Verify Password

Verify a plaintext password against a bcrypt, argon2, or scrypt hash.

POST /v1/auth/verify-password (1 credit per request)
curl -X POST "https://auth.toolkitapi.io/v1/auth/verify-password" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "password": "my-secure-password",
    "hash": "$2b$12$LJ3m4ys3Lg3Lg3Lg3Lg3LuKvYfW8XYZ1234567890abcdefghijk"
  }'
import httpx

resp = httpx.post(
    "https://auth.toolkitapi.io/v1/auth/verify-password",
    headers={"Authorization": "Bearer YOUR_API_KEY"},
    json={
        "password": "my-secure-password",
        "hash": "$2b$12$LJ3m4ys3Lg3Lg3Lg3Lg3LuKvYfW8XYZ1234567890abcdefghijk",
    },
)
resp.raise_for_status()  # a 400 (unrecognized hash format) must never be read as a valid login
print(resp.json())
const resp = await fetch("https://auth.toolkitapi.io/v1/auth/verify-password", {
  method: "POST",
  headers: {
    "Authorization": "Bearer YOUR_API_KEY",
    "Content-Type": "application/json",
  },
  body: JSON.stringify({
    password: "my-secure-password",
    hash: "$2b$12$LJ3m4ys3Lg3Lg3Lg3Lg3LuKvYfW8XYZ1234567890abcdefghijk",
  }),
});
// Only a 200 carries a verification result; anything else is a failed check, not a valid login.
if (!resp.ok) throw new Error(`verify-password failed with HTTP ${resp.status}`);
const data = await resp.json();
console.log(data);
Response 200 OK
{
  "valid": true,
  "algorithm_detected": "bcrypt",
  "needs_rehash": false
}

How to Use

1. Provide the `password` the user entered and the `hash` stored in your database. The hash string carries its own algorithm identifier and cost parameters, so nothing else needs to be sent.

2. Send a POST request. A 200 response tells you whether the password is valid. Treat any other status (for example a 400 for an unrecognized hash format) as a failed verification, never as a successful login.

3. If `valid` is `true` and `needs_rehash` is also `true`, re-hash the password with current parameters and replace the stored hash. Login is the only moment the plaintext is available, so this is when a weak hash can be upgraded without asking the user to reset their password.

About This Tool

The Verify Password endpoint checks whether a plaintext password matches a stored hash. It automatically detects the hashing algorithm (bcrypt, argon2, or scrypt) from the hash format, so you don't need to track which algorithm was used.

The endpoint also checks whether the hash should be regenerated with stronger parameters via the `needs_rehash` flag. For bcrypt, this triggers if the cost factor is below 12. For argon2, it uses the library's built-in rehash check. This supports transparent password hash upgrades during normal login flows.

Verification uses a constant-time comparison internally, so the time taken to reject a wrong password does not depend on how many bytes of the computed digest happened to match the stored one. That removes the byte-by-byte timing side channel a naive `==` comparison would leak.

Frequently Asked Questions

How does algorithm detection work?
The endpoint inspects the hash prefix: `$2b$`/`$2a$`/`$2y$` for bcrypt, `$argon2` for argon2, and `$scrypt$` for scrypt. If the format is unrecognized, a 400 error is returned.
When does needs_rehash return true?
For bcrypt: when the cost factor is below 12. For argon2: when the hash parameters don't match current recommended defaults. For scrypt: when the ln parameter is below 14.
Can I verify hashes from other programming languages?
Yes, as long as they use standard bcrypt, argon2, or scrypt hash formats. These formats are interoperable across languages and libraries.
Is the comparison timing-safe?
Yes. The endpoint uses `bcrypt.checkpw`, argon2's built-in verify, or `secrets.compare_digest` for scrypt — all provide constant-time comparison to prevent timing side-channel attacks.
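The rules described in How to Use, About This Tool and the FAQ above (prefix-based algorithm detection, the `needs_rehash` thresholds, constant-time comparison and the upgrade-on-login flow) can be followed end to end in a few dozen lines. The block below is an added example written for this page; it is not the toolkitapi.io implementation and makes no network calls. Only scrypt is actually verified, because it is the one of the three algorithms in Python's standard library (`hashlib.scrypt`); bcrypt and argon2 are parsed and policy-checked only. Two details the page does not specify are assumed and labelled in the code: the `$scrypt$` string layout (passlib-style `$scrypt$ln=N,r=R,p=P$salt$digest` with standard base64 fields) and the argon2 "current defaults" (argon2id, m=65536, t=3, p=4). The bcrypt and argon2 sample strings are constructed test data.

```python
"""Hash-format inspection and upgrade-on-login (added example, not the API's code)."""
import base64
import hashlib
import re
import secrets
from dataclasses import dataclass, field
from typing import Any, Dict, Optional, Tuple

BCRYPT_MIN_COST = 12   # documented: bcrypt needs_rehash when cost < 12
SCRYPT_MIN_LN = 14     # documented: scrypt needs_rehash when ln < 14
# ASSUMPTION: argon2 "current recommended defaults" used for the comparison.
ARGON2_DEFAULTS = {"variant": "argon2id", "m": 65536, "t": 3, "p": 4}

# bcrypt: $2a$/$2b$/$2y$, two-digit cost, 22 salt + 31 digest chars of bcrypt's base64 alphabet.
_BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
# argon2: PHC string format, e.g. $argon2id$v=19$m=65536,t=3,p=4$<salt>$<digest>
_ARGON2_RE = re.compile(
    r"^\$(argon2(?:id|i|d))\$v=(\d+)\$m=(\d+),t=(\d+),p=(\d+)\$([A-Za-z0-9+/]+)\$([A-Za-z0-9+/]+)$"
)
# ASSUMPTION: scrypt strings look like $scrypt$ln=14,r=8,p=1$<salt b64>$<digest b64>
_SCRYPT_RE = re.compile(r"^\$scrypt\$ln=(\d+),r=(\d+),p=(\d+)\$([A-Za-z0-9+/=]+)\$([A-Za-z0-9+/=]+)$")


@dataclass(frozen=True)
class HashInfo:
    algorithm: str
    params: Dict[str, Any] = field(default_factory=dict)


def detect(hash_str: str) -> HashInfo:
    """Identify the algorithm from the prefix and pull out its cost parameters.

    Raises ValueError for anything unrecognized, the case where the API answers 400.
    """
    m = _BCRYPT_RE.match(hash_str)
    if m:
        return HashInfo("bcrypt", {"cost": int(m.group(1))})
    m = _ARGON2_RE.match(hash_str)
    if m:
        return HashInfo("argon2", {"variant": m.group(1), "v": int(m.group(2)),
                                   "m": int(m.group(3)), "t": int(m.group(4)), "p": int(m.group(5))})
    m = _SCRYPT_RE.match(hash_str)
    if m:
        return HashInfo("scrypt", {"ln": int(m.group(1)), "r": int(m.group(2)), "p": int(m.group(3)),
                                   "salt": m.group(4), "digest": m.group(5)})
    raise ValueError("unrecognized hash format")


def needs_rehash(info: HashInfo) -> bool:
    """The page's rehash policy: weak bcrypt cost, weak scrypt ln, or argon2 params off the defaults."""
    if info.algorithm == "bcrypt":
        return info.params["cost"] < BCRYPT_MIN_COST
    if info.algorithm == "argon2":
        return any(info.params[k] != v for k, v in ARGON2_DEFAULTS.items())
    if info.algorithm == "scrypt":
        return info.params["ln"] < SCRYPT_MIN_LN
    raise ValueError(f"unsupported algorithm {info.algorithm}")


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def scrypt_hash(password: str, ln: int = SCRYPT_MIN_LN, r: int = 8, p: int = 1,
                salt: Optional[bytes] = None) -> str:
    """Produce a $scrypt$ string in the assumed layout; 16 random salt bytes unless one is given."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=1 << ln, r=r, p=p, dklen=32)
    return f"$scrypt$ln={ln},r={r},p={p}${_b64(salt)}${_b64(digest)}"


def verify_scrypt(password: str, hash_str: str) -> bool:
    """Recompute the digest with the stored parameters and compare in constant time."""
    info = detect(hash_str)
    if info.algorithm != "scrypt":
        raise ValueError("verify_scrypt only handles $scrypt$ hashes")
    prm = info.params
    if prm["ln"] > 20:  # refuse absurd work factors so a corrupted row cannot exhaust memory
        raise ValueError("scrypt ln parameter out of range")
    salt = base64.b64decode(prm["salt"])
    expected = base64.b64decode(prm["digest"])
    actual = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=1 << prm["ln"], r=prm["r"], p=prm["p"], dklen=len(expected))
    # secrets.compare_digest does not stop at the first mismatching byte, unlike ==.
    return secrets.compare_digest(actual, expected)


def login_and_upgrade(password: str, stored_hash: str) -> Tuple[bool, str]:
    """Steps 1-3 of How to Use for an scrypt hash: verify, then re-hash a weak hash.

    Returns (valid, hash_to_store). The hash only changes when the password was
    correct AND the stored hash is below current parameters; a wrong password never
    triggers a rewrite, so a failed login cannot be used to alter the stored record.
    """
    valid = verify_scrypt(password, stored_hash)
    if valid and needs_rehash(detect(stored_hash)):
        return True, scrypt_hash(password)  # fresh salt, current ln
    return valid, stored_hash


if __name__ == "__main__":
    legacy = scrypt_hash("my-secure-password", ln=10)  # constructed weak hash
    print(detect(legacy).algorithm, needs_rehash(detect(legacy)))
    ok, new_hash = login_and_upgrade("my-secure-password", legacy)
    print(ok, new_hash != legacy, needs_rehash(detect(new_hash)))
```

A note on the rehash check: `needs_rehash` reports the stored hash as weak whether or not the password turned out to be correct, exactly as the API's response shape allows, but `login_and_upgrade` only acts on it after a successful verification. Rewriting a hash on a failed attempt would let anyone who can trigger logins rotate a victim's stored record.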

Start using Verify Password now

Get your free API key and make your first request in under a minute.