While the email breach API requires a key, the pwnedpasswords endpoint uses k-anonymity and is completely open to check if a password hash has been leaked.