{ "openapi": "3.0.3", "info": { "title": "Have I Been Pwned API v3", "description": "Version 3 of the Have I Been Pwned API. Authenticated APIs for breaches by account, pastes, domain search, domain verification, stealer logs, and subscription status require both the hibp-api-key and user-agent headers. Availability varies by subscription tier and is noted per operation. The Pwned Passwords range API is free and does not require authentication.", "version": "3.0.0", "license": { "name": "Creative Commons Attribution 4.0 International", "url": "https://creativecommons.org/licenses/by/4.0/" } }, "servers": [ { "url": "https://haveibeenpwned.com/api/v3", "description": "HIBP API v3 server" }, { "url": "https://api.pwnedpasswords.com", "description": "Pwned Passwords k-Anonymity API (no authentication required)" } ], "components": { "securitySchemes": { "HibpApiKey": { "type": "apiKey", "in": "header", "name": "hibp-api-key", "description": "HIBP API key passed in the hibp-api-key header. Paid APIs require a 32-character hexadecimal value. On supported test-only endpoints, any 32-character hexadecimal value can be used as a test key for the hibp-integration-tests.com domain." } }, "parameters": { "UserAgent": { "name": "user-agent", "in": "header", "required": true, "description": "User agent string identifying the consuming application. Required on all documented requests, including unauthenticated endpoints; missing user agents may receive HTTP 403 responses.", "schema": { "type": "string" } }, "AddPadding": { "name": "Add-Padding", "in": "header", "required": false, "description": "Adds random padding to Pwned Passwords responses (discard padded entries with count of 0).", "schema": { "type": "boolean" } } }, "schemas": { "Error": { "type": "object", "properties": { "statusCode": { "type": "integer" }, "message": { "type": "string" } }, "required": [ "statusCode", "message" ], "description": "Standard error response returned by most authenticated HIBP APIs." }, "BreachedAccountRangeResult": { "type": "object", "properties": { "hashSuffix": { "type": "string", "description": "The remaining 34 hexadecimal characters of the breached account's SHA-1 hash." }, "websites": { "type": "array", "items": { "type": "string" }, "description": "The breach names associated with the hashed account suffix after public API filtering. Sensitive breaches are never returned." } }, "required": [ "hashSuffix", "websites" ] }, "Breach": { "type": "object", "properties": { "Name": { "type": "string", "description": "A Pascal-cased name representing the breach which is unique across all other breaches. This value never changes and may be used to name dependent assets (such as images) but should not be shown directly to end users (see the 'Title' attribute instead)." }, "Title": { "type": "string", "description": "A descriptive title for the breach suitable for displaying to end users. It's unique across all breaches but individual values may change in the future (i.e. if another breach occurs against an organisation already in the system)." }, "Domain": { "type": "string", "description": "The domain of the primary website the breach occurred on. This may be used for identifying other assets external systems may have for the site." }, "BreachDate": { "type": "string", "format": "date", "description": "The date (with no time) the breach originally occurred on in ISO 8601 format. This is not always accurate — frequently breaches are discovered and reported long after the original incident. Use this attribute as a guide only." }, "AddedDate": { "type": "string", "format": "date-time", "description": "The date and time (precision to the minute) the breach was added to the system in ISO 8601 format." }, "ModifiedDate": { "type": "string", "format": "date-time", "description": "The date and time (precision to the minute) the breach was modified in ISO 8601 format. This will only differ from the AddedDate attribute if other attributes represented here are changed or data in the breach itself is changed (i.e. additional data is identified and loaded). It is always either equal to or greater then the AddedDate attribute, never less than." }, "PwnCount": { "type": "integer", "description": "The total number of accounts loaded into the system. This is usually less than the total number reported by the media due to duplication or other data integrity issues in the source data." }, "Description": { "type": "string", "description": "Contains an overview of the breach represented in HTML markup. The description may include markup such as emphasis and strong tags as well as hyperlinks." }, "DataClasses": { "type": "array", "items": { "type": "string" }, "description": "This attribute describes the nature of the data compromised in the breach and contains an alphabetically ordered string array of impacted data classes." }, "IsVerified": { "type": "boolean", "description": "Indicates that the breach is considered unverified. An unverified breach may not have been hacked from the indicated website. An unverified breach is still loaded into HIBP when there's sufficient confidence that a significant portion of the data is legitimate." }, "IsFabricated": { "type": "boolean", "description": "Indicates that the breach is considered fabricated. A fabricated breach is unlikely to have been hacked from the indicated website and usually contains a large amount of manufactured data. However, it still contains legitimate email addresses and asserts that the account owners were compromised in the alleged breach." }, "IsSensitive": { "type": "boolean", "description": "Indicates if the breach is considered sensitive. The public API will not return any accounts for a breach flagged as sensitive." }, "IsRetired": { "type": "boolean", "description": "Indicates if