Check if credentials have been compromised in real-time without exposing sensitive data. Our cryptographically secure API allows anonymous verification against billions of breached records.
Simple, well-documented endpoints
Private k-anonymity checks
Lightning-fast responses
Comprehensive database, updated daily
Your users stay protected. Their credentials stay private.
Your application receives login credentials: [email protected] : password123
// Hash the credential pair
const hash = SHA256(email + ':' + password)
// → 5baa61e4c9b93f3f0682250b6cf8331b...Extract the first 5 characters of the hash and send only the prefix to our API.
const prefix = hash.substring(0, 5)
// → "5baa6"
await fetch('/credential-check/query', { prefix })Our API finds all matching hashes and scrambles them with HMAC encryption before sending back.
// Server generates HMAC key
results = matchingHashes.map(h => HMAC(h, key))
return { results, key }Your app applies the same HMAC to your full hash and checks if it's in the results - all client-side.
if (hmacResults.includes(hmac(fullHash, key))) {
// Credential found in breach database!
// → Go to Step 5A (Breach Detected)
} else {
// Credentials are safe
// → Go to Step 5B (All Clear)
}SOC analyst response options - automate or trigger manually:
Credentials not found in any known breaches - proceed safely:
Your users' credentials are never exposed to DarkStrata or anyone else. The two-layer privacy approach means even we can't see what you're checking — only you know if there's a match.
The most private credential verification API available
| Feature | DarkStrata | Traditional APIs | In-House Database |
|---|---|---|---|
| Privacy Protection | K-Anonymity + HMACTwo-layer cryptographic privacy | Basic k-anonymity only Single layer protection | None Full credential exposure |
| Data Sent to API | 5-character prefix1 in 1 million anonymity set | Full hash or email Linkable across requests | Full credentials Complete exposure risk |
| Response Speed | <100msHighly optimised edge workers | 200-500ms Centralised servers | Variable Depends on infrastructure |
| Database Coverage | Billions of recordsConstantly updated | Millions of records Periodic updates | Manual effort required Expensive to maintain |
| Maintenance Burden | ZeroFully managed service | Low SaaS integration | HighStorage, updates, security |
| Compliance Friendly | GDPR ReadyZero PII transmitted | Depends on implementation May require DPA | Complex Full data protection burden |
| Diff Files | AvailableEnterprise tier only * | Not available API-only access | Manual processBuild your own system |
Get enterprise-grade breach protection without compromising your users' privacy or building expensive infrastructure.
* Diff files enable offline bulk processing for password vaults, enterprise password managers, and large-scale credential audits without API rate limits.
Protect your users across the entire authentication lifecycle
Verify credentials at login time to detect compromised accounts before they can be exploited. Force password resets for affected users automatically.
Check new user registrations to ensure they aren't using previously breached credentials. Protect your platform from credential stuffing attacks from day one.
Validate that new passwords haven't been compromised in data breaches. Ensure users choose strong, uncompromised passwords when updating their credentials.
Periodically check your user database against new breaches. Proactively notify users when their credentials appear in newly discovered data leaks.
Access large HMAC-anonymised hash files for offline credential checking. Ideal for password vaults, enterprise password managers, and bulk credential audits.
Get your API key and start checking credentials in minutes