SDKs overview

HaveIBeenPwned (HIBP) offers various software development kits (SDKs) and libraries that facilitate interaction with its API endpoints. These tools are designed to simplify the process of checking if an email address, username, or password has appeared in a known data breach. By abstracting the underlying HTTP requests and response handling, SDKs enable developers to integrate HIBP's services into their applications with language-specific convenience. The primary APIs accessible via these SDKs are the Pwned Passwords API, which allows for secure checking of passwords using k-anonymity, and the Breach API, which retrieves breach data associated with specific accounts or domains.

Developing with HIBP SDKs often involves obtaining an API key for organizational use, although personal and non-commercial use might not always require one for certain endpoints like Pwned Passwords. The SDKs typically handle API key authentication, request formatting, and error handling, allowing developers to focus on integrating the breach checking functionality into their application logic. Different SDKs cater to various programming languages, reflecting the diverse development environments where HIBP's services are utilized.

Official SDKs by language

While HaveIBeenPwned primarily provides a well-documented RESTful API, its core maintainers and the broader community have developed libraries across several languages. The official API documentation serves as the canonical source for integration patterns. For personal use of the Pwned Passwords API, it's possible to query without an API key by fetching hash prefixes directly, which some community libraries implement. Formal official SDKs are not extensively listed for direct download on the HIBP site in the manner of some other API providers, but the community has widely adopted methods that conform to the API's structure. Below is a representation of common approaches and widely used community-supported libraries that effectively serve as SDKs.

Note on Official SDKs: HaveIBeenPwned adopts a model where the API documentation itself is the primary integration guide, often relying on the community to build language-specific wrappers. The project encourages direct API interaction for maximum flexibility and control, especially for the authenticated endpoints that require an API key.

Official API Integration Approach

Developers are encouraged to interact directly with the HIBP API endpoints using standard HTTP client libraries available in their chosen programming language. This approach provides direct control over requests and responses. For example, in Python, one might use the requests library; in JavaScript, fetch or axios. The HIBP documentation details the specific HTTP methods, headers, and response formats for each endpoint.

Installation

Since HIBP's model leans towards direct API interaction and community-driven libraries, installation typically involves adding a third-party package via a language's package manager. The following table outlines common approaches and popular community libraries for various languages.

Language | Common Package/Method | Installation Command | Maturity/Notes
Python | hibp-api | pip install hibp-api | Community-maintained, actively developed for Pwned Passwords and Breaches.
JavaScript (Node.js) | haveibeenpwned | npm install haveibeenpwned | Community-maintained, widely used for various HIBP endpoints.
PHP | hibp/hibp (via Composer) | composer require hibp/hibp | Community, provides interfaces for breaches and passwords.
C#/.NET | PwnedPasswords.Client | dotnet add package PwnedPasswords.Client | Community-maintained, specialized for Pwned Passwords API.
Go | go-hibp | go get github.com/mat/go-hibp | Community, covers various HIBP lookups.

Developers should verify the latest versions, documentation, and maintenance status of community libraries on their respective package repositories (e.g., PyPI for Python, npm for JavaScript) before integrating them into production environments. Always review the source code for security implications, especially when dealing with sensitive operations like password checking.

Quickstart example

This quickstart demonstrates how to use a popular community Python library, hibp-api, to check if an email address has been involved in any data breaches. This example assumes you have Python and pip installed.

Python Quickstart

# 1. Install the library
# pip install hibp-api

# 2. Import necessary modules
import asyncio
from hibp import HackedEmailChecker, PwnedPasswordChecker

# 3. Create an instance of each checker
# For personal/non-commercial use, an API key is not strictly required for some endpoints,
# but for organizational use, it's highly recommended and often mandatory.
# Replace 'YOUR_API_KEY' with your actual HIBP API key if you have one for organizational use.
# See: https://haveibeenpwned.com/API/v3#Authentication
checker = HackedEmailChecker(api_key="YOUR_API_KEY")  # API key is optional for unauthenticated public endpoints
password_checker = PwnedPasswordChecker()

async def check_email_breaches(email_address):
    print(f"Checking breaches for: {email_address}")
    try:
        # The `get_breaches_for_account` method fetches breach data.
        # It returns a list of dictionaries, one for each breach found.
        breaches = await checker.get_breaches_for_account(email_address)

        if breaches:
            print(f"\n{email_address} found in the following breaches:")
            for breach in breaches:
                print(f"  - Breach Name: {breach.get('Title')}")
                print(f"    Domain: {breach.get('Domain')}")
                print(f"    Date: {breach.get('BreachDate')}")
                print(f"    Compromised Data: {', '.join(breach.get('DataClasses', []))}\n")
        else:
            print(f"\nGood news — {email_address} was not found in any known breaches.")
    except Exception as e:
        print(f"An error occurred: {e}")

# Example for Pwned Passwords (using the same library structure)
async def check_password(password):
    # Do not echo the password, or a mask that reveals its length, to the console or logs.
    print("Checking password...")
    try:
        count = await password_checker.check_password_hash_prefix(password)
        if count > 0:
            print(f"\nThis password has been pwned {count} times. You should change it.")
        else:
            print("\nGood news — this password was not found in the pwned passwords list.")
    except Exception as e:
        print(f"An error occurred during password check: {e}")

# Example usage
if __name__ == "__main__":
    target_email = "user@example.com"  # Placeholder address; replace with an email to check
    asyncio.run(check_email_breaches(target_email))

    # Replace with a password to check (e.g., 'password', '123456')
    # Ensure sensitive passwords are not hardcoded in production.
    target_password = "password"
    asyncio.run(check_password(target_password))

This example demonstrates two core functionalities: checking email breaches and checking password compromise. For the Pwned Passwords API, the library handles the k-anonymity protocol, sending only the first five characters of the password hash and then filtering results locally to ensure the full password is never transmitted to the HIBP server, as detailed in the Pwned Passwords API specification.
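The k-anonymity exchange described above, written out with only the Python standard library. This is an added example, not code from hibp-api or from the original page. The function names, the `fake_fetch_range` stub and its response body are constructed so the block runs offline; in real use the stub would be replaced by a GET to `https://api.pwnedpasswords.com/range/{prefix}`.

```python
import hashlib
import hmac

HEX = set("0123456789ABCDEF")

def split_sha1(password):
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body):
    """Parse a range response body: one 'SUFFIX:COUNT' entry per line."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        suffix = suffix.upper()
        if not sep or len(suffix) != 35 or not set(suffix) <= HEX or not count.isdecimal():
            continue  # ignore blank or malformed lines instead of trusting them
        counts[suffix] = int(count)
    return counts

def pwned_count(password, fetch_range):
    """fetch_range(prefix) is the only call that leaves the process."""
    prefix, suffix = split_sha1(password)
    for candidate, count in parse_range(fetch_range(prefix)).items():
        # Padded responses (Add-Padding request header) carry decoy entries with count 0.
        if count > 0 and hmac.compare_digest(candidate, suffix):
            return count
    return 0

# Constructed offline stand-in for the range endpoint (assumption, not a real response).
SENT = []  # records everything that would have gone over the network

def fake_fetch_range(prefix):
    SENT.append(prefix)
    return "\r\n".join([
        "A" * 35 + ":3",                         # constructed unrelated entry
        split_sha1("password")[1] + ":1000",     # constructed hit with a made-up count
        split_sha1("padding-demo")[1] + ":0",    # constructed padding entry
        "not a valid line",
    ])

if __name__ == "__main__":
    for pw in ("password", "padding-demo"):
        print(pwned_count(pw, fake_fetch_range))
    print("sent over the wire:", SENT)
```

Recording what the fetch callable receives is also a quick way to audit a wrapper library: only five-character prefixes should ever appear in `SENT`.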

Community libraries

The developer community has created numerous libraries and wrappers for HaveIBeenPwned's API across a variety of programming languages. These libraries often wrap the API's functionality into more idiomatic constructs for their respective languages, handling common tasks such as HTTP requests, response parsing, and error management.

  • Python: Beyond hibp-api, other Python libraries like pyhibp and direct implementations using requests are common for integrating HIBP services. These often support both the Breaches and Pwned Passwords APIs.
  • JavaScript/Node.js: Libraries like haveibeenpwned (npm) provide functionalities for checking email breaches, domain breaches, and pwned passwords, suitable for server-side Node.js applications or client-side use (with caution regarding API key exposure).
  • PHP: Composer packages exist that offer object-oriented interfaces to the HIBP API, allowing PHP developers to easily query for compromised accounts or passwords within their web applications.
  • Ruby: Gems like hibp-ruby provide similar functionality for Ruby on Rails or other Ruby applications.
  • Go: Several Go modules are available, providing concise ways to interact with HIBP endpoints, often focusing on performance and concurrency.
  • C#/.NET: NuGet packages, such as those that specifically target the Pwned Passwords API, offer .NET developers robust tools for integration.

When selecting a community library, consider factors such as:

  • Active Maintenance: Libraries that are regularly updated tend to be more reliable and compatible with the latest API versions.
  • Documentation: Clear and comprehensive documentation simplifies integration and troubleshooting.
  • Community Support: A vibrant community around a library can provide assistance and contribute to its improvement.
  • Security Practices: Especially for password-related APIs, verify that the library correctly implements security protocols like k-anonymity to protect sensitive data. The OAuth 2.0 framework, while not directly related to HIBP's primary authentication for its core API, illustrates general principles of secure API access.

Always refer to the official HaveIBeenPwned API documentation for the definitive details on endpoint behavior, authentication, and rate limits, as community libraries are wrappers around this core functionality.