Integration

Datadog

LeakJar webhooks are delivered as JSON that Datadog Logs parses out of the box. Once ingested, events can feed monitors, SLOs, or Security Signals.

1. Create a Datadog Logs endpoint

Use Datadog's HTTP intake for logs:

urltext

https://http-intake.logs.datadoghq.com/api/v2/logs?ddsource=leakjar&ddtags=env:prod,service:leakjar

Datadog requires DD-API-KEYas a header; LeakJar webhooks don't support custom headers on the outbound side, so route the webhook through an AWS Lambda / Cloudflare Worker / Vercel Edge Function that injects your Datadog API key and forwards the payload.

2. Minimal forwarder (Cloudflare Worker)

forwarder.tstypescript

export default {
  async fetch(req: Request, env: { DD_API_KEY: string; LEAKJAR_SECRET: string }) {
    const body = await req.text();
    const sig = req.headers.get("X-LeakJar-Signature") ?? "";
    if (!(await verify(body, sig, env.LEAKJAR_SECRET))) {
      return new Response("invalid signature", { status: 401 });
    }

    return fetch("https://http-intake.logs.datadoghq.com/api/v2/logs", {
      method: "POST",
      headers: {
        "DD-API-KEY": env.DD_API_KEY,
        "Content-Type": "application/json",
      },
      body,
    });
  },
};

// verify() as in /docs/webhooks

3. Monitor example

monitor.yamlyaml

name: "LeakJar — critical exposure detected"
type: log alert
query: "logs(\"source:leakjar @event:exposureAlert.created @data.severity:critical\").index(\"*\").rollup(\"count\").last(\"5m\") > 0"
message: |
  {{#is_alert}}
  A critical-severity credential exposure was detected for user
  {{log.attributes.data.email}} (monitored domain
  {{log.attributes.data.monitoredDomainId}}).
  {{/is_alert}}
notify: ["@slack-security-alerts"]