Have I Been Pwned API

API for checking whether email addresses, usernames, or passwords have appeared in known data breaches, built and maintained by Troy Hunt. Covers billions of breached credentials.

Evaluated Mar 07, 2026 · version: current
Homepage ↗ Security hibp breach passwords security credential-stuffing data-leak rest-api
⚙ Agent Friendliness
58
/ 100
Can an agent use this?
🔒 Security
83
/ 100
Is it safe for agents?
⚡ Reliability
84
/ 100
Does it work consistently?

Score Breakdown

⚙ Agent Friendliness

MCP Quality
--
Documentation
90
Error Messages
75
Auth Simplicity
85
Rate Limits
50

🔒 Security

TLS Enforcement
100
Auth Strength
80
Scope Granularity
60
Dep. Hygiene
88
Secret Handling
90

API key passed via the hibp-api-key header. The password endpoint uses k-anonymity: the client hashes the password with SHA-1 locally and transmits only the first 5 hex characters of that hash; the server answers with every known hash suffix in that range and the client does the match itself, so neither the password nor its full hash ever leaves the caller. This is a strong privacy design. No scope granularity. Operated by a single trusted security researcher (Troy Hunt). TLS enforced. Minimal attack surface by design.
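The k-anonymity flow described above, worked through as an added example in Python (this is not code from the HIBP project). The range endpoint URL is the real one; the reply embedded below is constructed for the example (the hit counts and the second suffix are made up), the User-Agent string is a placeholder, and the Add-Padding header is the documented opt-in that makes the server pad replies with zero-count entries so response size does not leak how many suffixes a range holds:

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix that is
    sent to the server and the 35-char suffix that never leaves this host."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines of a range reply into {suffix: count}.
    Zero-count lines are padding (only present when Add-Padding: true was sent)
    and are dropped so they can never produce a false 'pwned' verdict."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        suffix, sep, count = line.partition(":")
        if not sep:
            continue                      # blank or malformed line
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def fetch_range(prefix: str, user_agent: str = "example-password-checker") -> str:
    """Live transport (not exercised offline). Only the 5-char prefix is in the URL."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": user_agent, "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=fetch_range) -> int:
    """How many times the password appears in the corpus; 0 means not seen.
    `fetch` is injectable so the logic can be tested without network access."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


# Constructed reply for prefix 5BAA6 (the SHA-1 of "password" begins 5BAA6).
# The counts and the second suffix are invented; a real reply lists hundreds of suffixes.
SAMPLE_REPLY_5BAA6 = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
    "1E2D1C4F83A9E6B5E2D7C1A0B9F8E7D6C5B:3\r\n"
    + "0" * 34 + "A:0\r\n"               # padding entry, must be ignored
)


def demo() -> tuple[int, int]:
    """Offline check of a known-bad and a not-listed password against the sample reply."""
    offline = lambda prefix: SAMPLE_REPLY_5BAA6
    return pwned_count("password", offline), pwned_count("Tr0ub4dor&3", offline)


if __name__ == "__main__":
    print(demo())
```

Because the match happens client-side, a policy decision such as "reject any password with a count above 0" costs no extra round trips and reveals nothing further to the server.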

⚡ Reliability

Uptime/SLA
80
Version Stability
90
Breaking Changes
88
Error Recovery
80

Best When

An agent needs to check whether credentials or email addresses have been compromised in public data breaches, especially during account creation or login risk evaluation.

Avoid When

You need broader threat intelligence beyond breach data, or you need real-time fraud scoring.

Use Cases

  • Checking if user email addresses were exposed in known data breaches
  • Password hygiene enforcement by checking against breached passwords (k-anonymity model)
  • Alerting users when their credentials appear in new breaches
  • Security awareness tooling and compliance reporting
  • Enriching identity risk assessments in security pipelines

Not For

  • Real-time fraud prevention (not a fraud scoring API)
  • IP reputation or network-level threat intelligence
  • Comprehensive identity verification
  • Automated bulk account scanning without subscription

Interface

REST API
Yes
GraphQL
No
gRPC
No
MCP Server
No
SDK
No
Webhooks
No

Authentication

Methods: api_key
OAuth: No Scopes: No

API key required for the breach search and paste search endpoints; the key is passed via the hibp-api-key header. The password range endpoint (k-anonymity) is free and needs no key. Every request must also carry a User-Agent header identifying the calling application; HIBP rejects requests without one.

Pricing

Model: subscription
Free tier: Yes
Requires CC: Yes

Pricing is tiered by number of breach searches per month. The k-anonymity password endpoint remains free for all users. Very affordable for modest use.

Agent Metadata

Pagination
none
Idempotent
Full
Retry Guidance
Documented

Known Gotchas

  • Rate limit on breach lookups is enforced per API key (the figure quoted here is 1 req/1500ms); exceeding it returns HTTP 429 with a retry-after header, so agents must throttle and honour that header rather than hammering the endpoint
  • Password check uses k-anonymity: send only the first 5 hex chars of the uppercase SHA-1 hash, never the full hash or the password; the match against the returned suffixes is done locally
  • On the breach search endpoint a 404 response means 'not found/not pwned', so agents must not treat 404 as an error; the password range endpoint instead always returns 200 and 'not pwned' simply means your suffix is absent from the list
  • Every request needs a User-Agent header; requests without one are rejected with HTTP 403
  • Breach data updates are not real-time; new breaches take time to be loaded and indexed
  • Paste search is a separate endpoint from breach search and requires separate calls
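The response-handling rules in the gotchas above (404 is a clean "not pwned", 429 carries a retry-after delay, key and User-Agent travel as headers), as an added Python example that is not code from the HIBP project. The breachedaccount URL and header names are the real ones; the scripted replies in demo() are constructed, the API key is a placeholder, and the retry count is an arbitrary choice:

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

BREACH_URL = "https://haveibeenpwned.com/api/v3/breachedaccount/"
FALLBACK_BACKOFF = 1.5   # seconds; used only if a 429 arrives without retry-after


class HibpError(Exception):
    """Raised for replies a retry will not fix (bad key, missing User-Agent, 5xx)."""


def build_request(account: str, api_key: str, user_agent: str) -> urllib.request.Request:
    # The account is a path segment, so it must be percent-encoded; the key goes in
    # hibp-api-key and a User-Agent is mandatory for every request.
    url = BREACH_URL + urllib.parse.quote(account, safe="")
    return urllib.request.Request(
        url, headers={"hibp-api-key": api_key, "User-Agent": user_agent}
    )


def http_send(req: urllib.request.Request) -> tuple[int, dict, str]:
    """Live transport returning (status, headers, body). urllib raises on 4xx/5xx,
    so unwrap the error: a 404 here is data, not a failure."""
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read().decode("utf-8", errors="replace")


def interpret(status: int, headers: dict, body: str):
    """Map one HTTP reply to ("ok", [breach names]) or ("retry", seconds); raise otherwise."""
    lower = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    if status == 200:
        return "ok", [entry["Name"] for entry in json.loads(body)]
    if status == 404:
        return "ok", []                                   # not found == not pwned
    if status == 429:
        return "retry", float(lower.get("retry-after", FALLBACK_BACKOFF))
    if status in (401, 403):
        raise HibpError(f"rejected ({status}): check hibp-api-key and User-Agent")
    raise HibpError(f"unexpected HTTP {status}")


def breached_account(account: str, api_key: str, *, send=http_send, sleep=time.sleep,
                     user_agent: str = "example-breach-checker", max_retries: int = 3) -> list[str]:
    """Return the names of breaches containing `account` ([] if none), honouring 429 backoff.
    `send` and `sleep` are injectable so the logic can be exercised offline."""
    req = build_request(account, api_key, user_agent)
    for _ in range(max_retries + 1):
        kind, value = interpret(*send(req))
        if kind == "ok":
            return value
        sleep(value)                                      # wait the server-specified delay
    raise HibpError("still rate limited after retries")


def scripted_sender(replies):
    """Constructed offline transport: hands out one (status, headers, body) per call."""
    queue = list(replies)
    return lambda _req: queue.pop(0)


def demo():
    """Offline walk-through: a throttled-then-successful lookup, then a clean 404."""
    sleeps: list[float] = []
    send = scripted_sender([
        (429, {"Retry-After": "2"}, "Rate limit exceeded"),
        (200, {}, '[{"Name":"Adobe"},{"Name":"LinkedIn"}]'),
        (404, {}, ""),
    ])
    first = breached_account("user@example.com", "PLACEHOLDER-KEY", send=send, sleep=sleeps.append)
    second = breached_account("nobody@example.com", "PLACEHOLDER-KEY", send=send, sleep=sleeps.append)
    return first, second, sleeps


if __name__ == "__main__":
    print(demo())
```

An agent that wraps this should keep its own pacing between calls in addition to honouring retry-after; the backoff here only reacts once the server has already said no.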

Alternatives

Full Evaluation Report

Comprehensive deep-dive: security analysis, reliability audit, agent experience review, cost modeling, competitive positioning, and improvement roadmap for Have I Been Pwned API.

AI-powered analysis · PDF + markdown · Delivered within 30 minutes

$99

Package Brief

Quick verdict, integration guide, cost projections, gotchas with workarounds, and alternatives comparison.

Delivered within 10 minutes

$3

Score Monitoring

Get alerted when this package's AF, security, or reliability scores change significantly. Stay ahead of regressions.

Continuous monitoring

$3/mo

Scores are editorial opinions as of 2026-03-07.