the breach has been retired. This data has been permanently removed and will not be returned by the API." }, "IsSpamList": { "type": "boolean", "description": "Indicates if the breach is considered a spam list. This flag has no impact on any other attributes but it means that the data has not come as a result of a security compromise." }, "IsMalware": { "type": "boolean", "description": "Indicates if the breach is sourced from malware. This flag has no impact on any other attributes, it merely flags that the data was sourced from a malware campaign rather than a security compromise of an online service." }, "IsSubscriptionFree": { "type": "boolean", "description": "Indicates if the breach is subscription-free. This flag has no impact on any other attributes, it is only used when running a domain search where a sufficiently sized subscription isn't present." }, "IsStealerLog": { "type": "boolean", "description": "Indicates if the breach is sourced from stealer logs. A breach with this flag also has the domains that appear in the logs loaded against each email address. This data can be accessed via the stealer logs API." }, "LogoPath": { "type": "string", "format": "uri", "description": "A URI that specifies where a logo for the breached service can be found. Logos are always in PNG format." }, "Attribution": { "type": "string", "nullable": true, "description": "Sometimes requested by the party that provides the data to HIBP." } }, "required": [ "Name", "Title", "Domain", "BreachDate", "AddedDate", "ModifiedDate", "PwnCount", "Description", "DataClasses", "IsVerified", "IsFabricated", "IsSensitive", "IsRetired", "IsSpamList", "IsMalware", "IsSubscriptionFree", "IsStealerLog", "LogoPath" ] }, "Paste": { "type": "object", "properties": { "Source": { "type": "string", "description": "The paste service the record was retrieved from. Current values are: Pastebin, Pastie, Slexy, Ghostbin, QuickLeak, JustPaste, AdHocUrl, PermanentOptOut, OptOut." }, "Id": { "type": "string", "description": "The ID of the paste as it was given at the source service. Combined with the 'Source' attribute, this can be used to resolve the URL of the paste." }, "Title": { "type": "string", "nullable": true, "description": "The title of the paste as observed on the source site. This may be null and if so will be omitted from the response." }, "Date": { "type": "string", "format": "date-time", "nullable": true, "description": "The date and time (precision to the second) that the paste was posted. This is taken directly from the paste site when this information is available but may be null if no date is published." }, "EmailCount": { "type": "integer", "description": "The number of emails that were found when processing the paste." } }, "required": [ "Source", "Id", "EmailCount" ] }, "SubscribedDomain": { "type": "object", "properties": { "DomainName": { "type": "string", "description": "The full domain name that has been successfully verified." }, "PwnCount": { "type": "integer", "nullable": true, "description": "The total number of breached email addresses found on the domain at last search (will be null if no searches yet performed)." }, "PwnCountExcludingSpamLists": { "type": "integer", "nullable": true, "description": "The number of breached email addresses found on the domain at last search, excluding any breaches flagged as a spam list (will be null if no searches yet performed)." }, "PwnCountExcludingSpamListsAtLastSubscriptionRenewal": { "type": "integer", "nullable": true, "description": "The total number of breached email addresses found on the domain when the current subscription was taken out (will be null if no searches yet performed). This number ensures the domain remains searchable throughout the subscription period even if the volume of breached accounts grows beyond the subscription's scope." }, "NextSubscriptionRenewal": { "type": "string", "format": "date-time", "nullable": true, "description": "The date and time the current subscription ends in ISO 8601 format. The PwnCountExcludingSpamListsAtLastSubscriptionRenewal value is locked in until this time (will be null if there have been no subscriptions)." } }, "required": [ "DomainName" ] }, "SubscriptionStatus": { "type": "object", "properties": { "SubscriptionName": { "type": "string", "description": "The name representing the current plan and level, for example \"Core 1\", \"Pro 2\", or \"High RPM 12000\"." }, "Description": { "type": "string", "description": "A human-readable sentence explaining the scope of the subscription." }, "SubscribedUntil": { "type": "string", "format": "date-time", "description": "The date and time the current subscription ends in ISO 8601 format." }, "Rpm": { "type": "integer", "description": "The rate limit in requests per minute. This applies to the rate the breach search by email address API can be requested." }, "DomainSearchMaxBreachedAccounts": { "type": "integer", "nullable": true, "description": "The size of the largest domain the subscription can search. This is expressed in the total number of breached email addresses on the domain, excluding those that appear solely in spam lists." }, "MaxBreachedDomains": { "type": "integer", "nullable": true, "description": "The number of domains the subscription can add, regardless of their size. A null value indicates there is no max domain limit." }, "IncludesStealerLogs": { "type": "boolean", "description": "Indicates if the subscription includes access to the stealer logs APIs." }, "IncludesBulkDomainAdd": { "type": "boolean", "description": "Indicates if the subscription includes access to the APIs that add domains via DNS or email verification." }, "IncludesAutoSubdomainVerification": { "type": "boolean", "description": "Indicates if the subscription allows subdomains to be automatically