[GH-ISSUE #583] Breach Report - HaveIBeenPwned APIv2 No Longer Works #383

Closed
opened 2026-03-03 01:28:36 +03:00 by kerem · 9 comments
Owner

Originally created by @Ayitaka on GitHub (Aug 20, 2019).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/583

[2019-08-20 15:36:37][bitwarden_rs::error][ERROR] ReqError. [CAUSE] Error( Status( 401, ), "https://haveibeenpwned.com/api/v2/breachedaccount/email@example.com", )

With regards to the HaveIBeenPwned developer's blog (https://www.troyhunt.com/authentication-and-the-have-i-been-pwned-api/), as of August 18th HaveIBeenPwned no longer allows unauthenticated API requests based on email address and therefore the Data Breach Report no longer works without a paid account from HaveIBeenPwned.

Note: The "Exposed Passwords Report" section still functions properly as this was unaffected by the API v3 changes.

Since I assume we cannot utilize the bitwarden.com api calls, perhaps it would be a good idea to:

  • Switch the code/html to use the new API v3 (https://haveibeenpwned.com/API/v3)
  • Add configuration options to allow people to use their own HaveIBeenPwned api keys for HaveIBeenPwned API v3

~~(Edit: Upon further thinking, there has to be a way Bitwarden allows self-installations to utilize the bitwarden api for Breach Reports - maybe in conjunction with "Get an installation id and key from https://bitwarden.com/host." ?)~~ Self-hosted official Bitwarden is the same as vaultwarden in that there is a config setting for adding your own HIBP API key - it does not utilize Bitwarden's API key.

kerem closed this issue 2026-03-03 01:28:36 +03:00

@dani-garcia commented on GitHub (Aug 20, 2019):

As far as I know the official server seems to allow the self hosting installations to configure their own key, which is what we should do too. Should be an easy change, so I'll try to get it done today, though I don't have a key to test, it's not like I could break it more :).


@Ayitaka commented on GitHub (Aug 20, 2019):

I can provide you with a temporary api key to test with if that would help. I sent you a msg/chat invite on #bitwarden_rs:matrix.org


@TomasTokaMrazek commented on GitHub (Sep 29, 2019):

Is this really fixed? The commit is tagged as 1.10.0, which I just updated to, yet I keep getting an error about no API keys.
EDIT: My bad, the API is paid now


@Ayitaka commented on GitHub (Sep 29, 2019):

Yes, sorry that wasn't clearer in the initial post.

HaveIBeenPwned now requires a monthly API Key subscription to do email address checks through their API, which is how Bitwarden does the checks.

Password compromise checks are still free and work just fine within Bitwarden, only email checks no longer work without the API key.

You can get a subscription at the HaveIBeenPwned API page (https://haveibeenpwned.com/API/Key) for $3.50USD/month.

You would then add the key to Bitwarden_rs using the .env setting: HIBP_API_KEY=apikeyhere

Alternatively, you can still do manual email address checks through the main HaveIBeenPwned website (https://haveibeenpwned.com/), but that isn't part of Bitwarden_rs.

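To make the distinction in this comment concrete, here is an added example (not vaultwarden's or Bitwarden's code): an email breach lookup against the HIBP v3 endpoint, which needs the key from HIBP_API_KEY, beside the Pwned Passwords range lookup that still works without one. The hibp-api-key header and the 404-for-no-breach response are documented v3 behaviour; the injected http_get transport and the user-agent string are assumptions of the example so that it runs offline.

```python
import hashlib
import json
import os
from typing import Callable, Dict, Optional, Tuple

HIBP_V3 = "https://haveibeenpwned.com/api/v3"
PWNED_RANGE = "https://api.pwnedpasswords.com/range"

# Injected transport: http_get(url, headers) -> (status_code, body_text);
# an assumption of this example so it runs offline (real code: urllib/requests).
HttpGet = Callable[[str, Dict[str, str]], Tuple[int, str]]


def breached_account(email: str, http_get: HttpGet,
                     api_key: Optional[str] = None) -> dict:
    """Email breach lookup via HIBP v3 (the call the issue is about).
    Without a key, report "no_key" instead of sending a request that
    v3 would only answer with the 401 quoted in the issue."""
    key = api_key if api_key is not None else os.environ.get("HIBP_API_KEY")
    if not key:
        return {"status": "no_key", "breaches": []}
    headers = {"hibp-api-key": key, "user-agent": "hibp-example-check"}
    status, body = http_get(f"{HIBP_V3}/breachedaccount/{email}", headers)
    if status == 200:
        return {"status": "ok", "breaches": json.loads(body)}
    if status == 404:  # v3 signals "account not in any breach" with 404
        return {"status": "ok", "breaches": []}
    if status == 401:  # missing/invalid key; the failure the log line shows
        return {"status": "bad_key", "breaches": []}
    return {"status": f"http_{status}", "breaches": []}


def password_pwned_count(password: str, http_get: HttpGet) -> int:
    """Pwned Passwords range lookup (the check that still works keyless).
    Only the first 5 hex chars of the SHA-1 leave the host; the full hash
    is matched locally against the returned "SUFFIX:COUNT" lines."""
    sha1 = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = sha1[:5], sha1[5:]
    status, body = http_get(f"{PWNED_RANGE}/{prefix}", {})
    if status != 200:
        raise RuntimeError(f"range lookup failed: HTTP {status}")
    for line in body.splitlines():
        line_suffix, _, count = line.strip().partition(":")
        if line_suffix == suffix:
            return int(count)
    return 0
```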

@Crush33 commented on GitHub (Jul 28, 2021):

> You would then add the key to Bitwarden_rs using the .env setting: HIBP_API_KEY=apikeyhere

hi, could you please help me setting this up in docker environment ? I don't really understand where to put the api key...
thx !


@Saik0Shinigami commented on GitHub (Jul 28, 2021):

> > You would then add the key to Bitwarden_rs using the .env setting: HIBP_API_KEY=apikeyhere
>
> hi, could you please help me setting this up in docker environment ? I don't really understand where to put the api key...
> thx !

In the <domain>/admin page under "general settings", or as an environmental variable in docker.


@d0x7 commented on GitHub (Oct 9, 2021):

> (Edit: Upon further thinking, there has to be a way Bitwarden allows self-installations to utilize the bitwarden api for Breach Reports - maybe in conjunction with "Get an installation id and key from https://bitwarden.com/host." ?)

Just found this issue and thinking about what you said here. Did anyone look into this deeper? I mean, if the self hosted instances can use the email breach feature without supplying a key (even though they apparently can, optionally?), therefore accessing the HIBP API directly or maybe even proxied through Bitwarden (self hosted calls Bitwarden.com with license which then calls HIBP with their API key), then it should be able to implement this into Vaultwarden as well, you would only need to request a hosting installation key - even if it's morally questionable. But all that depends on whether the self hosted Bitwarden instances can use the email breach feature, or if the HIBP api key is absolutely mandatory (wasn't really clear for me what you guys said).


@Ayitaka commented on GitHub (Oct 9, 2021):

Self-hosted official Bitwarden is the same as vaultwarden: there is a place to add your HIBP API key to enable checking breach reports for email addresses.

A HIBP API key costs $3.50US per month (https://haveibeenpwned.com/API/Key). So if the convenience of allowing you and your users to check email addresses against HIBP is worthwhile, an API key is about half the price of a Starbucks coffee every month. Otherwise, you can still go directly to HaveIBeenPwned (https://haveibeenpwned.com/) and enter email addresses into their webpage to check them manually.


@BlackDex commented on GitHub (Oct 9, 2021):

> Just found this issue and thinking about what you said here. Did anyone look into this deeper? I mean, if the self hosted instances can use the email breach feature without supplying a key (even though they apparently can, optionally?), therefore accessing the HIBP API directly or maybe even proxied through Bitwarden (self hosted calls Bitwarden.com with license which then calls HIBP with their API key), then it should be able to implement this into Vaultwarden as well, you would only need to request a hosting installation key - even if it's morally questionable. But all that depends on whether the self hosted Bitwarden instances can use the email breach feature, or if the HIBP api key is absolutely mandatory (wasn't really clear for me what you guys said).

I don't know why you think self-hosted can use this feature without any api-key, because that isn't true.
The only place where you can use this feature for 'free' is on vault.bitwarden.com, which provides this feature for their customers.
Self-Hosted still needs a key to have this working from the web-vault.

I think vaultwarden has made a simple compromise which takes just 3 clicks from doing the same.
If you wish it to be just one click, I suggest to buy an api-key and use that.
