> ## Documentation Index
> Fetch the complete documentation index at: https://stytch.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Strength Check

> Checks the strength of a password according to your Project's password strength configuration.

Determines if a password matches the password strength configuration set in your [Stytch Dashboard](https://stytch.com/dashboard/password-strength-config).

If your Stytch project is configured to use [zxcvbn](/multi-tenant-auth/authentication/passwords/strength-policy#zxcvbn), the default, passwords are considered valid if the strength score is >= 3. If [LUDS](/multi-tenant-auth/authentication/passwords/strength-policy#luds), your passwords are considered valid if they meet the requirements that you've set in your Stytch Dashboard.

#### Password feedback

The `zxcvbn_feedback` and `luds_feedback` objects contains relevant information to relay to users that failed to create a strong enough password.

If using [zxcvbn](/multi-tenant-auth/authentication/passwords/strength-policy#zxcvbn), the feedback object will contain warning and suggestions for any password that does not meet the [zxcvbn](/multi-tenant-auth/authentication/passwords/strength-policy#zxcvbn) strength requirements. You can return these strings directly to the user to help them craft a strong password.

If using [LUDS](/multi-tenant-auth/authentication/passwords/strength-policy#luds), the feedback object will contain a collection of fields that the user failed or passed. You should prompt the user to create a password that meets all requirements that they failed.


