Quickstart
Go from zero to your first breached-password check in under five minutes.
Sign up
Create a free account in the LeakJar Console. No credit card required — you start on the free tier and can make live checks right away.
Create a project
Navigate to Projects in the console sidebar and click New Project. Give it a name (e.g. "Staging"). Each project gets its own API keys and configuration.
Get your API key
Open your project and navigate to Breached Password API. Click New key to create a new secret key (prefixed lj_). Copy it immediately—it will only be displayed once.
Make your first check
Hash the password using SHA-1, take the first 5 hex characters as the prefix, and query the range endpoint. The server returns all suffixes that match—you compare locally without ever sending the full hash.
# Hash the password and extract the 5-char prefix
PREFIX=$(printf '%s' "password123" | shasum -a 1 | \
awk '{print toupper($1)}' | cut -c1-5)
# Query the range endpoint
curl -s \
-H "Authorization: Bearer $LEAKJAR_API_KEY" \
"https://api.leakjar.com/v1/passwords/range/$PREFIX"
# → text/plain, one "SUFFIX:COUNT" per line
Compare the remaining characters of your hash against the returned suffixes. A match means the password has appeared in a known breach.
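The local comparison step in application code, as an added example (not LeakJar's own code). The function names and the sample response body are constructed for illustration, and the example assumes suffixes are the remaining 35 hex characters of the SHA-1 digest, matched case-insensitively.

```python
import hashlib

HEX = set("0123456789ABCDEF")

def split_hash(password: str) -> tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(password: str, range_body: str) -> int:
    """Look up the password's suffix in a range response body.

    range_body is the text/plain payload returned for the password's prefix,
    one "SUFFIX:COUNT" per line. Returns the count, or 0 if the suffix is absent.
    """
    _, suffix = split_hash(password)
    for line in range_body.splitlines():          # handles both LF and CRLF
        candidate, sep, raw = line.strip().partition(":")
        candidate = candidate.upper()
        if not sep or len(candidate) != 35 or not set(candidate) <= HEX:
            continue                              # skip blank or malformed lines
        if candidate == suffix:
            try:
                return int(raw.strip())
            except ValueError:
                return 0                          # matched line with unusable count
    return 0

def demo() -> tuple[str, int, int]:
    """Run the check against a constructed response body (no network access)."""
    prefix, suffix = split_hash("password123")
    body = "\r\n".join([
        "0" * 35 + ":4",        # constructed non-matching entry
        suffix + ":1523",       # constructed count for the sample password
        "F" * 35 + ":1",        # constructed non-matching entry
    ])
    hit = breach_count("password123", body)
    miss = breach_count("a long passphrase not in the sample", body)
    return prefix, hit, miss

if __name__ == "__main__":
    prefix, hit, miss = demo()
    print(f"prefix sent to the API: {prefix}")
    print(f"sample password seen {hit} times; other password seen {miss} times")
```

Only the 5-character prefix ever leaves the process; the suffix and the plaintext password stay local.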
Apply a policy
Once you detect a breached password, decide what to do with the result. LeakJar supports four policy outcomes:
- Block — reject the password outright during signup or reset.
- Step-up MFA — allow the password but require multi-factor verification.
- Force Reset — require the user to choose a new password at next login.
- Notify — log the event and alert your security team without blocking the user.
See the Policies guide for implementation details and a decision matrix.