API Documentation
Integrate password strength analysis and quantum resistance estimates into your applications with our simple REST API.
🚀 Quick Start
1. Get Your API Key
Register to receive your free API key:
curl -X POST https://mypasswordchecker.com/api/auth/register \
-H "Content-Type: application/json" \
-d '{"email":"[email protected]","name":"Your Name"}'
Response:
{
"success": true,
"api_key": "pk_abc123...",
"customer_id": "cus_...",
"plan": "free",
"quota": 50,
"message": "API key generated. Keep this secure!"
}
2. Make Your First Request
Use your API key to check password strength:
curl -X POST https://mypasswordchecker.com/api/v1/check-password \
-H "Content-Type: application/json" \
-H "X-API-Key: pk_abc123..." \
-d '{"password":"MyPassword123"}'
Response:
{
"success": true,
"message": "Request validated. Perform analysis client-side using zxcvbn.",
"usage": 1,
"remaining": 49
}
🔒 Privacy Note: Actual password analysis runs client-side in your application using zxcvbn. Our API validates requests and tracks usage without ever seeing the actual password.
🔑 Authentication
For API Requests (Programmatic Access)
All API requests require an API key sent in the X-API-Key header:
X-API-Key: pk_your_api_key_here
For Dashboard Access (Web Browser)
The Developer Dashboard uses secure session-based authentication with httpOnly cookies. To access your dashboard:
- Visit mypasswordchecker.com/dashboard
- Enter your API key to create a secure session
- Your session will last 24 hours
Dashboard authentication endpoints:
POST /api/auth/login - Create session with API key
GET /api/auth/me - Verify current session
POST /api/auth/logout - End session
🔒 Security: Sessions use httpOnly cookies that cannot be accessed by JavaScript, providing better security than storing API keys in localStorage.
⏱️ Rate Limiting
API responses include rate limit headers:
X-RateLimit-Limit: 50
X-RateLimit-Remaining: 42
X-RateLimit-Reset: 1699999999
| Plan | Tier 1 Quota | Tier 2 Quota |
|---|---|---|
| Free | 50/month | - |
| Standard ($19/mo) | 3,000/month + $0.09 overage | - |
| Quantum Monthly ($150/mo) | Included | 1,500/month + $0.09 overage |
📡 API Endpoints
POST /api/auth/register
Register for an API key (no authentication required)
Request Body:
{
"email": "string (required)",
"name": "string (optional)"
}
Response (201):
{
"success": true,
"api_key": "pk_...",
"customer_id": "cus_...",
"plan": "free",
"quota": 50
}
POST /api/v1/check-password
Tier 1 Endpoint - Validate password checking request
Headers:
X-API-Key: pk_your_key
Content-Type: application/json
Request Body:
{
"password": "string (required)"
}
Response (200):
{
"success": true,
"message": "Request validated. Perform analysis client-side using zxcvbn.",
"usage": 1,
"remaining": 49
}
Error Response (429 - Quota Exceeded):
{
"error": "Quota exceeded",
"usage": 50,
"quota": 50
}
POST /api/v1/quantum-estimate
Tier 2 Endpoint - Validate quantum resistance estimate request (requires paid plan)
Headers:
X-API-Key: pk_your_key
Content-Type: application/json
Request Body:
{
"password": "string (required)"
}
Response (200):
{
"success": true,
"message": "Quantum estimate request validated. Perform analysis client-side.",
"usage": 1,
"remaining": 1499,
"note": "Quantum estimates are theoretical and educational only."
}
Error Response (402 - Payment Required):
{
"error": "Tier 2 requires paid subscription",
"available_plans": ["quantum_monthly", "quantum_per_request"]
}
GET /api/dashboard/usage
Get current month's usage statistics
Authentication: Supports both API key header and session cookie
Headers (API Key Method):
X-API-Key: pk_your_key
Headers (Session Method):
Cookie: mpc_session=...
// Automatically sent by browser when logged into dashboard
Response (200):
{
"month": "2024-10",
"plan": "standard",
"tier1": {
"usage": 142,
"quota": 3000,
"remaining": 2858
},
"tier2": {
"usage": 0,
"quota": 0,
"remaining": 0
}
}
💻 Client-Side Implementation
After validating with our API, perform the actual password analysis client-side using zxcvbn:
// 1. Include zxcvbn
// 2. Validate with our API
const response = await fetch('https://mypasswordchecker.com/api/v1/check-password', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
'X-API-Key': 'pk_your_key'
},
body: JSON.stringify({ password: 'user_password' })
});
if (response.ok) {
// 3. Analyze password client-side
const result = zxcvbn('user_password');
console.log('Score:', result.score); // 0-4
console.log('Crack time:', result.crack_times_display.online_no_throttling_10_per_second);
console.log('Feedback:', result.feedback);
}
For quantum estimates, use our quantum estimator module:
// Include our quantum estimator
// Validate Tier 2 access
const response = await fetch('https://mypasswordchecker.com/api/v1/quantum-estimate', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
'X-API-Key': 'pk_your_key'
},
body: JSON.stringify({ password: 'user_password' })
});
if (response.ok) {
// Perform quantum analysis client-side
const result = QuantumEstimator.estimateTimes('user_password');
console.log('Classical time:', result.classical.human.label);
console.log('Quantum (pessimistic):', result.quantum.pessimistic.human.label);
console.log('Quantum (plausible):', result.quantum.plausible.human.label);
console.log('Quantum (optimistic):', result.quantum.optimistic.human.label);
}
⚠️ Error Codes
| Code | Meaning | Solution |
|---|---|---|
400 |
Bad Request | Check request format |
401 |
Unauthorized | Invalid or missing API key |
402 |
Payment Required | Upgrade plan to access endpoint |
429 |
Too Many Requests | Quota exceeded - upgrade or wait for reset |
500 |
Internal Error | Contact support |
✨ Best Practices
🔒 Security
- Never expose your API key in client-side code
- Store keys as environment variables
- Rotate keys if compromised
- Use HTTPS for all requests
⚡ Performance
- Cache validation responses when possible
- Perform analysis client-side after validation
- Monitor rate limit headers
- Implement exponential backoff for retries
🎯 Usage
- Validate once per user session, not per keystroke
- Display quota remaining to users
- Handle errors gracefully
- Upgrade before hitting quota limits