How do I authenticate to the LoginGuards API?

Authenticate by passing your API key in the x-api-key header for every request to the LoginGuards REST endpoints.

Which endpoints can I use to check passwords?

Use POST /check/plain for plaintext passwords, POST /check/sha1 for SHA-1 hashes, or POST /check/sha512_30 for SHA-512 fragments.

What happens when my free trial ends?

After 30 days or 50 requests, your trial pauses automatically. Upgrade to a paid plan to continue making requests without losing data.

Build confidently with LoginGuards

Documentation

Everything you need to integrate password breach protection into your product.

Step 1

Create an account

Step 2

Generate an API key

Head to the dashboard API Keys page and create a key. The secret value powers calls via the X-API-Key header.

Step 3

Call the breach check endpoint

POST to /check/plain with a password, /check/sha1 with a SHA-1 hash, or /check/sha512_30 with a 30-char SHA-512 fragment.

Step 4

Enforce outcomes

Block, reset, or step-up authenticate users when LoginGuards returns compromised credentials.

Prefer the command line?

Install the LoginGuards CLI for instant breach checks, usage logs, and account insights straight from your terminal. Visit theTools page to download binaries and view examples.

API Reference

LoginGuards exposes a JSON REST API secured by API keys. Pass your key in thex-api-key header for every request.

Base URL: https://api.loginguards.com/v1

POST/check/plain

Check a plaintext password against breaches.

Sample request body

{"password": "hunter2"}

POST/check/sha1

Submit a SHA-1 hash to search breach records.

Sample request body

{"sha1_hex": "5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8"}

POST/check/sha512_30

Submit the first 30 chars of a SHA-512 hash for privacy-preserving lookups.

Sample request body

{"sha512_30": "F7C3BC1D808E04732ADF679965CCC34CA7AE3441"}

GET/user/plan

Retrieve plan limits, remaining quota, and reset schedule for the authenticated user.

Multi-language request examples

The snippets below demonstrate calling POST /check/plain with a bearer token.

Guides & Best Practices

Walk through complete implementations and operational patterns designed to keep your users safe from credential stuffing and breach reuse attacks.

Integrate with Next.js

• Use our React hooks and protected routes to guard sensitive pages.
• Set up incremental static regeneration for breach status dashboards.
• Leverage the dashboard quota metrics to alert users proactively.

Operational best practices

• Rotate API keys quarterly and store only hashed copies.
• Enable rate limiting in your reverse proxy to shield against credential stuffing.
• Stream LoginGuards logs into your SIEM for unified alerting.

Data workflows

• Sync breach decisions back into your user metadata store.
• Trigger password reset emails automatically when `breached` is true.
• Track key analytics (breach rate, most affected org units) in BI dashboards.

Create an account

Generate an API key

Call the breach check endpoint

Enforce outcomes

Prefer the command line?

API Reference

Multi-language request examples

JavaScript (Fetch)

Node.js (Axios)

PHP (cURL)

Ruby (net/http)

Go (net/http)

Java (HttpClient)

Swift (URLSession)

Python (Requests)

C# (HttpClient)

Guides & Best Practices

Integrate with Next.js

Operational best practices

Data workflows

What are the rate limits?

How should I handle errors?

Can I subscribe to breach events?