import { useCallback } from 'react';
import { useStytch } from '@stytch/react';

export const Login = () => {
  const stytch = useStytch();

  const strengthCheck = useCallback(() => {
    stytch.passwords.strengthCheck({
      email: '${exampleEmail}',
      password: '${examplePassword}',
    });
  }, [stytch]);

  return <button onClick={strengthCheck}>Strength Check</button>;
};

{
    "breach_detection_on_create": true,
    "breached_password": false,
    "feedback": {
      "suggestions": null,
      "warning": null,
      "luds_requirements": {
        "has_digit": true,
        "has_lower_case": false,
        "has_symbol": false,
        "has_upper_case": false,
        "missing_characters": 6,
        "missing_complexity": 1
      }
    },
    "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
    "score": 0,
    "status_code": 200,
    "strength_policy": "luds",
    "valid_password": false
}
The strengthCheck method wraps the Strength Check Password API endpoint. This method allows you to check whether or not the user’s provided password is valid based on the configuration set in your Stytch Dashboard, and to provide feedback to the user on how to increase the strength of their password. All passwords must pass the strength requirements to be accepted as valid.

Parameters

password
string
required
The password for the user. Any UTF-8 character is allowed, e.g. spaces, emojis, and non-English characters.
email
string
The email associated with the password. If the email address is included, it will be factored into strength evaluation via our password breach checks. If you do not include the email, it is possible that the strength check response will evaluate as valid – but the password will fail with a weak_password error when used in the Create password endpoint due to a breach check failure.

Response

breach_detection_on_create
boolean
Will return true if breach detection will be evaluated. By default this option is enabled. This option can be disabled in the dashboard. If this value is false then breached_password will always be false as well.
breached_password
boolean
Returns true if the password has been breached. Powered by HaveIBeenPwned.
score
int
The score of the password determined by zxcvbn. Values will be between 1 and 4; a 3 or greater is required to pass validation.
strength_policy
string
The strength policy type enforced, either zxcvbn or luds.
valid_password
boolean
Returns true if the password passes our password validation. We offer two validation options: zxcvbn is the default option, which offers a high level of sophistication, and LUDS, which is less sophisticated but easier to understand. If an email address is included in the call, we also require that the password hasn’t been compromised, using built-in breach detection powered by HaveIBeenPwned.
feedback
object
Feedback for how to improve the password’s strength using zxcvbn.
request_id
string
Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.
status_code
number
The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
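One way to turn the response fields above into sign-up form feedback, including the case where the email was omitted and a valid result can still fail on create. This is an added example, not Stytch's own code: the helper name explainStrengthCheck, its emailIncluded option, the message wording, and the reading of missing_characters and missing_complexity as counts still needed are assumptions.

```javascript
// Added example, not part of the Stytch SDK. Takes a strengthCheck response
// (shape as in the sample response on this page) and returns UI feedback.
function explainStrengthCheck(res, { emailIncluded }) {
  const messages = [];
  if (res.breached_password) {
    messages.push('This password appears in a known breach; choose a different one.');
  }
  const fb = res.feedback || {};
  if (res.strength_policy === 'luds') {
    const luds = fb.luds_requirements || {};
    // Assumption: missing_characters is how many more characters are needed.
    if (luds.missing_characters > 0) {
      messages.push(`Add at least ${luds.missing_characters} more character(s).`);
    }
    // Assumption: missing_complexity is how many more character classes are needed.
    if (luds.missing_complexity > 0) {
      const missing = [
        ['has_lower_case', 'a lowercase letter'],
        ['has_upper_case', 'an uppercase letter'],
        ['has_digit', 'a digit'],
        ['has_symbol', 'a symbol'],
      ].filter(([key]) => !luds[key]).map(([, label]) => label);
      messages.push(`Add ${luds.missing_complexity} more of: ${missing.join(', ')}.`);
    }
  } else {
    // zxcvbn policy: pass the warning and suggestions through (both may be null).
    if (fb.warning) messages.push(fb.warning);
    for (const s of fb.suggestions || []) messages.push(s);
  }
  const valid = res.valid_password === true;
  // Without the email, a valid result can still be rejected with weak_password
  // on create when breach detection is enabled, so flag it for a re-check.
  const mayFailOnCreate =
    valid && res.breach_detection_on_create === true && !emailIncluded;
  return { valid, mayFailOnCreate, messages };
}

// The sample response from this page, trimmed to the fields the helper reads.
const pageSample = {
  breach_detection_on_create: true,
  breached_password: false,
  feedback: {
    suggestions: null,
    warning: null,
    luds_requirements: { has_digit: true, has_lower_case: false, has_symbol: false,
      has_upper_case: false, missing_characters: 6, missing_complexity: 1 },
  },
  strength_policy: 'luds',
  valid_password: false,
};
```

Treat mayFailOnCreate as a prompt to repeat the strength check with the email before calling the Create password endpoint.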