Bad Passwords

Register an email address with a URL that serves a plaintext Argon2 password hash, then test login against the current remote hash.

JWT Public Key


API Docs

The API accepts either HTML form posts or JSON requests. For API use, send Accept: application/json. For JSON bodies, also send Content-Type: application/json.

Environment

Setting     Details
JWT_ISSUER  Required. Used for the JWT iss claim.

POST /register

Field              Required  Description
email              yes       Email address to register. Must be unique.
password_hash_url  yes       URL that returns a plaintext Argon2 password hash.
password           yes       Plaintext password used to prove the remote hash belongs to the registrant.

Example JSON request:

{
  "email": "user@example.com",
  "password_hash_url": "https://example.com/hash.txt",
  "password": "correct horse battery staple"
}

Successful JSON response:

{
  "email": "user@example.com",
  "password_hash_url": "https://example.com/hash.txt"
}

Error JSON response:

{
  "error": "Password does not match the remote Argon2 hash."
}

POST /login

Field     Required  Description
email     yes       Registered email address.
password  yes       Plaintext password to verify against the current remote Argon2 hash.

Example JSON request:

{
  "email": "user@example.com",
  "password": "correct horse battery staple"
}

Successful JSON response:

{
  "token": "JWT_TOKEN_HERE",
  "token_type": "Bearer",
  "email": "user@example.com"
}

Decoded JWT payload fields:

Claim  Description
sub    User email.
email  User email.
iss    Value of JWT_ISSUER.
iat    Issued-at timestamp.
exp    Expiry timestamp, one hour after issue.

Error JSON response:

{
  "error": "Invalid email or password."
}
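
A client-side check of the token returned by POST /login, as an added example that is not the service's own code: it verifies the signature against a PEM public key such as the one published under JWT Public Key, then checks the documented claims. RS256, timestamps in seconds, the issuer value and the key pair generated inline are assumptions, and the sample tokens are constructed.

```javascript
const nodeCrypto = require('node:crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');
const fromB64url = (s) => Buffer.from(s, 'base64url');

// Returns the payload if the token is acceptable, otherwise throws.
function verifyLoginToken(token, publicKeyPem, expectedIssuer,
                          nowSec = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [head, body, sig] = parts;
  // Pin the algorithm (assumed RS256); never let the token header choose it.
  const header = JSON.parse(fromB64url(head).toString('utf8'));
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const ok = nodeCrypto.verify('sha256', Buffer.from(`${head}.${body}`),
                               publicKeyPem, fromB64url(sig));
  if (!ok) throw new Error('bad signature');
  // Only read claims after the signature has been verified.
  const c = JSON.parse(fromB64url(body).toString('utf8'));
  if (c.iss !== expectedIssuer) throw new Error('wrong issuer');
  if (typeof c.sub !== 'string' || c.sub !== c.email) throw new Error('sub/email mismatch');
  if (!Number.isInteger(c.iat) || !Number.isInteger(c.exp)) throw new Error('bad timestamps');
  // The docs state exp is one hour after issue (assumed to be in seconds).
  if (c.exp - c.iat !== 3600) throw new Error('unexpected lifetime');
  if (nowSec >= c.exp) throw new Error('expired');
  return c;
}

// Constructed key pair standing in for the service's signing key.
const { publicKey, privateKey } =
  nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const samplePublicKeyPem = publicKey.export({ type: 'spki', format: 'pem' });

// Builds a constructed token shaped like the documented payload.
function signSample(claims, alg = 'RS256') {
  const head = b64url(JSON.stringify({ alg, typ: 'JWT' }));
  const body = b64url(JSON.stringify(claims));
  const sig = nodeCrypto.sign('sha256', Buffer.from(`${head}.${body}`), privateKey);
  return `${head}.${body}.${b64url(sig)}`;
}

// Constructed demo: issue a sample token and verify it.
const demoIat = Math.floor(Date.now() / 1000);
const demoToken = signSample({ sub: 'user@example.com', email: 'user@example.com',
  iss: 'https://issuer.example', iat: demoIat, exp: demoIat + 3600 });
console.log(verifyLoginToken(demoToken, samplePublicKeyPem, 'https://issuer.example').sub);
```
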