REST API · v1 · JSON

Generate secure passwords
from any app. In 3 lines.

One REST endpoint. No SDK, no install, no account required for the free tier. Send JSON, get passwords back. Works with any language, any framework, any no-code tool.

Base URL
https://passgeni.ai/api
Method
POST
Format
JSON
Free tier
50 calls/day

Getting started

From zero to working code in 30 seconds.

No account. No signup. No API key needed to try it. Just send a POST request.

1
Pick your language

Choose any language below. The API accepts plain JSON — no SDK, no library required.

2
Send one POST request

POST to https://passgeni.ai/api/generate with a JSON body. That's it.

3
Use the passwords array

The response contains a passwords array, entropy bits, and an audit object. Done.

JavaScript
const res = await fetch("https://passgeni.ai/api/generate", { method: "POST", headers: { "Content-Type": "application/json" }, body: JSON.stringify({ apiKey: process.env.PASSGENI_API_KEY, profession: "developer", length: 20, count: 5, compliance: "hipaa", // team plan only }), }); const { passwords, entropy } = await res.json(); // passwords → ["nX9#kT2@mP5!qR8$", ...] // entropy → 131 bits

Smallest possible request — no API key needed

curl -X POST https://passgeni.ai/api/generate -H "Content-Type: application/json" -d '{}'

Returns 1 password, 18 chars. No account, no key, no setup. Free tier: 50 requests/day per IP.

Architecture

What actually happens when you call the API?

You send JSON

A POST request with optional parameters. No SDK, no special headers beyond Content-Type.

Server generates

Node.js crypto.randomInt() — the same FIPS 140-3 primitive used in TLS — builds your password on our server.

Standards applied

If you pass compliance:'hipaa', we enforce HIPAA §164.312(d) minimum requirements before returning.

You get passwords

A JSON array of passwords plus entropy bits, crack time, and an audit object with the character pool used.

API generation is server-side — your password transits our server over HTTPS. For zero-knowledge, client-side generation use the web generator.

What can you build with it?

Plug PassGeni into anything.

Because it's plain JSON over HTTPS, PassGeni works with every language, platform, and no-code tool that can make an HTTP request — which is all of them. Click any integration below to see a working code example.

Also works with

ZapierMaken8nGitHub ActionsAWS LambdaVercel EdgeCloudflare WorkersPostmanInsomniaLaravelDjangoRailsSpring BootGo stdlibRust reqwest

Security

Authentication

Pass your API key as apiKey in the request body. Free tier requests need no key at all.

Authentication — body field
// Authenticated (Assurance or Authority plan) { "apiKey": "pg_live_abc123...", "count": 10 } // Anonymous (free tier — no key needed, 50 calls/day) { "count": 1 }

Never put your API key in front-end code, browser JS, or a public GitHub repo. Use an environment variable (process.env.PASSGENI_API_KEY). Rotate from your dashboard if compromised.

Quotas

Rate limits

PlanCalls/dayPer requestComplianceCost
Free50/day (IP)10$0
Assurance1,000/day500All 6$19/mo
Authority5,000/day500All 6$59/mo
Rate limit headers (every response)
X-RateLimit-Limit: 5000 X-RateLimit-Remaining: 4995 X-RateLimit-Reset: 1735689600000 // Unix ms — midnight UTC

Request body

Parameters

All parameters are optional. An empty body {} returns one 18-character password with sensible defaults.

apiKeystring
default: null

Your Team key. Leave blank for free tier (50 calls/day).

professionstring
default: "developer"

Seeds the generator: developer · doctor · finance · designer · legal · educator

lengthnumber
default: 18

Password length. Range 8–32. Compliance presets enforce a higher minimum.

countnumber
default: 1

How many passwords to return. Free: max 10. Team: max 500 per request.

compliancestring
default: null

hipaa · pci · soc2 · iso · nist · dod — Assurance or Authority plan only. Enforces the exact standard.

modestring
default: "password"

"password" for standard, "passphrase" for memorable word-based credentials.

quantumboolean
default: false

Post-quantum mode: 512-bit entropy, expanded symbol set, 20-char minimum.

