Have I Been Pwned API v3

REST API for searching breached accounts, pastes, breach metadata, domain breach data, and stealer log entries. Authentication requires an hibp-api-key header (32-character key) along with a descriptive user-agent header. Most endpoints require a paid subscription; rate limits range from 600 to 100,000 requests per minute depending on tier.

OpenAPI Specification

have-i-been-pwned-openapi.json Raw ↑