BaconHash API

BaconHash exposes a simple REST API at https://baconhash.pw/api. All endpoints require a Bearer token in the Authorization header. Contact me to obtain a token.

Authentication

Send your token as a standard HTTP Bearer header on every request:

Authorization: Bearer <your-token>

Endpoints

GET /search/{hash}

Look up a single hash. The hash is passed as a URL path segment, and any supported format is accepted.

# Plain MD5 hash
curl https://baconhash.pw/api/search/2707569be0aff4a956388a851c68b4c6 \
     -H "Authorization: Bearer <token>"

{
  "hash": "2707569be0aff4a956388a851c68b4c6",
  "found": true,
  "type": "md5",
  "plain": "potato123"
}

# user:hash format
curl "https://baconhash.pw/api/search/pcaro:2707569be0aff4a956388a851c68b4c6" \
     -H "Authorization: Bearer <token>"

{
  "hash": "2707569be0aff4a956388a851c68b4c6",
  "found": true,
  "type": "md5",
  "plain": "potato123",
  "user": "pcaro"
}

# Domain dump line (NTLM) – URL-encode the value
curl "https://baconhash.pw/api/search/DOMAIN%5CAdmin%3A500%3Aaad3b435b51404eeaad3b435b51404ee%3A2000c92a544e63c3345c2b4a4d2379de%3A%3A%3A" \
     -H "Authorization: Bearer <token>"

{
  "hash": "2000c92a544e63c3345c2b4a4d2379de",
  "found": true,
  "type": "ntlm",
  "plain": "potato123",
  "user": "Admin",
  "domain": "DOMAIN"
}

POST /search

Look up multiple hashes in a single request. Send a JSON body with a hashes array; results are returned in the same order as inputs.

curl -X POST https://baconhash.pw/api/search \
     -H "Authorization: Bearer <token>" \
     -H "Content-Type: application/json" \
     -d '{
       "hashes": [
         "2707569be0aff4a956388a851c68b4c6",
         "da39a3ee5e6b4b0d3255bfef95601890afd80709",
         "notahash"
       ]
     }'

{
  "results": [
    {"hash": "2707569be0aff4a956388a851c68b4c6", "found": true,  "type": "md5",  "plain": "potato123"},
    {"hash": "da39a3ee5e6b4b0d3255bfef95601890afd80709", "found": true, "type": "sha1", "plain": ""},
    {"hash": "notahash", "found": false, "error": "Unrecognised hash format."}
  ]
}

POST /upload

Upload plaintext passwords. Their hashes are immediately searchable via the /search endpoints, just like any other password in the table. At most 10,000 passwords per request.

curl -X POST https://baconhash.pw/api/upload \
     -H "Authorization: Bearer <token>" \
     -H "Content-Type: application/json" \
     -d '{
       "passwords": ["potato123", "Summer2024!", "P@ssw0rd"]
     }'

{
  "total": 3,
  "existing": 0,
  "new": 3
}

Field      Type      Description
total      integer   Unique passwords in this request (duplicates within the same request counted once).
existing   integer   Passwords already known (found in binary database or previously uploaded).
new        integer   Passwords newly inserted into the database.

GET /stats

Return API usage and upload statistics for the authenticated token.

curl https://baconhash.pw/api/stats \
     -H "Authorization: Bearer <token>"

{
  "total_requests": 150,
  "total_found": 120,
  "total_upload_requests": 5,
  "total_uploaded": 500,
  "total_existing": 120,
  "total_new": 380
}

Field                   Type      Description
total_requests          integer   Total API hash search requests made with this token.
total_found             integer   Search requests where a plaintext was found.
total_upload_requests   integer   Total /upload calls made with this token.
total_uploaded          integer   Sum of unique passwords across all upload calls.
total_existing          integer   Sum of already-known passwords across upload calls.
total_new               integer   Sum of newly inserted passwords across upload calls.

Supported hash formats

Format                                       Example
Plain MD5 / NTLM (32 hex chars)              2707569be0aff4a956388a851c68b4c6
Plain SHA1 (40 hex chars)                    da39a3ee5e6b4b0d3255bfef95601890afd80709
user:hash                                    pcaro:2707569be0aff4a956388a851c68b4c6
Domain dump (NTLM, with or without domain)   Administrator:500:aad3b435…:2000c92a…:::
                                             DOMAIN\Admin:500:aad3b435…:2000c92a…:::
LDAP SHA1 (base64-encoded)                   {SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
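
An added example, not part of the original page or of the bacon client: a local parser for the formats listed above that builds a POST /search body containing only bare hashes, then maps results back to accounts by position, so usernames and domains stay on your machine. The function names are hypothetical, the sample lines are constructed from the example values on this page, and the lowercase hex normalisation is an assumption about what the server accepts.

```python
import base64
import re

HEX = re.compile(r"(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40})")  # MD5/NTLM or SHA1

def parse_line(line):
    """Return (hex_hash, user, domain) for one supported input line, else None."""
    line = line.strip()
    if line.startswith("{SHA}"):                    # LDAP SHA1, base64-encoded
        try:
            raw = base64.b64decode(line[5:], validate=True)
        except ValueError:                          # bad alphabet or padding
            return None
        return (raw.hex(), None, None) if len(raw) == 20 else None
    parts = line.split(":")
    if len(parts) >= 4 and parts[1].isdigit():      # dump line: account:rid:lm:nt:::
        account, cand = parts[0], parts[3]
    elif len(parts) == 2:                           # user:hash
        account, cand = parts
    elif len(parts) == 1:                           # plain hash
        account, cand = None, parts[0]
    else:
        return None
    if not HEX.fullmatch(cand):
        return None
    domain, _, user = account.rpartition("\\") if account else ("", "", None)
    return cand.lower(), user, domain or None

def build_batch(lines):
    """Return (body, owners, rejected): body carries bare hashes only, deduplicated."""
    owners, rejected = {}, []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            rejected.append(line)                   # never sent to the API
        else:
            owners.setdefault(parsed[0], []).append((parsed[2], parsed[1]))
    return {"hashes": list(owners)}, owners, rejected

def exposed_accounts(body, response, owners):
    """Join results to (domain, user) pairs by position; results keep input order."""
    return [acct for h, r in zip(body["hashes"], response["results"])
            if r.get("found") for acct in owners[h]]

# Constructed sample input, built from the example values on this page.
SAMPLE = ["DOMAIN\\Admin:500:aad3b435b51404eeaad3b435b51404ee:2000c92a544e63c3345c2b4a4d2379de:::",
          "pcaro:2707569be0aff4a956388a851c68b4c6",
          "{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=",
          "notahash"]
```

Serialise body with json.dumps and send it to POST /search as shown earlier. Accounts that share a hash end up in the same owners entry, which also surfaces password reuse without any lookup.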

CLI client

The bacon client is a lightweight Bash script that wraps the API. Download it and store your token in ~/.baconhash:

# Download the client
curl -o bacon https://baconhash.pw/bacon && chmod +x bacon

# Store your token in a file only your user can read
echo "<your-token>" > ~/.baconhash
chmod 600 ~/.baconhash

# Look up a single hash
./bacon 2707569be0aff4a956388a851c68b4c6

# Look up a file of hashes (one per line)
./bacon hashes.txt

Response fields

Field    Type            Description
hash     string          The normalised hex hash that was looked up.
found    boolean         Whether a matching plaintext was found.
type     string | null   Hash algorithm (md5, ntlm, sha1) when found.
plain    string | null   Plaintext if found.
user     string | null   Username parsed from the input.
domain   string | null   Domain parsed from the input.
error    string | null   Error message if the input format was unrecognised.