added after the apex domain has already been verified." }, "IncludesCustomerDomains": { "type": "boolean", "description": "Indicates if the subscription allows the domains of customers to be added." }, "IncludesKAnon": { "type": "boolean", "description": "Indicates if the subscription includes access to the breached-account k-anonymity API." } }, "required": [ "SubscriptionName", "Description", "SubscribedUntil", "Rpm", "DomainSearchMaxBreachedAccounts", "MaxBreachedDomains", "IncludesStealerLogs", "IncludesBulkDomainAdd", "IncludesAutoSubdomainVerification", "IncludesCustomerDomains", "IncludesKAnon" ] }, "MessageOnlyError": { "type": "object", "description": "Simple error response used by the domain-verification APIs.", "properties": { "message": { "type": "string" } }, "required": [ "message" ] }, "TruncatedBreach": { "type": "object", "properties": { "Name": { "type": "string", "description": "The stable Pascal-cased breach name. This is the value returned by default from /breachedaccount and can be used to look up the full breach model via /breach/{name}." } }, "required": [ "Name" ] }, "DomainVerificationRequest": { "type": "object", "properties": { "DomainName": { "type": "string", "description": "Domain name to generate or verify a domain-verification token for." } }, "required": [ "DomainName" ] }, "DomainVerificationEmailRequest": { "type": "object", "properties": { "DomainName": { "type": "string", "description": "Domain name to send the verification email for." }, "EmailAlias": { "type": "string", "description": "One of the configured domain-verification aliases (for example admin or postmaster)." } }, "required": [ "DomainName", "EmailAlias" ] }, "DomainVerificationDnsTokenResponse": { "type": "object", "properties": { "txtRecordValue": { "type": "string", "description": "TXT record value to publish on the domain before calling verifydnstoken." } }, "required": [ "txtRecordValue" ] } } }, "paths": { "/breachedaccount/{account}": { "servers": [ { "url": "https://haveibeenpwned.com/api/v3" } ], "get": { "summary": "Get all breaches for an account", "description": "Available on Core, Pro, and High RPM subscriptions. Returns the breaches for the supplied account (email address, username, or phone number). The account is not case-sensitive and is trimmed of leading or trailing whitespace. The account should always be URL encoded. This is an authenticated API requiring both the hibp-api-key and user-agent headers. Test API keys can be used to query test accounts on the hibp-integration-tests.com domain.", "parameters": [ { "$ref": "#/components/parameters/UserAgent" }, { "name": "account", "in": "path", "required": true, "schema": { "type": "string" }, "description": "URL-encoded account to search for (email address, username, or phone number)" }, { "name": "truncateResponse", "in": "query", "schema": { "type": "boolean", "default": true }, "description": "Returns the full breach model when false. By default, only the name of the breach is returned rather than the complete breach data." }, { "name": "domain", "in": "query", "schema": { "type": "string" }, "description": "Filters the result set to only breaches against the domain specified. It is possible that one site (and consequently domain), is compromised on multiple occasions." }, { "name": "includeUnverified", "in": "query", "schema": { "type": "boolean", "default": true }, "description": "Returns breaches that have been flagged as 'unverified'. By default, both verified and unverified breaches are returned when performing a search." } ], "security": [ { "HibpApiKey": [] } ], "responses": { "200": { "description": "A list of breaches for the account. By default the response is truncated to only the breach name. Set truncateResponse=false to receive the full breach model. Sensitive and retired breaches are not returned by the public API.", "content": { "application/json": { "schema": { "oneOf": [ { "type": "array", "items": { "$ref": "#/components/schemas/TruncatedBreach" } }, { "type": "array", "items": { "$ref": "#/components/schemas/Breach" } } ] } } } }, "400": { "description": "Bad request — the account does not comply with an acceptable format (i.e. it's an empty string)", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Error" } } } }, "401": { "description": "Unauthorized — the API key provided was not valid", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Error" }, "examples": { "missing": { "value": { "statusCode": 401, "message": "Access denied due to missing hibp-api-key." } }, "malformed": { "value": { "statusCode": 401, "message": "Access denied due to improperly formed hibp-api-key." } }, "invalid": { "value": { "statusCode": 401, "message": "Access denied due to invalid hibp-api-key." } } } } } }, "403": { "description": "Forbidden — no user agent has been specified in the request.", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Error" } } } }, "404": { "description": "Not found — the account could not be found and has therefore not been pwned", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Error" } } } }, "429": { "description": "Too many requests — the rate limit has been exceeded", "headers": { "Retry-After": { "description": "Seconds until retry (rounded up to the next whole second)", "schema": { "type": "integer" } } }, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Error" }, "example": { "statusCode": 429, "message": "Rate limit is exceeded. Try again in 2 seconds." } } } }, "503": { "description": "Service unavailable — usually returned by Cloudflare if the underlying service is not available", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Error" } } } } }, "x-hibp-subscription-tiers": [ "Core", "Pro", "High RPM" ] } }, "/breachedaccount/range/{prefix}": { "servers": [ { "url": "https://haveibeenpwned.com/api/v3" } ], "get": { "summary": "Get all breached account hashes for a range", "description": "Available on Pro and High RPM subscriptions. Search breached accounts via k-anonymity by providing the first 6 characters of the SHA-1 hash of a normalised email address. The response contains matching hash suffixes and associated breach names after public filtering. Sensitive and retired breaches are not returned. Per the terms of use, any results that do not match the target account being searched must be discarded immediately and not stored or further processed.", "parameters": [ { "$ref": "#/components/parameters/UserAgent" }, { "name": "prefix", "in": "path", "required": true, "schema": { "type": "string", "minLength": 6, "maxLength": 6, "pattern": "^[0-9A-Fa-f]{6}$" }, "description": "First 6 characters of the SHA-1 hash of the email address to search for (hexadecimal, not case-sensitive)" } ], "security": [ { "HibpApiKey": [] } ], "responses": { "200": { "description": "Hash suffixes and breach names for accounts in the requested range. Sensitive breaches are removed and any suffix with no remaining public breaches is omitted.", "content": { "application/json": { "schema": { "type": "array", "items": { "$ref": "#/components/schemas/BreachedAccountRangeResult" } }, "example": [ { "hashSuffix": "D95E127BD0C0455D0CF3CEE15022BA020D", "websites": [ "Adobe" ] } ] } } }, "400": { "description": "Bad request — the prefix was not a 6-character hexadecimal string.", "content": { "text/plain": { "schema": { "type": "string" }, "example": "Invalid hex prefix" } } }, "401": { "description": "Unauthorized — the API key provided was not valid", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Error" }, "examples": { "missing": { "value": { "statusCode": 401, "message": "Access denied due to missing hibp-api-key." } }, "malformed": { "value": { "statusCode": 401, "message": "Access denied due to improperly formed hibp-api-key." } }, "invalid": { "value": { "statusCode": 401, "message": "Access denied due to invalid hibp-api-key." } } } } } }, "403": { "description": "Forbidden — no user agent has been specified in the request, or the current subscription does not include access to the breached-account k-anonymity API.", "content": { "text/plain": { "schema": { "type": "string" }, "examples": { "missingUserAgent": { "value": "API request must include a user agent" }, "insufficientTier": { "value": "Your HIBP API key does not have access to this resource" } } } } }, "404": { "description": "Not found — no public breached-account hashes remain for the requested range after filtering.", "content": { "text/plain": { "schema": { "type": "string" }, "example": "There are no hashes beginning with that prefix" } } }, "429": { "description": "Too many requests — the rate limit has been exceeded", "headers": { "Retry-After": { "description": "Seconds until retry (rounded up to the next whole second)", "schema": { "type": "integer" } } }, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Error" }, "example": { "statusCode": 429, "message": "Rate limit is exceeded. Try again in 2 seconds." } } } }, "503": { "description": "Service unavailable — usually returned by Cloudflare if the underlying service is not available", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Error" } } } } }, "x-hibp-subscription-tiers": [ "Pro", "High RPM" ] } }, "/breacheddomain/{domain}": { "servers": [ { "url": "https://haveibeenpwned.com/api/v3" } ], "get": { "summary": "Get all breached email addresses for a domain", "description": "Available on Core and Pro subscriptions. Returns all breached email aliases on a verified domain and the breach names they have appeared in. The domain must already have been added to the domain search dashboard and successfully verified. Sensitive breaches are returned because this API is only available after domain control has been demonstrated.", "parameters": [ { "$ref": "#/components/parameters/UserAgent" }, { "name": "domain", "in": "path", "required": true, "schema": { "type": "string" }, "description": "The domain to be searched for. Must be a verified domain in the domain search dashboard." } ], "security": [ { "HibpApiKey": [] } ], "responses": { "200": { "description": "Mapping of email aliases to breach names. For each breached email address on the domain, only the alias is returned along with each breach it has appeared in. Only the name attribute of the breach is returned.", "content": { "application/json": { "schema": { "type": "object", "additionalProperties": { "type": "array", "items": { "type": "string" } } }, "example": { "alias1": [ "Adobe" ], "alias2": [ "Adobe", "Gawker", "Stratfor" ], "alias3": [ "AshleyMadison" ] } } } }, "400": { "description": "Bad request — invalid domain format", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Error" } } } }, "401": { "description": "Unauthorized — the hibp-api-key header was missing, malformed, or invalid.", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Error" } } } }, "403": { "description": "Forbidden — no user agent has been specified in the request, the domain has not been verified in the domain search dashboard, or the current subscription is out of scope for the domain size or monitored-domain count.", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Error" } } } }, "404": { "description": "Not found — the domain does not have any email addresses in any breaches", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Error" } } } }, "429": { "description": "Too many requests — the rate limit has been exceeded. Typically, there is no need to query a domain unless a new breach has been added since the last query.", "headers": { "Retry-After": { "description": "Seconds until