> ## Documentation Index
> Fetch the complete documentation index at: https://stytch.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Strength Check

> Test a password's strength

This API allows you to check whether or not the user's provided password is valid, and to provide feedback to the user on how to increase the strength of their password.

This endpoint adapts to your Project's password strength configuration. If you're using [zxcvbn](/consumer-auth/authentication/passwords/strength-policy#zxcvbn), the default, your passwords are considered valid if the strength score is >= 3. If you're using [LUDS](/consumer-auth/authentication/passwords/strength-policy#luds), your passwords are considered valid if they meet the requirements that you've set with Stytch. Update your password strength configuration in the [Stytch Dashboard](https://stytch.com/dashboard/password-strength-config).


## OpenAPI

````yaml POST /v1/passwords/strength_check
openapi: 3.0.3
info:
  title: Stytch API
  description: The Stytch API provides endpoints for authentication and user management.
  version: 2.1.1
  contact:
    name: Stytch Support
    url: https://stytch.com/docs
    email: support@stytch.com
servers:
  - url: https://api.stytch.com
    description: Production server
  - url: https://test.stytch.com
    description: Test server
security:
  - basicAuth: []
paths:
  /v1/passwords/strength_check:
    post:
      tags:
        - Password
      summary: Strengthcheck
      description: >-
        This API allows you to check whether or not the user’s provided password
        is valid, and to provide feedback to the user on how to increase the
        strength of their password.


        This endpoint adapts to your Project's password strength configuration.
        If you're using
        [zxcvbn](https://stytch.com/docs/guides/passwords/strength-policy), the
        default, your passwords are considered valid if the strength score is >=
        3. If you're using
        [LUDS](https://stytch.com/docs/guides/passwords/strength-policy), your
        passwords are considered valid if they meet the requirements that you've
        set with Stytch. You may update your password strength configuration in
        the [Stytch
        Dashboard](https://stytch.com/dashboard/password-strength-config).



        ### Password feedback


        The `feedback` object contains relevant fields for you to relay feedback
        to users that failed to create a strong enough password.


        If you're using zxcvbn, the `feedback` object will contain `warning` and
        `suggestions` for any password that does not meet the zxcvbn strength
        requirements. You can return these strings directly to the user to help
        them craft a strong password.


        If you're using LUDS, the `feedback` object will contain an object named
        `luds_requirements` which contain a collection of fields that the user
        failed or passed. You'll want to prompt the user to create a password
        that meets all of the requirements that they failed.
      operationId: api_password_v1_StrengthCheck
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/api_password_v1_StrengthCheckRequest'
      responses:
        '200':
          description: Successful response
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/api_password_v1_StrengthCheckResponse'
        '400':
          description: Bad request
        '401':
          description: Unauthorized
          content:
            application/json:
              example:
                status_code: 401
                request_id: request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141
                error_type: unauthorized_credentials
                error_message: Unauthorized credentials.
                error_url: https://stytch.com/docs/api/errors/401
        '429':
          description: Too Many Requests
          content:
            application/json:
              example:
                status_code: 429
                request_id: request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141
                error_type: too_many_requests
                error_message: Too many requests have been made.
                error_url: https://stytch.com/docs/api/errors/429
        '500':
          description: Internal server error
          content:
            application/json:
              example:
                status_code: 500
                request_id: request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141
                error_type: internal_server_error
                error_message: >-
                  Oops, something seems to have gone wrong, please reach out to
                  support@stytch.com to let us know what went wrong.
                error_url: https://stytch.com/docs/api/errors/500
      x-code-samples:
        - lang: csharp
          label: C#
          source: |-
            // POST /v1/passwords/strength_check
            const stytch = require('stytch');

            const client = new stytch.Client({
              project_id: '${projectId}',
              secret: '${secret}',
            });

            const params = {
              password: "xuEvs9sBi8I4x8rCXJPZ",
            };

            client.Passwords.StrengthCheck(params)
              .then(resp => { console.log(resp) })
              .catch(err => { console.log(err) });
        - lang: go
          label: Go
