "hashcheck",
  "updated": "2023-09-29",
  "version": "1.1.0"
}

Example: hashcheck.saveoursecrets.com

Check Hash

The service MUST respond to a GET request to /:hash where :hash is a SHA-1 hash of a password. The :hash parameter is case-insensitive.

The response MUST be the JSON number 1 when the hash exists in the database and 0 otherwise.

Example: /A94A8FE5CCB19BA61C4C0873D391E987982FBBD3

Batch

The service MUST respond to a POST request to / where the body is a JSON array of hashes to check.

The response MUST be a JSON array of the same length as the request where each entry contains the number 1 when the hash exists in the database and 0 otherwise.
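
The three endpoints above, sketched as a single dispatch function; this is an added example, not the Hash Check project's own code. The function names, the in-memory set (which holds only the SHA-1 of the constructed password "test") and the 400/405 error responses are assumptions, since the page does not specify error handling.

```python
import hashlib
import json
import re

# Constructed sample database: SHA-1 digests stored as uppercase hex.
# A real deployment would load the haveibeenpwned data set instead.
BREACHED = {hashlib.sha1(b"test").hexdigest().upper()}
META = {"name": "hashcheck", "updated": "2023-09-29", "version": "1.1.0"}
SHA1_HEX = re.compile(r"[0-9A-Fa-f]{40}")


def lookup(value):
    """Return 1 if the SHA-1 hex digest is in the database, else 0.

    Raises ValueError for anything that is not 40 hex characters; the page
    does not say how to treat malformed input, so rejecting it is an assumption.
    """
    if not isinstance(value, str) or not SHA1_HEX.fullmatch(value):
        raise ValueError("not a SHA-1 hex digest")
    return 1 if value.upper() in BREACHED else 0  # :hash is case-insensitive


def handle(method, path, body=b""):
    """Dispatch one request; returns (HTTP status, JSON response text)."""
    try:
        if method == "GET" and path == "/":
            return 200, json.dumps(META)  # metadata / health check
        if method == "GET":
            return 200, json.dumps(lookup(path[1:]))  # GET /:hash
        if method == "POST" and path == "/":
            hashes = json.loads(body)
            if not isinstance(hashes, list):
                raise ValueError("body must be a JSON array")
            # One result per request entry, in the same order.
            return 200, json.dumps([lookup(h) for h in hashes])
    except ValueError:  # also covers json.JSONDecodeError
        return 400, json.dumps({"error": "bad request"})  # assumed error shape
    return 405, json.dumps({"error": "method not allowed"})  # assumed error shape
```

Validating every entry before the lookup keeps a batch response either complete, with exactly one result per request entry, or rejected as a whole.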

Source Code

The source code for the Hash Check service is available to fork or download.