retry", "schema": { "type": "integer" } } }, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Error" } } } }, "503": { "description": "Service unavailable", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Error" } } } } }, "x-hibp-subscription-tiers": [ "Core", "Pro" ] } }, "/subscribeddomains": { "servers": [ { "url": "https://haveibeenpwned.com/api/v3" } ], "get": { "summary": "Get all subscribed domains for API key", "description": "Available on Core and Pro subscriptions. Returns the domains associated with the supplied hibp-api-key after they have been added to the domain search dashboard and verified.", "parameters": [ { "$ref": "#/components/parameters/UserAgent" } ], "security": [ { "HibpApiKey": [] } ], "responses": { "200": { "description": "List of subscribed domains", "content": { "application/json": { "schema": { "type": "array", "items": { "$ref": "#/components/schemas/SubscribedDomain" } } } } }, "401": { "description": "Unauthorized — the hibp-api-key header was missing, malformed, or invalid.", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Error" } } } }, "403": { "description": "Forbidden — no user agent has been specified in the request.", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Error" } } } } }, "x-hibp-subscription-tiers": [ "Core", "Pro" ] } }, "/domainverification/generatednstoken": { "servers": [ { "url": "https://haveibeenpwned.com/api/v3" } ], "post": { "summary": "Generate a DNS verification token for a domain", "description": "Available on Pro subscriptions. Generates the domain-specific TXT record value used to verify control of a domain via DNS before it can be searched through the domain search APIs.", "x-hibp-subscription-tiers": [ "Pro" ], "parameters": [ { "$ref": "#/components/parameters/UserAgent" } ], "security": [ { "HibpApiKey": [] } ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/DomainVerificationRequest" }, "example": { "DomainName": "example.com" } } } }, "responses": { "200": { "description": "The TXT record value to publish on the domain.", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/DomainVerificationDnsTokenResponse" }, "example": { "txtRecordValue": "hibp-verify=dweb_abc123xyz" } } } }, "400": { "description": "Bad request — the request body was invalid, the domain was invalid, or the domain cannot be verified.", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/MessageOnlyError" }, "examples": { "invalidDomain": { "value": { "message": "An invalid domain was provided with the request" } }, "alreadyVerified": { "value": { "message": "Domain has already been verified." } }, "invalidJson": { "value": { "message": "Invalid JSON" } } } } } }, "401": { "description": "Unauthorized — the hibp-api-key header was missing, malformed, or invalid.", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Error" } } } }, "403": { "description": "Forbidden — no user agent has been specified in the request, or the current subscription does not include permission to add domains via the API.", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/MessageOnlyError" }, "examples": { "insufficientSubscription": { "value": { "message": "Your subscription does not have permission to add domains. Please contact support if you believe this is an error." } } } } } } } } }, "/domainverification/verifydnstoken": { "servers": [ { "url": "https://haveibeenpwned.com/api/v3" } ], "post": { "summary": "Verify a DNS token for a domain", "description": "Available on Pro subscriptions. Checks the hibp-verify TXT record on the requested domain and, if it matches the previously generated token, marks the domain as verified for domain search.", "x-hibp-subscription-tiers": [ "Pro" ], "parameters": [ { "$ref": "#/components/parameters/UserAgent" } ], "security": [ { "HibpApiKey": [] } ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/DomainVerificationRequest" }, "example": { "DomainName": "example.com" } } } }, "responses": { "200": { "description": "The domain was successfully verified." }, "400": { "description": "Bad request — the request body was invalid, the domain was invalid, or the domain cannot be verified.", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/MessageOnlyError" }, "examples": { "invalidDomain": { "value": { "message": "An invalid domain was provided with the request" } }, "invalidJson": { "value": { "message": "Invalid JSON" } } } } } }, "401": { "description": "Unauthorized — the hibp-api-key header was missing, malformed, or invalid.", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Error" } } } }, "403": { "description": "Forbidden — no user agent has been specified in the request, or the current subscription does not include permission to add domains via the API.", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/MessageOnlyError" }, "examples": { "insufficientSubscription": { "value": { "message": "Your subscription does not have permission to add domains. Please contact support if you believe this is an error." } } } } } }, "404": { "description": "Not found — no matching hibp-verify TXT record was found on the domain.", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/MessageOnlyError" }, "examples": { "noTxtRecords": { "value": { "message": "No hibp-verify TXT records were found on the domain." } }, "wrongTxtRecord": { "value": { "message": "Expected a TXT record of hibp-verify=dweb_abc123xyz but instead found hibp-verify=dweb_othercode" } } } } } } } } }, "/domainverification/sendemail": { "servers": [ { "url": "https://haveibeenpwned.com/api/v3" } ], "post": { "summary": "Send a domain verification approval email", "description": "Available on Pro subscriptions. Sends a verification email to one of the configured aliases on the target domain so that domain control can be approved via a link in the email.", "x-hibp-subscription-tiers": [ "Pro" ], "parameters": [ { "$ref": "#/components/parameters/UserAgent" } ], "security": [ { "HibpApiKey": [] } ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/DomainVerificationEmailRequest" }, "example": { "DomainName": "example.com", "EmailAlias": "admin" } } } }, "responses": { "200": { "description": "The verification email was sent successfully." }, "400": { "description": "Bad request — the request body was invalid, the domain was invalid, the alias was invalid, or the verification email could not be sent.", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/MessageOnlyError" }, "examples": { "missingAlias": { "value": { "message": "No emailAlias field was passed in the request body." } }, "invalidDomain": { "value": { "message": "An invalid domain was provided with the request" } }, "invalidJson": { "value": { "message": "Invalid JSON" } } } } } }, "401": { "description": "Unauthorized — the hibp-api-key header was missing, malformed, or invalid.", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Error" } } } }, "403": { "description": "Forbidden — no user agent has been specified in the request, or the current subscription does not include permission to add domains via the API.", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/MessageOnlyError" }, "examples": { "insufficientSubscription": { "value": { "message": "Your subscription does not have permission to add domains. Please contact support if you believe this is an error." } } } } } } } } }, "/breaches": { "servers": [ { "url": "https://haveibeenpwned.com/api/v3" } ], "get": { "summary": "Get all breaches in the system", "description": "Returns the full breach catalogue. This endpoint is unauthenticated, but it still requires a user-agent header.", "parameters": [ { "$ref": "#/components/parameters/UserAgent" }, { "name": "domain", "in": "query", "schema": { "type": "string" }, "description": "Filters the result set to only breaches against the domain specified. It is possible that one site (and consequently domain), is compromised on multiple occasions." }, { "name": "isSpamList", "in": "query", "schema": { "type": "boolean" }, "description": "Filters the result set to only breaches that either are or are not flagged as a spam list." } ], "responses": { "200": { "description": "List of all breaches, sorted alphabetically by the title of the breach", "content": { "application/json": { "schema": { "type": "array", "items": { "$ref": "#/components/schemas/Breach" } } } } }, "403": { "description": "Forbidden — missing user agent", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Error" } } } } } } }, "/breach/{name}": { "servers": [ { "url": "https://haveibeenpwned.com/api/v3" } ], "get": { "summary": "Get a single breach by name", "description": "Returns the full breach model for a single breach identified by its stable Name value. This endpoint is unauthenticated, but it still requires a user-agent header.", "parameters": [ { "$ref": "#/components/parameters/UserAgent" }, { "name": "name", "in": "path", "required": true, "schema": { "type": "string" }, "description": "Unique breach name (Pascal-cased, stable identifier)" } ], "responses": { "200": { "description": "A single breach object", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Breach" } } } }, "403": { "description": "Forbidden — missing user agent", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Error" } } } }, "404": { "description": "Not found — breach name invalid", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Error" } } } } } } }, "/latestbreach": { "servers": [ { "url": "https://haveibeenpwned.com/api/v3" } ], "get": { "summary": "Get the most recently added breach", "description": "Returns the most recently added breach based on AddedDate. This endpoint is unauthenticated, but it still requires a user-agent header.", "parameters": [ { "$ref": "#/components/parameters/UserAgent" } ], "responses": { "200": { "description": "The latest breach based on AddedDate", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Breach" } } } }, "403": { "description": "Forbidden — missing user agent", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Error" } } } } } } }, "/dataclasses": { "servers": [ { "url": "https://haveibeenpwned.com/api/v3" } ], "get": { "summary": "Get all data classes in the system", "description": "Returns the alphabetically ordered list of data classes seen across breaches in the system. This endpoint is unauthenticated, but it still requires a user-agent header.", "parameters": [ { "$ref": "#/components/parameters/UserAgent" } ], "responses": { "200": { "description": "Alphabetically ordered list of data classes", "content": { "application/json": { "schema": { "type": "array", "items": { "type": "string" } } } } }, "403": { "description": "Forbidden — missing user agent", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Error" } } } } } } }, "/stealerlogsbyemail/{email}": { "servers": [ { "url": "https://haveibeenpwned.com/api/v3" } ], "get": { "summary": "Get all stealer log domains for an email address", "description": "Available on Pro subscriptions. Searches stealer-log data by the full email address captured by an info stealer. The email address must be on a domain already added to the domain search dashboard and successfully verified. The current subscription must include stealer-log access.", "parameters": [ { "$ref": "#/components/parameters/UserAgent" }, { "name": "email", "in": "path", "required": true, "schema": { "type": "string" }, "description": "URL-encoded email address to search for stealer logs. Must be on a verified domain in the domain search dashboard." } ], "security": [ { "HibpApiKey": [] } ], "responses": { "200": { "description": "List of website domains sorted alphabetically where this email address