## OpenAPI

````yaml POST /v1/b2b/passwords/strength_check
openapi: 3.0.3
info:
  title: Stytch API
  description: The Stytch API provides endpoints for authentication and user management.
  version: 2.1.1
  contact:
    name: Stytch Support
    url: https://stytch.com/docs
    email: support@stytch.com
servers:
  - url: https://api.stytch.com
    description: Production server
  - url: https://test.stytch.com
    description: Test server
security:
  - basicAuth: []
paths:
  /v1/b2b/passwords/strength_check:
    post:
      tags:
        - Password
      summary: Strengthcheck
      description: >-
        This API allows you to check whether the user’s provided password is
        valid, and to provide feedback to the user on how to increase the
        strength of their password.


        This endpoint adapts to your Project's password strength configuration.

        If you're using
        [zxcvbn](https://stytch.com/docs/guides/passwords/strength-policy), the
        default, your passwords are considered valid if the strength score is >=
        3.

        If you're using
        [LUDS](https://stytch.com/docs/guides/passwords/strength-policy), your
        passwords are considered valid if they meet the requirements that you've
        set with Stytch.

        You may update your password strength configuration on the [Passwords
        Policy page](https://stytch.com/dashboard/password-strength-config) in
        the Stytch Dashboard.


        ## Password feedback

        The `zxcvbn_feedback` and `luds_feedback` objects contains relevant
        fields for you to relay feedback to users that failed to create a strong
        enough password.


        If you're using
        [zxcvbn](https://stytch.com/docs/guides/passwords/strength-policy), the
        feedback object will contain warning and suggestions for any password
        that does not meet the
        [zxcvbn](https://stytch.com/docs/guides/passwords/strength-policy)
        strength requirements. You can return these strings directly to the user
        to help them craft a strong password.


        If you're using
        [LUDS](https://stytch.com/docs/guides/passwords/strength-policy), the
        feedback object will contain a collection of fields that the user failed
        or passed. You'll want to prompt the user to create a password that
        meets all requirements that they failed.
      operationId: api_b2b_password_v1_StrengthCheck
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/api_b2b_password_v1_StrengthCheckRequest'
      responses:
        '200':
          description: Successful response
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/api_b2b_password_v1_StrengthCheckResponse'
        '400':
          description: Bad request
        '401':
          description: Unauthorized
          content:
            application/json:
              example:
                status_code: 401
                request_id: request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141
                error_type: unauthorized_credentials
                error_message: Unauthorized credentials.
                error_url: https://stytch.com/docs/api/errors/401
        '429':
          description: Too Many Requests
          content:
            application/json:
              example:
                status_code: 429
                request_id: request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141
                error_type: too_many_requests
                error_message: Too many requests have been made.
                error_url: https://stytch.com/docs/api/errors/429
        '500':
          description: Internal server error
          content:
            application/json:
              example:
                status_code: 500
                request_id: request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141
                error_type: internal_server_error
                error_message: >-
                  Oops, something seems to have gone wrong, please reach out to
                  support@stytch.com to let us know what went wrong.
                error_url: https://stytch.com/docs/api/errors/500
      x-code-samples:
        - lang: csharp
          label: C#
          source: |-
            // POST /v1/b2b/passwords/strength_check
            const stytch = require('stytch');

            const client = new stytch.B2BClient({
              project_id: '${projectId}',
              secret: '${secret}',
            });

            const params = {
              password: "xuEvs9sBi8I4x8rCXJPZ",
            };

            client.Passwords.StrengthCheck(params)
              .then(resp => { console.log(resp) })
              .catch(err => { console.log(err) });
        - lang: go
          label: Go
          source: "// POST /v1/b2b/passwords/strength_check\npackage main\n\nimport (\n\t\"context\"\n\t\"log\"\n\n\t\"github.com/stytchauth/stytch-go/v18/stytch/b2b/b2bstytchapi\"\n\t\"github.com/stytchauth/stytch-go/v18/stytch/b2b/passwords\"\n)\n\nfunc main() {\n\tclient, err := b2bstytchapi.NewClient(\n\t\t\"${projectId}\",\n\t\t\"${secret}\",\n\t)\n\tif err != nil {\n\t\tlog.Fatalf(\"error instantiating client: %v\", err)\n\t}\n\n\tparams := &passwords.StrengthCheckParams{\n\t\tPassword: \"xuEvs9sBi8I4x8rCXJPZ\",\n\t}\n\n\tresp, err := client.Passwords.StrengthCheck(context.Background(), params)\n\tif err != nil {\n\t\tlog.Fatalf(\"error in method call: %v\", err)\n\t}\n\n\tlog.Println(resp)\n}\n"
        - lang: java
          label: Java
          source: |-
            // POST /v1/b2b/passwords/strength_check
            package com.example;

            import com.stytch.java.b2b.models.passwords.StrengthCheckRequest;
            import com.stytch.java.b2b.StytchB2BClient;
            import com.stytch.java.common.StytchResult;

            public class Main {
                public static void main(String[] args) {
                    StytchB2BClient.configure("${projectId}", "${secret}");

                    StrengthCheckRequest params = new StrengthCheckRequest();
                    params.setPassword("xuEvs9sBi8I4x8rCXJPZ");

                    Object result = StytchB2BClient.getPasswords().strengthCheck(params);
                    if (result instanceof StytchResult.Success) {
                      System.out.println(((StytchResult.Success) result).getValue());
                    } else {
                      System.out.println(((StytchResult.Error) result).getException());
                    }
                }
            }
        - lang: kotlin
          label: Kotlin
          source: |
            // POST /v1/b2b/passwords/strength_check
            package com.example

            import com.stytch.java.b2b.StytchB2BClient
            import com.stytch.java.b2b.models.passwords.StrengthCheckRequest

            fun main() {
                StytchB2BClient.configure(
                    projectId = "${projectId}",
                    secret = "${secret}",
                )

                when (
                    val result =
                        StytchB2BClient.passwords.strengthCheck(
                            StrengthCheckRequest(
                                password = "xuEvs9sBi8I4x8rCXJPZ",
                            ),
                        )
                ) {
                    is StytchResult.Success -> println(result.value)
                    is StytchResult.Error -> println(result.exception)
                }
            }
        - lang: javascript
          label: Node.js
          source: |-
            // POST /v1/b2b/passwords/strength_check
            const stytch = require('stytch');

            const client = new stytch.B2BClient({
              project_id: '${projectId}',
              secret: '${secret}',
            });

            const params = {
              password: "xuEvs9sBi8I4x8rCXJPZ",
            };

            client.passwords.strengthCheck(params)
              .then(resp => { console.log(resp) })
              .catch(err => { console.log(err) });
        - lang: php
          label: PHP
          source: |-
            $response = $client->passwords->strength_check([