          source: "// POST /v1/passwords/strength_check\npackage main\n\nimport (\n\t\"context\"\n\t\"log\"\n\n\t\"github.com/stytchauth/stytch-go/v18/stytch/consumer/passwords\"\n\t\"github.com/stytchauth/stytch-go/v18/stytch/consumer/stytchapi\"\n)\n\nfunc main() {\n\tclient, err := stytchapi.NewClient(\n\t\t\"${projectId}\",\n\t\t\"${secret}\",\n\t)\n\tif err != nil {\n\t\tlog.Fatalf(\"error instantiating client: %v\", err)\n\t}\n\n\tparams := &passwords.StrengthCheckParams{\n\t\tPassword: \"xuEvs9sBi8I4x8rCXJPZ\",\n\t}\n\n\tresp, err := client.Passwords.StrengthCheck(context.Background(), params)\n\tif err != nil {\n\t\tlog.Fatalf(\"error in method call: %v\", err)\n\t}\n\n\tlog.Println(resp)\n}\n"
        - lang: java
          label: Java
          source: >-
            // POST /v1/passwords/strength_check

            package com.example;


            import com.stytch.java.common.StytchResult;

            import
            com.stytch.java.consumer.models.passwords.StrengthCheckRequest;

            import com.stytch.java.consumer.StytchClient;


            public class Main {
                public static void main(String[] args) {
                    StytchClient.configure("${projectId}", "${secret}");

                    StrengthCheckRequest params = new StrengthCheckRequest();
                    params.setPassword("xuEvs9sBi8I4x8rCXJPZ");

                    Object result = StytchClient.getPasswords().strengthCheck(params);
                    if (result instanceof StytchResult.Success) {
                      System.out.println(((StytchResult.Success) result).getValue());
                    } else {
                      System.out.println(((StytchResult.Error) result).getException());
                    }
                }
            }
        - lang: kotlin
          label: Kotlin
          source: >
            // POST /v1/passwords/strength_check

            package com.example


            import com.stytch.java.consumer.StytchClient

            import
            com.stytch.java.consumer.models.passwords.StrengthCheckRequest


            fun main() {
                StytchClient.configure(
                    projectId = "${projectId}",
                    secret = "${secret}",
                )

                when (
                    val result =
                        StytchClient.passwords.strengthCheck(
                            StrengthCheckRequest(
                                password = "xuEvs9sBi8I4x8rCXJPZ",
                            ),
                        )
                ) {
                    is StytchResult.Success -> println(result.value)
                    is StytchResult.Error -> println(result.exception)
                }
            }
        - lang: javascript
          label: Node.js
          source: |-
            // POST /v1/passwords/strength_check
            const stytch = require('stytch');

            const client = new stytch.Client({
              project_id: '${projectId}',
              secret: '${secret}',
            });

            const params = {
              password: "xuEvs9sBi8I4x8rCXJPZ",
            };

            client.passwords.strengthCheck(params)
              .then(resp => { console.log(resp) })
              .catch(err => { console.log(err) });
        - lang: php
          label: PHP
          source: |-
            $response = $client->passwords->strength_check([
                'password' => 'xuEvs9sBi8I4x8rCXJPZ',
            ]);
        - lang: python
          label: Python
          source: |
            # POST /v1/passwords/strength_check
            from stytch import Client

            client = Client(
                project_id="${projectId}",
                secret="${secret}",
            )

            resp = client.passwords.strength_check(
                password="xuEvs9sBi8I4x8rCXJPZ",
            )

            print(resp)
        - lang: ruby
          label: Ruby
          source: |-
            # frozen_string_literal: true

            # POST /v1/passwords/strength_check
            require 'stytch'

            client = Stytch::Client.new(
              project_id: "${projectId}",
              secret: "${secret}"
            )

            resp = client.passwords.strength_check(
              password: "xuEvs9sBi8I4x8rCXJPZ"
              
            )

            puts resp
        - lang: rust
          label: Rust
          source: |-
            // POST /v1/passwords/strength_check
            use stytch::consumer::client::Client;
            use stytch::consumer::passwords::StrengthCheckRequest;

            fn main() {
                let client = Client::new("${projectId}", "${secret}").unwrap();
                let resp = client.passwords.strength_check(
                    StrengthCheckRequest{
                        password: "xuEvs9sBi8I4x8rCXJPZ",
                        ..Default::default()
                    }
                ).await;
                println!("The response is {:?}", resp);
            }
        - lang: bash
          label: cURL
          source: |-
            # POST /v1/passwords/strength_check
            curl --request POST \
              --url https://test.stytch.com/v1/passwords/strength_check \
              -u '${projectId}:${secret}' \
              -H 'Content-Type: application/json' \
              -d '{
                "password": "xuEvs9sBi8I4x8rCXJPZ"
              }'
components:
  schemas:
    api_password_v1_StrengthCheckRequest:
      type: object
      properties:
        password:
          type: string
          description: >-
            The password for the user. Any UTF8 character is allowed, e.g.
            spaces, emojis, non-English characters, etc.
        email:
          type: string
          description: The email address of the end user.
      description: Request type
      required:
        - password