appeared in stealer logs", "content": { "application/json": { "schema": { "type": "array", "items": { "type": "string" } }, "example": [ "netflix.com", "spotify.com" ] } } }, "401": { "description": "Unauthorized — the hibp-api-key header was missing, malformed, or invalid.", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Error" } } } }, "403": { "description": "Forbidden — no user agent has been specified in the request, the email domain has not been verified for this subscription, or the current subscription product does not include access to stealer logs.", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Error" } } } }, "404": { "description": "Not found — there are no stealer logs for that email address.", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Error" } } } }, "429": { "description": "Too many requests — the rate limit has been exceeded.", "headers": { "Retry-After": { "description": "Seconds until retry (rounded up to the next whole second)", "schema": { "type": "integer" } } }, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Error" }, "example": { "statusCode": 429, "message": "Rate limit is exceeded. Try again in 2 seconds." } } } }, "503": { "description": "Service unavailable — usually returned by Cloudflare if the underlying service is not available.", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Error" } } } } }, "x-hibp-subscription-tiers": [ "Pro" ] } }, "/stealerlogsbywebsitedomain/{domain}": { "servers": [ { "url": "https://haveibeenpwned.com/api/v3" } ], "get": { "summary": "Get all stealer log email addresses for a website domain", "description": "Available on Pro subscriptions. Searches stealer-log data by the website domain victims were authenticating to when their credentials were captured. The domain must already be added to the domain search dashboard and successfully verified. The current subscription must include stealer-log access.", "parameters": [ { "$ref": "#/components/parameters/UserAgent" }, { "name": "domain", "in": "path", "required": true, "schema": { "type": "string" }, "description": "Website domain to search for in stealer logs. Must be a verified domain in the domain search dashboard." } ], "security": [ { "HibpApiKey": [] } ], "responses": { "200": { "description": "List of email addresses sorted alphabetically", "content": { "application/json": { "schema": { "type": "array", "items": { "type": "string" } }, "example": [ "andy@gmail.com", "jane@gmail.com" ] } } }, "401": { "description": "Unauthorized — the hibp-api-key header was missing, malformed, or invalid.", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Error" } } } }, "403": { "description": "Forbidden — no user agent has been specified in the request, the domain has not been verified for this subscription, or the current subscription product does not include access to stealer logs.", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Error" } } } }, "404": { "description": "Not found — there are no email addresses in stealer logs for that website domain.", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Error" } } } }, "429": { "description": "Too many requests — the domain-based stealer-log rate limit has been exceeded. This limit is independent of the subscription RPM.", "headers": { "Retry-After": { "description": "Seconds until retry (rounded up to the next whole second)", "schema": { "type": "integer" } } }, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Error" }, "example": { "statusCode": 429, "message": "Rate limit is exceeded. Try again in 2 seconds." } } } }, "503": { "description": "Service unavailable — usually returned by Cloudflare if the underlying service is not available.", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Error" } } } } }, "x-hibp-subscription-tiers": [ "Pro" ] } }, "/stealerlogsbyemaildomain/{domain}": { "servers": [ { "url": "https://haveibeenpwned.com/api/v3" } ], "get": { "summary": "Get all stealer log email aliases for an email domain", "description": "Available on Pro subscriptions. Searches stealer-log data by the domain portion of the email address and returns aliases mapped to the website domains where those credentials appeared. The domain must already be added to the domain search dashboard and successfully verified. The current subscription must include stealer-log access.", "parameters": [ { "$ref": "#/components/parameters/UserAgent" }, { "name": "domain", "in": "path", "required": true, "schema": { "type": "string" }, "description": "Email domain to search for stealer logs. Must be a verified domain in the domain search dashboard." } ], "security": [ { "HibpApiKey": [] } ], "responses": { "200": { "description": "Map of email aliases to website domains, both sorted alphabetically", "content": { "application/json": { "schema": { "type": "object", "additionalProperties": { "type": "array", "items": { "type": "string" } } }, "example": { "andy": [ "netflix.com" ], "jane": [ "netflix.com", "spotify.com" ] } } } }, "401": { "description": "Unauthorized — the hibp-api-key header was missing, malformed, or invalid.", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Error" } } } }, "403": { "description": "Forbidden — no user agent has been specified in the request, the domain has not been verified for this subscription, or the current subscription product does not include access to stealer logs.", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Error" } } } }, "404": { "description": "Not found — there are no stealer-log results for that email domain.", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Error" } } } }, "429": { "description": "Too many requests — the domain-based stealer-log rate limit has been exceeded. This limit is independent of the subscription RPM.", "headers": { "Retry-After": { "description": "Seconds