                'password' => 'xuEvs9sBi8I4x8rCXJPZ',
            ]);
        - lang: python
          label: Python
          source: |
            # POST /v1/b2b/passwords/strength_check
            from stytch import B2BClient

            client = B2BClient(
                project_id="${projectId}",
                secret="${secret}",
            )

            resp = client.passwords.strength_check(
                password="xuEvs9sBi8I4x8rCXJPZ",
            )

            print(resp)
        - lang: ruby
          label: Ruby
          source: |-
            # frozen_string_literal: true

            # POST /v1/b2b/passwords/strength_check
            require 'stytch'

            client = StytchB2B::Client.new(
              project_id: "${projectId}",
              secret: "${secret}"
            )

            resp = client.passwords.strength_check(
              password: "xuEvs9sBi8I4x8rCXJPZ"
              
            )

            puts resp
        - lang: rust
          label: Rust
          source: |-
            // POST /v1/b2b/passwords/strength_check
            use stytch::b2b::client::Client;
            use stytch::b2b::passwords::StrengthCheckRequest;

            fn main() {
                let client = Client::new("${projectId}", "${secret}").unwrap();
                let resp = client.passwords.strength_check(
                    StrengthCheckRequest{
                        password: "xuEvs9sBi8I4x8rCXJPZ",
                        ..Default::default()
                    }
                ).await;
                println!("The response is {:?}", resp);
            }
        - lang: bash
          label: cURL
          source: |-
            # POST /v1/b2b/passwords/strength_check
            curl --request POST \
              --url https://test.stytch.com/v1/b2b/passwords/strength_check \
              -u '${projectId}:${secret}' \
              -H 'Content-Type: application/json' \
              -d '{
                "password": "xuEvs9sBi8I4x8rCXJPZ"
              }'
components:
  schemas:
    api_b2b_password_v1_StrengthCheckRequest:
      type: object
      properties:
        password:
          type: string
          description: >-
            The password to authenticate, reset, or set for the first time. Any
            UTF8 character is allowed, e.g. spaces, emojis, non-English
            characters, etc.
        email_address:
          type: string
          description: The email address of the Member.
      description: Request type
      required:
        - password
    api_b2b_password_v1_StrengthCheckResponse:
      type: object
      properties:
        request_id:
          type: string
          description: >-
            Globally unique UUID that is returned with every API call. This
            value is important to log for debugging purposes; we may ask for
            this value to help identify a specific API call when helping you
            debug an issue.
        valid_password:
          type: boolean
          description: >-
            Returns `true` if the password passes our password validation. We
            offer two validation options,
              [zxcvbn](https://stytch.com/docs/guides/passwords/strength-policy) is the default option which offers a high level of sophistication.
              We also offer [LUDS](https://stytch.com/docs/b2b/guides/passwords/strength-policy) which is less sophisticated 
              but easier to understand. If an email address is included in the call we also
              require that the password hasn't been compromised using built-in breach detection powered by [HaveIBeenPwned](https://haveibeenpwned.com/)
        score:
          type: integer
          format: int32
          description: >-
            The score of the password determined by
            [zxcvbn](https://github.com/dropbox/zxcvbn). Values will be between
            1 and 4, a 3 or greater is required to pass validation.
        breached_password:
          type: boolean
          description: >-
            Returns `true` if the password has been breached. Powered by
            [HaveIBeenPwned](https://haveibeenpwned.com/).
        strength_policy:
          type: string
          description: The strength policy type enforced, either `zxcvbn` or `luds`.
        breach_detection_on_create:
          type: boolean
          description: >-
            Will return `true` if breach detection will be evaluated. By default
            this option is enabled.
              This option can be disabled in the [dashboard](https://stytch.com/dashboard/password-strength-config#breach-detection).
              If this value is false then `breached_password` will always be `false` as well.
        status_code:
          type: integer
          format: int32
          description: >-
            The HTTP status code of the response. Stytch follows standard HTTP
            response status code patterns, e.g. 2XX values equate to success,
            3XX values are redirects, 4XX are client errors, and 5XX are server
            errors.
        luds_feedback:
          $ref: '#/components/schemas/api_b2b_password_v1_LudsFeedback'
          description: >-
            Feedback for how to improve the password's strength using
            [luds](https://stytch.com/docs/guides/passwords/strength-policy).
        zxcvbn_feedback:
          $ref: '#/components/schemas/api_b2b_password_v1_ZxcvbnFeedback'
          description: >-
            Feedback for how to improve the password's strength using
            [zxcvbn](https://stytch.com/docs/b2b/guides/passwords/strength-policy).
      required:
        - request_id
        - valid_password
        - score
        - breached_password
        - strength_policy
        - breach_detection_on_create
        - status_code
    api_b2b_password_v1_LudsFeedback:
      type: object
      properties:
        has_lower_case:
          type: boolean
          description: >-
            For LUDS validation, whether the password contains at least one
            lowercase letter.
        has_upper_case:
          type: boolean
          description: >-
            For LUDS validation, whether the password contains at least one
            uppercase letter.
        has_digit:
          type: boolean
          description: >-
            For LUDS validation, whether the password contains at least one
            digit.
        has_symbol:
          type: boolean
          description: >-
            For LUDS validation, whether the password contains at least one
            symbol. Any UTF8 character outside of a-z or A-Z may count as a
            valid symbol.
        missing_complexity:
          type: integer
          format: int32
          description: >-
            For LUDS validation, the number of complexity requirements that are
            missing from the password.
                  Check the complexity fields to see which requirements are missing.
        missing_characters:
          type: integer
          format: int32
          description: >-
            For LUDS validation, this is the required length of the password
            that you've set minus the length of the password being checked.
                  The user will need to add this many characters to the password to make it valid.
      required:
        - has_lower_case
        - has_upper_case
        - has_digit
        - has_symbol
        - missing_complexity
        - missing_characters
    api_b2b_password_v1_ZxcvbnFeedback:
      type: object
      properties:
        warning:
          type: string
          description: >-
            For zxcvbn validation, contains an end user consumable warning if
            the password is valid but not strong enough.
        suggestions:
          type: array
          items:
            type: string
          description: >-
            For zxcvbn validation, contains end user consumable suggestions on
            how to improve the strength of the password.
      required:
        - warning
        - suggestions
  securitySchemes:
    basicAuth:
      type: http
      scheme: basic

````