    api_password_v1_StrengthCheckResponse:
      type: object
      properties:
        request_id:
          type: string
          description: >-
            Globally unique UUID that is returned with every API call. This
            value is important to log for debugging purposes; we may ask for
            this value to help identify a specific API call when helping you
            debug an issue.
        valid_password:
          type: boolean
          description: >-
            Returns `true` if the password passes our password validation. We
            offer two validation options,
            [zxcvbn](https://stytch.com/docs/guides/passwords/strength-policy)
            is the default option which offers a high level of sophistication.
            We also offer
            [LUDS](https://stytch.com/docs/guides/passwords/strength-policy)
            which is less sophisticated but easier to understand. If an email
            address is included in the call we also require that the password
            hasn't been compromised using built-in breach detection powered by
            [HaveIBeenPwned](https://haveibeenpwned.com/).
        score:
          type: integer
          format: int32
          description: >-
            The score of the password determined by
            [zxcvbn](https://github.com/dropbox/zxcvbn). Values will be between
            1 and 4, a 3 or greater is required to pass validation.
        breached_password:
          type: boolean
          description: >-
            Returns `true` if the password has been breached. Powered by
            [HaveIBeenPwned](https://haveibeenpwned.com/).
        strength_policy:
          type: string
          description: The strength policy type enforced, either `zxcvbn` or `luds`.
        breach_detection_on_create:
          type: boolean
          description: >-
            Will return `true` if breach detection will be evaluated. By default
            this option is enabled. This option can be disabled in the
            [dashboard](https://stytch.com/dashboard/password-strength-config#breach-detection).
            If this value is `false` then `breached_password` will always be
            `false` as well.
        status_code:
          type: integer
          format: int32
          description: >-
            The HTTP status code of the response. Stytch follows standard HTTP
            response status code patterns, e.g. 2XX values equate to success,
            3XX values are redirects, 4XX are client errors, and 5XX are server
            errors.
        feedback:
          $ref: '#/components/schemas/api_password_v1_Feedback'
          description: >-
            Feedback for how to improve the password's strength
            [HaveIBeenPwned](https://haveibeenpwned.com/).
      required:
        - request_id
        - valid_password
        - score
        - breached_password
        - strength_policy
        - breach_detection_on_create
        - status_code
    api_password_v1_Feedback:
      type: object
      properties:
        warning:
          type: string
          description: >-
            For `zxcvbn` validation, contains an end user consumable warning if
            the password is valid but not strong enough.
        suggestions:
          type: array
          items:
            type: string
          description: >-
            For `zxcvbn` validation, contains end user consumable suggestions on
            how to improve the strength of the password.
        luds_requirements:
          $ref: '#/components/schemas/api_password_v1_LUDSRequirements'
          description: >-
            Contains which LUDS properties are fulfilled by the password and
            which are missing to convert an invalid password into a valid one.
            You'll use these fields to provide feedback to the user on how to
            improve the password.
      required:
        - warning
        - suggestions
    api_password_v1_LUDSRequirements:
      type: object
      properties:
        has_lower_case:
          type: boolean
          description: >-
            For LUDS validation, whether the password contains at least one
            lowercase letter.
        has_upper_case:
          type: boolean
          description: >-
            For LUDS validation, whether the password contains at least one
            uppercase letter.
        has_digit:
          type: boolean
          description: >-
            For LUDS validation, whether the password contains at least one
            digit.
        has_symbol:
          type: boolean
          description: >-
            For LUDS validation, whether the password contains at least one
            symbol. Any UTF8 character outside of a-z or A-Z may count as a
            valid symbol.
        missing_complexity:
          type: integer
          format: int32
          description: >-
            For LUDS validation, the number of complexity requirements that are
            missing from the password. Check the complexity fields to see which
            requirements are missing.
        missing_characters:
          type: integer
          format: int32
          description: >-
            For LUDS validation, this is the required length of the password
            that you've set minus the length of the password being checked. The
            user will need to add this many characters to the password to make
            it valid.
      required:
        - has_lower_case
        - has_upper_case
        - has_digit
        - has_symbol
        - missing_complexity
        - missing_characters
  securitySchemes:
    basicAuth:
      type: http
      scheme: basic

````