POST /v1/b2b/passwords/strength_check
// POST /v1/b2b/passwords/strength_check
const stytch = require('stytch');

const client = new stytch.B2BClient({
  project_id: '${projectId}',
  secret: '${secret}',
});

const params = {
  password: "${examplePassword}",
};

client.passwords.strengthCheck(params)
  .then(resp => { console.log(resp) })
  .catch(err => { console.log(err) });

{
  "request_id": "<string>",
  "valid_password": true,
  "score": 123,
  "breached_password": true,
  "strength_policy": "<string>",
  "breach_detection_on_create": true,
  "status_code": 123,
  "luds_feedback": {
    "has_lower_case": true,
    "has_upper_case": true,
    "has_digit": true,
    "has_symbol": true,
    "missing_complexity": 123,
    "missing_characters": 123
  },
  "zxcvbn_feedback": {
    "warning": "<string>",
    "suggestions": [
      "<string>"
    ]
  }
}
Determines if a password matches the password strength configuration set in your Stytch Dashboard. If your Stytch project is configured to use zxcvbn, the default, passwords are considered valid if the strength score is >= 3. If it is configured to use LUDS, passwords are considered valid if they meet the requirements that you've set in your Stytch Dashboard.

Password feedback

The zxcvbn_feedback and luds_feedback objects contain relevant information to relay to users who failed to create a strong enough password. If using zxcvbn, the feedback object will contain a warning and suggestions for any password that does not meet the zxcvbn strength requirements. You can return these strings directly to the user to help them craft a strong password. If using LUDS, the feedback object will contain a collection of fields that the user failed or passed. You should prompt the user to create a password that meets all requirements that they failed.
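An added example (not Stytch's own code) of the feedback handling described above: it turns a strength_check response into messages for the user under either policy. The function name, the message wording, and the reading of missing_characters and missing_complexity as counts still needed are assumptions; the sample responses are constructed.

```javascript
// Added example. Field names come from the response schema on this page;
// message wording and the meaning given to missing_characters and
// missing_complexity (counts still needed) are assumptions.
function passwordFeedback(resp) {
  if (resp.valid_password) return { ok: true, messages: [] };

  const messages = [];
  // Surface a breach hit first; it applies under either policy.
  if (resp.breach_detection_on_create && resp.breached_password) {
    messages.push('This password appears in a known data breach. Choose a different one.');
  }

  if (resp.strength_policy === 'zxcvbn') {
    const fb = resp.zxcvbn_feedback || {};
    if (fb.warning) messages.push(fb.warning);
    messages.push(...(fb.suggestions || []));
  } else if (resp.strength_policy === 'luds') {
    const fb = resp.luds_feedback || {};
    if (fb.missing_characters > 0) {
      messages.push(`Add at least ${fb.missing_characters} more character(s).`);
    }
    if (fb.missing_complexity > 0) {
      const classes = [
        ['has_lower_case', 'a lowercase letter'],
        ['has_upper_case', 'an uppercase letter'],
        ['has_digit', 'a digit'],
        ['has_symbol', 'a symbol'],
      ];
      const absent = classes.filter(([k]) => !fb[k]).map(([, label]) => label);
      messages.push(`Add ${fb.missing_complexity} more of: ${absent.join(', ')}.`);
    }
  }
  // Fail closed: an invalid password always yields at least one message.
  if (messages.length === 0) messages.push('Choose a stronger password.');
  return { ok: false, messages };
}

// Constructed sample responses (not real API output).
const zxcvbnResp = { valid_password: false, score: 1, breached_password: true,
  strength_policy: 'zxcvbn', breach_detection_on_create: true,
  zxcvbn_feedback: { warning: 'This is a very common password.',
    suggestions: ['Add another word or two.'] } };
const ludsResp = { valid_password: false, score: 1, breached_password: false,
  strength_policy: 'luds', breach_detection_on_create: true,
  luds_feedback: { has_lower_case: true, has_upper_case: false, has_digit: true,
    has_symbol: false, missing_complexity: 1, missing_characters: 2 } };
console.log(passwordFeedback(zxcvbnResp).messages, passwordFeedback(ludsResp).messages);
```

Keep the submitted password out of logs when wiring this to the API call; only request_id is needed for debugging.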

Authorizations

Authorization (string, header, required)

Basic authentication header of the form Basic <encoded-value>, where <encoded-value> is the base64-encoded string username:password.

Body

application/json

Request type

password (string, required)

The password to authenticate, reset, or set for the first time. Any UTF8 character is allowed, e.g. spaces, emojis, non-English characters, etc.

email_address (string)

The email address of the Member.

Response

Successful response

request_id (string, required)

Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.

valid_password (boolean, required)

Returns true if the password passes our password validation. We offer two validation options: zxcvbn, the default, which offers a high level of sophistication, and LUDS, which is less sophisticated but easier to understand. If an email address is included in the call, we also require that the password hasn't been compromised, using built-in breach detection powered by HaveIBeenPwned.

score (integer<int32>, required)

The score of the password determined by zxcvbn. Values will be between 1 and 4; a 3 or greater is required to pass validation.

breached_password (boolean, required)

Returns true if the password has been breached. Powered by HaveIBeenPwned.

strength_policy (string, required)

The strength policy type enforced, either zxcvbn or luds.

breach_detection_on_create (boolean, required)

Returns true if breach detection will be evaluated. This option is enabled by default and can be disabled in the dashboard. If this value is false, then breached_password will always be false as well.

status_code (integer<int32>, required)

The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.

luds_feedback (object)

Feedback for how to improve the password's strength using luds.

zxcvbn_feedback (object)

Feedback for how to improve the password's strength using zxcvbn.