until retry (rounded up to the next whole second)", "schema": { "type": "integer" } } }, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Error" }, "example": { "statusCode": 429, "message": "Rate limit is exceeded. Try again in 2 seconds." } } } }, "503": { "description": "Service unavailable — usually returned by Cloudflare if the underlying service is not available.", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Error" } } } } }, "x-hibp-subscription-tiers": [ "Pro" ] } }, "/pasteaccount/{account}": { "servers": [ { "url": "https://haveibeenpwned.com/api/v3" } ], "get": { "summary": "Get all pastes for an account", "description": "Available on Core, Pro, and High RPM subscriptions. Searches for pastes containing the supplied email address. The address is not case-sensitive, is trimmed of leading or trailing whitespace, and should always be URL encoded. This is an authenticated API requiring both the hibp-api-key and user-agent headers.", "parameters": [ { "$ref": "#/components/parameters/UserAgent" }, { "name": "account", "in": "path", "required": true, "schema": { "type": "string" }, "description": "URL-encoded email address to search for pastes" } ], "security": [ { "HibpApiKey": [] } ], "responses": { "200": { "description": "List of pastes, sorted chronologically with the newest paste first", "content": { "application/json": { "schema": { "type": "array", "items": { "$ref": "#/components/schemas/Paste" } } } } }, "400": { "description": "Bad request — invalid account format", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Error" } } } }, "401": { "description": "Unauthorized — the hibp-api-key header was missing, malformed, or invalid.", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Error" } } } }, "403": { "description": "Forbidden — no user agent has been specified in the request.", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Error" } } } }, "404": { "description": "Not found — no pastes for account", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Error" } } } }, "429": { "description": "Too many requests — rate limit exceeded", "headers": { "Retry-After": { "description": "Seconds until retry", "schema": { "type": "integer" } } }, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Error" } } } }, "503": { "description": "Service unavailable", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Error" } } } } }, "x-hibp-subscription-tiers": [ "Core", "Pro", "High RPM" ] } }, "/subscription/status": { "servers": [ { "url": "https://haveibeenpwned.com/api/v3" } ], "get": { "summary": "Get current subscription status", "description": "Available on Core, Pro, and High RPM subscriptions. Returns details of the current subscription represented by the supplied hibp-api-key, including plan capabilities such as stealer-log access, breached-account k-anonymity access, bulk domain add features, and monitored-domain limits.", "parameters": [ { "$ref": "#/components/parameters/UserAgent" } ], "security": [ { "HibpApiKey": [] } ], "responses": { "200": { "description": "Current subscription capabilities and limits for the supplied API key.", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/SubscriptionStatus" } } } }, "401": { "description": "Unauthorized — the hibp-api-key header was missing, malformed, or invalid.", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Error" } } } }, "403": { "description": "Forbidden — no user agent has been specified in the request.", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Error" } } } }, "404": { "description": "Not found — no active subscription was found for the supplied API key.", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Error" }, "example": { "statusCode": 404, "message": "No active subscription found." } } } } }, "x-hibp-subscription-tiers": [ "Core", "Pro", "High RPM" ] } }, "/range/{prefix}": { "servers": [ { "url": "https://api.pwnedpasswords.com" } ], "get": { "summary": "Pwned Passwords range search (k-Anonymity)", "description": "Free Pwned Passwords range search using k-anonymity. This endpoint does not require authentication and is not rate limited, but it still requires a user-agent header. Provide the first 5 characters of either a SHA-1 or NTLM hash to receive matching suffixes and prevalence counts.", "parameters": [ { "$ref": "#/components/parameters/UserAgent" }, { "$ref": "#/components/parameters/AddPadding" }, { "name": "prefix", "in": "path", "required": true, "schema": { "type": "string", "minLength": 5, "maxLength": 5, "pattern": "^[0-9A-Fa-f]{5}$" }, "description": "First 5 characters of a SHA-1 or NTLM hash (hexadecimal, not case-sensitive)" }, { "name": "mode", "in": "query", "schema": { "type": "string", "enum": [ "ntlm" ] }, "description": "Returns NTLM hash suffixes when set to 'ntlm'. When the mode is not specified or is any value other than 'ntlm', the resulting hashes will be in SHA-1 form." } ], "responses": { "200": { "description": "Hash suffixes and prevalence counts. Each line contains a hash suffix followed by a colon and the count of how many times the password appears in the data set. Padded entries (when Add-Padding is used) always have a count of 0 and should be discarded.", "content": { "text/plain": { "schema": { "type": "string" }, "example": "0018A45C4D1DEF81644B54AB7F969B88D65:1\n00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\n011053FD0102E94D6AE2F8B83D76FAF94F6:1\n012A7CA357541F0AC487871FEEC1891C49C:2\n0136E006E24E7D152139815FB0FC6A50B15:2" } } }, "403": { "description": "Forbidden — missing or invalid user agent", "content": { "text/plain": { "schema": { "type": "string" } } } } }, "security": [] } } }, "externalDocs": { "description": "Full API documentation and acceptable use policy", "url": "https://haveibeenpwned.com/API/v3" } }