Response format

Response schema

Every successful response is HTTP 200 with this JSON structure:

200 OK — example response
{
"passwords": ["nX9#kT2@mP5!qR8$vZ", "Bz7!deploy#K3@stack9"],
"count": 2,
"entropy": 131,
"length": 20,
"compliance": "hipaa",
"mode": "password",
"quantum": false,
"tier": "team",
"generated": "2026-04-11T14: 23: 11.442Z",
"audit": {
"entropySource": "Node.js crypto.randomInt() — FIPS 140-3 aligned",
"characterPool": "lower+upper+numbers+symbols",
"clientSide": false,
"serverContact": true
}
}
passwords

Array of generated password strings

entropy

Bits of entropy in the first password

tier

"free" or "team" — shows which rate limit applied

audit

Character pool and entropy source for compliance evidence

Error handling

Error codes

StatusErrorWhat to do
400Bad requestCheck that length and count are numbers, not strings.
403ForbiddenYou passed a compliance preset without a Team API key.
405Method not allowedUse POST. GET is not accepted on this endpoint.
429Rate limit exceededWait for X-RateLimit-Reset, or upgrade for 5,000/day.
500Generation failedRetry once. If it persists, email hello@passgeni.ai.
429 — rate limit response body
{
"error": "Rate limit exceeded",
"limit": 50,
"resetAt": "2026-04-12T00: 00: 00.000Z",
"upgrade": "https://passgeni.ai/pricing"
}

Ready-to-run examples

Code examples

All examples work out of the box. Replace pg_live_your_key_here with your API key for Team features.

JavaScript
const res = await fetch("https://passgeni.ai/api/generate", { method: "POST", headers: { "Content-Type": "application/json" }, body: JSON.stringify({ apiKey: process.env.PASSGENI_API_KEY, profession: "developer", length: 20, count: 5, compliance: "hipaa", // team plan only }), }); const { passwords, entropy } = await res.json(); // passwords → ["nX9#kT2@mP5!qR8$", ...] // entropy → 131 bits

Interactive

Live tester — run a real request

This sends a real API request right now. Free tier: no key needed. The response is the actual JSON your code would receive.

LIVE API TESTER — runs a real request

Plans

Plans & pricing

Free
$0forever
50 API calls / day
Max 10 per request
No API key needed
Password mode only
All 6 profession seeds
No compliance presets
14-DAY FREE TRIAL
Assurance
$19/month
1,000 API calls / day
Max 500 per request
All 6 compliance presets
Passphrase mode
Post-quantum mode
Compliance dashboard
Certificates (50/mo)
API key rotation
Start free trial →
Authority
$59/month
5,000 API calls / day
Max 500 per request
All 6 compliance presets
Team workspaces (10 seats)
Unlimited certificates
Org policy engine
CSV bulk export
Priority support

Certificate API

Compliance Certificates

Issue and manage ES256-signed compliance certificates programmatically. Accepts Authorization: Bearer pk_live_… or a session cookie. Get your API key from the dashboard.

POST
/api/generate-certificate

Issue an ES256-signed compliance certificate for a generated password.

GET
/api/audit

List your certificates with filtering and pagination. Query params: limit, offset, standard (e.g. HIPAA, NIST-800-63B), date_from (ISO), date_to (ISO), status (valid|revoked|expired).

POST
/api/revoke/[id]

Revoke a certificate by ID. Only the owner can revoke.

GET
/api/keys

List your active API keys (session cookie required).

POST
/api/keys

Create an API key — returns the raw key once only (session cookie required).

DELETE
/api/keys?id=uuid

Revoke an API key by ID (session cookie required).

Questions? Email hello@passgeni.ai — we reply within 24 hours.