Check whether a password has appeared in known data breaches, using Have I Been Pwned's Pwned Passwords k-anonymity model — only the first 5 characters of the password's SHA-1 hash are ever sent upstream, so the service never sees the password or the full hash. POST { password } (hashed server-side) OR { sha1 } (the 40-hex SHA-1, for true zero-knowledge — hash it client-side and send only that). Returns breached (boolean), count (how many times it appears in breach corpora), and the sha1Prefix used. Backed by a 900M+ breached-credential corpus an LLM cannot know. For signup/password-policy enforcement and credential-hygiene checks. Absence is not a guarantee of strength.
/api/security/password-exposurePAYMENT-SIGNATURE.The password exposure API is a pay-per-call security endpoint built for AI agents and autonomous software. Check whether a password has appeared in known data breaches, using Have I Been Pwned's Pwned Passwords k-anonymity model — only the first 5 characters of the password's SHA-1 hash are ever sent upstream, so the service never sees the password or the full hash.
There is no signup and no API key. An agent (or any HTTP client) hits the endpoint, receives an x402 "402 Payment Required" challenge, signs a sub-cent USDC payment on Base or Solana, and retries — the data comes back on the paid request. That makes it a drop-in password exposure data source for an agent tool-use loop, an MCP host, or a backend that needs security data on demand without onboarding to yet another vendor portal.
| Name | Type | Description |
|---|---|---|
password | string | min 1 chars · max 512 chars |
sha1 | string | min 40 chars · max 40 chars |
# 1. Probe the endpoint with no auth — receive 402 with PaymentRequirements
curl -sS -X POST 'https://2s.io/api/security/password-exposure' \
-H 'Content-Type: application/json' \
-d '{"password":"example","sha1":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"}'
# 2. Sign the EIP-3009 transferWithAuthorization for the advertised price +
# payTo from the 402 envelope, then retry with PAYMENT-SIGNATURE:
curl -sS -X POST 'https://2s.io/api/security/password-exposure' \
-H 'Content-Type: application/json' \
-H 'PAYMENT-SIGNATURE: <base64-json-payload>' \
-d '{"password":"example","sha1":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"}'
# Or just use the canonical runner — it handles the whole loop:
# EVM_PRIVATE_KEY=0x... node --env-file=.env.local \
# --experimental-strip-types scripts/x402-pay.ts \
# 'https://2s.io/api/security/password-exposure'import { TwoS } from '@2sio/sdk'
const client = new TwoS({
privateKey: process.env.EVM_PRIVATE_KEY as `0x${string}`,
})
const result = await client.security.passwordExposure({
"password": "example",
"sha1": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
})
console.log('endpoint:', result.endpoint)
console.log('cost:', result.costUsd, 'USDC')
console.log('tx:', result.settlement?.txHash)
console.log('data:', result.data)import os
from twosio import TwoS
client = TwoS(private_key=os.environ["EVM_PRIVATE_KEY"])
result = client.security.password_exposure(password="example", sha1="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx")
print("endpoint:", result.endpoint)
print("cost:", result.cost_usd, "USDC")
print("tx:", (result.settlement or {}).get("tx_hash"))
print("data:", result.data)// 1. Add @2sio/mcp to your MCP host config (Claude Desktop example below).
// EVM_PRIVATE_KEY funds x402 payments per call.
// claude_desktop_config.json
{
"mcpServers": {
"2sio": {
"command": "npx",
"args": ["-y", "@2sio/mcp"],
"env": { "EVM_PRIVATE_KEY": "0x..." }
}
}
}
// 2. Once the server is running, agents call this tool via standard MCP:
{
"jsonrpc": "2.0",
"id": 1,
"method": "tools/call",
"params": {
"name": "security.password-exposure",
"arguments": {
"password": "example",
"sha1": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}
}
}| Field | Type | Description |
|---|---|---|
ok | boolean | one of: true |
items | array | |
total | integer | Total matching rows upstream; null when unknown. |
source | object |
{
"ok": true,
"items": [
{
"breached": false,
"count": 1,
"sha1Prefix": "example",
"inputMode": "example",
"note": "example"
}
],
"total": 1,
"source": {
"provider": "example",
"url": "example",
"license": "example"
}
}