Stytch – The most powerful identity platform built for developers

Strength check

POST

https://test.stytch.com/v1/passwords/strength_check

This API allows you to check whether or not the user’s provided password is valid, and to provide feedback to the user on how to increase the strength of their password.

This endpoint adapts to your Project's password strength configuration. If you're using zxcvbn, the default, your passwords are considered valid if the strength score is >= 3. If you're using LUDS, your passwords are considered valid if they meet the requirements that you've set with Stytch. You may update your password strength configuration in the Stytch Dashboard.

Password feedback

The feedback object contains relevant fields for you to relay feedback to users that failed to create a strong enough password.

If you're using zxcvbn, the feedback object will contain warning and suggestions for any password that does not meet the zxcvbn strength requirements. You can return these strings directly to the user to help them craft a strong password.

If you're using LUDS, the feedback object will contain an object named luds_requirements which contain a collection of fields that the user failed or passed. You'll want to prompt the user to create a password that meets all of the requirements that they failed.

Body parameters

password* string

The password for the user. Any UTF8 character is allowed, e.g. spaces, emojis, non-English characters, etc.

email string

The email address of the end user.

Response fields

status_code int

The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.

request_id string

Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.

breach_detection_on_create boolean

Will return true if breach detection will be evaluated. By default this option is enabled. This option can be disabled by contacting support@stytch.com. If this value is false then breached_password will always be false as well.

breached_password boolean

Returns true if the password has been breached. Powered by HaveIBeenPwned.

feedback object

Feedback for how to improve the password's strength HaveIBeenPwned.

luds_requirements object

Contains which LUDS properties are fulfilled by the password and which are missing to convert an invalid password into a valid one. You'll use these fields to provide feedback to the user on how to improve the password.

has_digit boolean

For LUDS validation, whether the password contains at least one digit.

has_lower_case boolean

For LUDS validation, whether the password contains at least one lowercase letter.

has_symbol boolean

For LUDS validation, whether the password contains at least one symbol. Any UTF8 character outside of a-z or A-Z may count as a valid symbol.

has_symbol boolean

For LUDS validation, whether the password contains at least one symbol. Any UTF8 character outside of a-z or A-Z may count as a valid symbol.

has_upper_case boolean

For LUDS validation, whether the password contains at least one uppercase letter.

missing_characters int

For LUDS validation, this is the required length of the password that you've set minus the length of the password being checked. The user will need to add this many characters to the password to make it valid.

missing_complexity int

For LUDS validation, the number of complexity requirements that are missing from the password. Check the complexity fields to see which requirements are missing.

suggestions array

For zxcvbn validation, contains end user consumable suggestions on how to improve the strength of the password.

warning string

For zxcvbn validation, contains an end user consumable warning if the password is valid but not strong enough.

score int

The score of the password determined by zxcvbn. Values will be between 1 and 4, a 3 or greater is required to pass validation.

strength_policy string

The strength policy type enforced, either zxcvbn or luds.

valid_password boolean

Returns true if the password passes our password validation. We offer two validation options, zxcvbn is the default option which offers a high level of sophistication. We also offer LUDS. If an email address is included in the call we also require that the password hasn't been compromised using built-in breach detection powered by HaveIBeenPwned.

const stytch = require('stytch');

const client = new stytch.Client({
  project_id: 'PROJECT_ID',
  secret: 'SECRET',
});

const params = {
  password: "xuEvs9sBi8I4x8rCXJPZ",
};

client.passwords.strengthCheck(params)
  .then(resp => { console.log(resp) })
  .catch(err => { console.log(err) });

RESPONSE 200 - LUDS invalid

{
	"breach_detection_on_create": true,
	"breached_password": false,
	"feedback": {
		"suggestions": null,
		"warning": null,
		"has_digit": true,
		"has_lower_case": false,
		"has_symbol": false,
		"has_upper_case": false,
		"missing_characters": 6,
		"missing_complexity": 1
	},
	"request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
	"score": 0,
	"status_code": 200,
	"strength_policy": "luds",
	"valid_password": false
}

RESPONSE 200 - LUDS valid

{
	"breach_detection_on_create": true,
	"breached_password": false,
	"feedback": {
		"suggestions": null,
		"warning": null,
		"has_digit": true,
		"has_lower_case": true,
		"has_symbol": true,
		"has_upper_case": true,
		"missing_characters": 0,
		"missing_complexity": 0
	},
	"request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
	"score": 0,
	"status_code": 200,
	"strength_policy": "luds",
	"valid_password": true
}

RESPONSE 200 - zxcvbn invalid

{
  "breach_detection_on_create": true,
  "breached_password": false,
  "feedback": {
    "luds_requirements": null,
    "suggestions": [
      "Add another word or two. Uncommon words are better."
    ],
    "warning": "This is a top-100 common password."
  },
  "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
  "score": 0,
  "status_code": 200,
  "strength_policy": "zxcvbn",
  "valid_password": false
}

RESPONSE 200 - zxcvbn valid

{
  "breach_detection_on_create": true,
  "breached_password": false,
  "feedback": {
    "luds_requirements": null,
    "suggestions": [],
    "warning": null
  },
  "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
  "score": 4,
  "status_code": 200,
  "strength_policy": "zxcvbn",
  "valid_password": true
}

RESPONSE 500 - failure

{
  "status_code": 500,
  "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
  "error_type": "internal_server_error",
  "error_message": "Oops, something seems to have gone wrong, please reach out to support@stytch.com to let us know what went wrong.",
  "error_url": "https://stytch.com/docs/api/errors/500"
}

Delete

Via email

Embeddable

Start

Reset options

Via SMS

Via Whatsapp

Via email

Register

Authenticate

Token

M2M Client

Rotate secret

Tokens

Configuration

Methods

Consent Management

Application Management

Rotate secret

Strength check

Password feedback

Body parameters

Response fields

Common Error Types