Security primitives API for developers

Five endpoints: generate compliant credentials, validate strength and entropy, check breach exposure with k-anonymity, retrieve tamper-evident audit logs by date range (Pro tier and above), and issue free-tier API keys via signup. One integration, machine-readable documentation on every call.

The credential security problem developers inherit

Developers reach for Math.random() or weak generation functions because the secure path requires too much internal work. Auditors then find the gap six months later. The Six Sense API puts cryptographic security and compliance documentation at the point where credentials are first created, not after the audit starts.

POST /v1/generate

Base URL

https://api.sixsensesolutions.net

Authentication

Authorization: Bearer <api_key>

Endpoint

POST /v1/generate

Response

200 OK

Request example

{
  "length": 20,
  "quantity": 5,
  "options": {
    "uppercase": true,
    "lowercase": true,
    "numbers": true,
    "symbols": true,
    "exclude_ambiguous": true
  },
  "compliance": "NIST"
}

Success response example

{
  "passwords": [
    "xK9#mPqR2vHnYbL4wZ8j",
    "Tn5@cFwM7pBsXqJ3eR6y",
    "Hm2$kVzN8dGrPuL9wC4x"
  ],
  "meta": {
    "length": 20,
    "entropy_bits": 120,
    "generated_at": "2026-04-09T15:18:11.094Z",
    "compliance_profile": "NIST",
    "calls_remaining": 49998
  }
}

POST /v1/validate

Base URL

https://api.sixsensesolutions.net

Authentication

Authorization: Bearer <api_key>

Endpoint

POST /v1/validate

Response

200 OK

A 200 response means validation ran successfully. Check the passed field for the credential result.

Request example

{
  "credential": "MyStr0ng!Pass#2026",
  "policy": {
    "compliance": "NIST"
  }
}

Success response example

{
  "passed": true,
  "score": 100,
  "credential_analysis": {
    "length": 18,
    "entropy_bits": 118.3,
    "has_uppercase": true,
    "has_lowercase": true,
    "has_numbers": true,
    "has_symbols": true,
    "has_ambiguous": true,
    "charset_size": 95
  },
  "policy_results": {
    "length": { "required": 15, "actual": 18, "passed": true },
    "entropy_bits": { "required": 80, "actual": 118.3, "passed": true },
    "uppercase": { "required": true, "actual": true, "passed": true },
    "lowercase": { "required": true, "actual": true, "passed": true },
    "numbers": { "required": true, "actual": true, "passed": true },
    "symbols": { "required": true, "actual": true, "passed": true }
  },
  "compliance_profile": "NIST",
  "failures": [],
  "validated_at": "2026-04-11T20:17:51.859Z"
}
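
A local re-computation of the credential_analysis and policy_results fields in the sample response above, as an added example that is not Six Sense Solutions' code. The character-class sizes, the ambiguous set and the formula entropy = length x log2(charset_size) are assumptions chosen because they reproduce the sample's figures (charset_size 95, entropy_bits 118.3); minimum lengths and required classes come from the compliance profiles table on this page.

```python
import math
import string

# Assumptions (not stated on the page): class sizes picked so that all four
# classes together give the sample's charset_size of 95, and the ambiguous set.
CLASS_CHARS = {
    "uppercase": string.ascii_uppercase,    # 26
    "lowercase": string.ascii_lowercase,    # 26
    "numbers": string.digits,               # 10
    "symbols": string.punctuation + " ",    # 33
}
AMBIGUOUS = set("0O1lI")

# Minimum length and required classes come from the compliance profiles table;
# the 80-bit entropy floor appears only in the NIST sample response.
PROFILES = {
    "NIST": {"length": 15, "entropy_bits": 80,
             "classes": ["uppercase", "lowercase", "numbers", "symbols"]},
    "SOC2": {"length": 12, "entropy_bits": None,
             "classes": ["uppercase", "lowercase", "numbers"]},
    "strong": {"length": 8, "entropy_bits": None, "classes": []},
}


def analyze(credential: str) -> dict:
    """Rebuild the credential_analysis block for one credential."""
    present = {name: any(c in chars for c in credential)
               for name, chars in CLASS_CHARS.items()}
    charset_size = sum(len(CLASS_CHARS[n]) for n, hit in present.items() if hit)
    entropy = len(credential) * math.log2(charset_size) if charset_size else 0.0
    return {"length": len(credential), "entropy_bits": round(entropy, 1),
            "charset_size": charset_size,
            "has_ambiguous": any(c in AMBIGUOUS for c in credential),
            **{f"has_{n}": hit for n, hit in present.items()}}


def validate(credential: str, profile: str) -> dict:
    """Apply one profile and list the failed checks, as in policy_results."""
    policy, info = PROFILES[profile], analyze(credential)
    results = {"length": info["length"] >= policy["length"]}
    if policy["entropy_bits"] is not None:
        results["entropy_bits"] = info["entropy_bits"] >= policy["entropy_bits"]
    for name in policy["classes"]:
        results[name] = info[f"has_{name}"]
    failures = [name for name, ok in results.items() if not ok]
    return {"passed": not failures, "failures": failures, "analysis": info}
```

Length x log2(charset_size) is the entropy of a uniformly random string over that alphabet, so for a human-chosen credential the figure is an upper bound. A passing result says nothing about breach exposure, which is a separate call.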

POST /v1/breach-check

Base URL

https://api.sixsensesolutions.net

Authentication

Authorization: Bearer <api_key>

Endpoint

POST /v1/breach-check

Response

200 OK

Request example

{
  "credential": "the_credential_to_check"
}

Success response (not exposed)

{
  "exposed": false,
  "exposure_count": 0,
  "risk_rating": "low",
  "checked_at": "2026-04-11T10:00:00.000Z",
  "note": "This credential does not appear in known breach databases. This does not guarantee it is secure."
}

Success response (exposed)

{
  "exposed": true,
  "exposure_count": 2254650,
  "risk_rating": "critical",
  "checked_at": "2026-04-11T20:17:54.352Z",
  "note": "This credential appears in known breach databases. Do not use it."
}

K-anonymity

The plaintext credential never leaves the caller's environment in a recoverable form: the API hashes the value and only transmits a short hash prefix to the external range service. Your credential is not stored by Six Sense Solutions.
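
The hash-and-prefix lookup that the paragraph above describes, as an added example that is not Six Sense Solutions' code. It assumes SHA-1 and a 5-character hex prefix in the style of the Have I Been Pwned range protocol (the page names neither the hash nor the prefix length), and FakeRangeService is a constructed in-memory stand-in for the external range service.

```python
import hashlib

PREFIX_LEN = 5  # assumption: 5 hex characters, as in the HIBP range protocol


def split_hash(credential: str) -> tuple[str, str]:
    """Hash the credential and split the hex digest into (prefix, suffix)."""
    digest = hashlib.sha1(credential.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range(body: str) -> dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines returned for one prefix bucket."""
    bucket = {}
    for line in body.splitlines():
        suffix, _, count = line.strip().partition(":")
        if suffix and count.isdigit():
            bucket[suffix.upper()] = int(count)
    return bucket


def breach_check(credential: str, fetch_range) -> dict:
    """Send only the prefix to the range service; match the suffix locally."""
    prefix, suffix = split_hash(credential)
    count = parse_range(fetch_range(prefix)).get(suffix, 0)
    return {"exposed": count > 0, "exposure_count": count}


class FakeRangeService:
    """Constructed in-memory stand-in for the external range service."""

    def __init__(self, corpus: dict[str, int]):
        self.seen = []      # every value the service is ever sent
        self.buckets = {}   # prefix -> list of 'SUFFIX:COUNT' lines
        for password, count in corpus.items():
            prefix, suffix = split_hash(password)
            self.buckets.setdefault(prefix, []).append(f"{suffix}:{count}")

    def __call__(self, prefix: str) -> str:
        self.seen.append(prefix)
        return "\n".join(self.buckets.get(prefix, []))


if __name__ == "__main__":
    service = FakeRangeService({"password": 1234, "letmein": 77})  # constructed counts
    print(breach_check("password", service))
    print(breach_check("a-long-unique-passphrase-7f3", service))
    print("range service saw only:", service.seen)
```

The range service receives nothing but the prefix, so it cannot tell which of the hashes sharing that prefix was being checked.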

GET /v1/audit-log

Base URL

https://api.sixsensesolutions.net

Authentication

Authorization: Bearer <api_key>

Pro tier and above. Free tier keys receive 403 AUDIT_LOG_NOT_AVAILABLE.

Endpoint

GET /v1/audit-log

Response

200 OK

Query parameters

Parameter    Required  Description
start_date   Yes       ISO calendar date, e.g. 2026-04-01 (UTC day boundary).
end_date     Yes       ISO calendar date, e.g. 2026-04-30. Must be on or after start_date.
event_type   No        Filter: generate or validate. Omit to return both.
limit        No        Max items to return, 1–1000. Default 100.

Maximum date span is 90 days. Events are ordered newest first.

Example request

GET /v1/audit-log?start_date=2026-04-01&end_date=2026-04-30&event_type=generate&limit=100

Success response example

{
  "events": [
    {
      "event_id": "uuid",
      "event_type": "generate",
      "created_at": "2026-04-11T20:17:51Z",
      "request": {
        "length": 20,
        "quantity": 1,
        "compliance_profile": "NIST"
      },
      "result": {
        "entropy_bits": 120.4,
        "compliance_profile": "NIST",
        "quantity_generated": 1
      }
    }
  ],
  "count": 1,
  "start_date": "2026-04-01",
  "end_date": "2026-04-30",
  "api_key_id": "abcd1234"
}

Audit log errors are listed in the global error codes table: MISSING_DATE_RANGE, INVALID_DATE_FORMAT, INVALID_DATE_RANGE, and AUDIT_LOG_NOT_AVAILABLE (403, Pro tier required).

Compliance profiles

Profile  Minimum Length  Character Requirements                  Excludes Ambiguous  Use Case
NIST     15              Uppercase, lowercase, numbers, symbols  Yes                 Regulated teams and audit-heavy environments
SOC2     12              Uppercase, lowercase, numbers           Yes                 SaaS security controls and SOC2-aligned programs
strong   8               Caller-defined                          Caller-defined      General product and internal credential workflows

Error codes

Code                     HTTP Status  Meaning
INVALID_LENGTH           400          Length is outside allowed bounds.
INVALID_QUANTITY         400          Quantity is outside allowed bounds.
NO_CHARSET               400          No character set options were enabled.
INVALID_COMPLIANCE       400          Requested compliance profile is not recognized.
INVALID_BODY             400          Request body is missing or malformed.
INVALID_CREDENTIAL       400          Credential field is missing or not a string (validate and breach-check).
MISSING_DATE_RANGE       400          start_date or end_date missing (audit-log).
INVALID_DATE_FORMAT      400          Invalid ISO date format (audit-log).
INVALID_DATE_RANGE       400          Invalid or too-wide date range (audit-log).
MISSING_AUTH             401          Authorization header is missing or malformed.
INVALID_KEY              401          API key is not valid.
AUDIT_LOG_NOT_AVAILABLE  403          Audit log access requires Pro tier or above.
SERVICE_UNAVAILABLE      503          Upstream breach database unreachable (breach-check).
RATE_LIMIT_EXCEEDED      429          Monthly usage limit for the key has been reached.

Pricing tiers

Free

500 calls/month

No credit card

Pro

$29/month

50,000 calls/month

Business

$149/month

500,000 calls/month

Enterprise

Custom pricing

Unlimited calls, compliance documentation, priority support

Code examples

JavaScript

const response = await fetch("https://api.sixsensesolutions.net/v1/generate", {
  method: "POST",
  headers: {
    "Content-Type": "application/json",
    "Authorization": "Bearer test_pro_key"
  },
  body: JSON.stringify({
    length: 20,
    quantity: 1,
    options: {
      uppercase: true,
      lowercase: true,
      numbers: true,
      symbols: true,
      exclude_ambiguous: true
    },
    compliance: "NIST"
  })
});

const json = await response.json();
console.log(response.status, json.meta.entropy_bits);

Python

import requests

url = "https://api.sixsensesolutions.net/v1/generate"
headers = {
    "Content-Type": "application/json",
    "Authorization": "Bearer test_pro_key"
}
payload = {
    "length": 20,
    "quantity": 1,
    "options": {
        "uppercase": True,
        "lowercase": True,
        "numbers": True,
        "symbols": True,
        "exclude_ambiguous": True
    },
    "compliance": "NIST"
}

r = requests.post(url, json=payload, headers=headers, timeout=15)
print(r.status_code, r.json()["meta"]["calls_remaining"])

cURL

curl -X POST "https://api.sixsensesolutions.net/v1/generate" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer test_pro_key" \
  -d '{
    "length": 20,
    "quantity": 1,
    "options": {
      "uppercase": true,
      "lowercase": true,
      "numbers": true,
      "symbols": true,
      "exclude_ambiguous": true
    },
    "compliance": "NIST"
  }'