Check if credentials have been compromised in real-time without exposing sensitive data. Our cryptographically secure API allows anonymous verification against billions of breached records.
Node.js, Python, Rust, Go, C#, Java
Simple, well-documented endpoints
Private k-anonymity checks
Lightning-fast responses
Comprehensive database, updated daily
Your users stay protected. Their credentials stay private.
Your application receives login credentials: [email protected] : password123
// Hash the credential pair
const hash = SHA256(email + ':' + password)
// → 5baa61e4c9b93f3f0682250b6cf8331b...Extract the first 5 characters of the hash and send only the prefix to our API.
const prefix = hash.substring(0, 5)
// → "5baa6"
await fetch('/credential-check/query', { prefix })Our API finds all matching hashes and scrambles them with HMAC encryption before sending back.
// Server generates HMAC key
results = matchingHashes.map(h => HMAC(h, key))
return { results, key }Your app applies the same HMAC to your full hash and checks if it's in the results - all client-side.
if (hmacResults.includes(hmac(fullHash, key))) {
// Credential found in breach database!
// → Go to Step 5A (Breach Detected)
} else {
// Credentials are safe
// → Go to Step 5B (All Clear)
}SOC analyst response options - automate or trigger manually:
Credentials not found in any known breaches - proceed safely:
Your users' credentials are never exposed to DarkStrata or anyone else. The two-layer privacy approach means even we can't see what you're checking — only you know if there's a match.
Get up and running in minutes with our open-source SDKs
// One call to check if credentials are compromised
const isBreached = await darkstrata.check('[email protected]', password);<dependency>io.darkstrata:credential-check</dependency>The most private credential verification API available
| Feature | DarkStrata | Traditional APIs | In-House Database |
|---|---|---|---|
| Privacy Protection | K-Anonymity + HMACTwo-layer cryptographic privacy | Basic k-anonymity only Single layer protection | None Full credential exposure |
| Data Sent to API | 5-character prefix1 in 1 million anonymity set | Full hash or email Linkable across requests | Full credentials Complete exposure risk |
| Response Speed | <200msHighly optimised edge workers | 500ms+ Centralised servers | Variable Depends on infrastructure |
| Database Coverage | Billions of recordsConstantly updated | Millions of records Periodic updates | Manual effort required Expensive to maintain |
| Maintenance Burden | ZeroFully managed service | Low SaaS integration | HighStorage, updates, security |
| Official SDKs | 6 Languages SupportedNode.js, Python, Rust, Go, C#, Java | Limited or none REST only, DIY integration | N/A Build everything yourself |
| Compliance Friendly | GDPR ReadyZero PII transmitted | Depends on implementation May require DPA | Complex Full data protection burden |
| Diff Files | AvailableEnterprise tier only * | Not available API-only access | Manual processBuild your own system |
Get enterprise-grade breach protection without compromising your users' privacy or building expensive infrastructure.
* Diff files enable offline bulk processing for password vaults, enterprise password managers, and large-scale credential audits without API rate limits.
Protect your users across the entire authentication lifecycle
Verify credentials at login time to detect compromised accounts before they can be exploited. Force password resets for affected users automatically.
Check new user registrations to ensure they aren't using previously breached credentials. Protect your platform from credential stuffing attacks from day one.
Validate that new passwords haven't been compromised in data breaches. Ensure users choose strong, uncompromised passwords when updating their credentials.
Periodically check your user database against new breaches. Proactively notify users when their credentials appear in newly discovered data leaks.
Get up and running in minutes with our official SDKs for Node.js, Python, Rust, Go, C#, and Java. Credential checking is a one-liner — no complex setup or cryptography knowledge required.
Access large HMAC-anonymised hash files for offline credential checking. Ideal for password vaults, enterprise password managers, and bulk credential audits.
Export credential exposure intelligence directly to your security tools
DarkStrata is the only credential exposure platform with native STIX/TAXII support. Feed structured threat intelligence directly into Splunk, Microsoft Sentinel, and other SIEM platforms without custom parsing or transformation.
Export credential exposure alerts as STIX Report objects with full context and relationships.
Compromised credentials as STIX Indicators with patterns for automated detection in your SIEM.
Compromised users as STIX Identity objects for correlation with your existing user directories.
| Endpoint | STIX Objects | Description |
|---|---|---|
/api/v1/stix/alerts | Report, Indicator, Identity, Relationship | Alert bundles with full credential context |
/api/v1/stix/alerts/:id | Report, Indicator, Identity, Relationship | Single alert as STIX bundle |
/api/v1/stix/indicators | Indicator, Observed-Data | Flat credential indicators for bulk import |
Splunk ES
Microsoft Sentinel
IBM QRadar
Any STIX 2.1
Get your API key and start checking credentials in minutes