Quickstart

Go from zero to your first breached-password check in under five minutes.

1. Sign up

Create a free account in the LeakJar Console. No credit card required for the demo environment. You'll get access to a sandbox project with mock data pre-loaded.

2. Create a project

Navigate to Projects in the console sidebar and click New Project. Give it a name (e.g. "Staging") and select the Demo environment. Each project gets its own API keys and configuration.

3. Get your API key

Open your project settings and navigate to API Keys. Click Generate Key to create a new secret key. Copy it immediately—it will only be displayed once.

Important: Treat your API key like a password. Never commit it to version control or expose it in client-side code.

4. Make your first check

Hash the password with SHA-1, take the first 5 hex characters as the prefix, and query the range endpoint. The server returns the suffixes of every stored hash that starts with that prefix; you compare locally, so the full hash is never sent.

```bash
# Hash the password and extract the 5-char prefix
# (printf avoids the non-portable behaviour of `echo -n`)
PREFIX=$(printf '%s' "password123" | shasum -a 1 | \
  awk '{print toupper($1)}' | cut -c1-5)

# Query the range endpoint
curl -s \
  -H "Authorization: Bearer YOUR_API_KEY" \
  "https://api.leakjar.com/api/demo/passwords/range/$PREFIX"

# Response: list of matching hash suffixes + exposure counts
# {
#   "prefix": "CBFDA",
#   "suffixes": [
#     { "suffix": "C09E6A76...", "count": 3861493 },
#     { "suffix": "D9B2A1F4...", "count": 12 },
#     ...
#   ]
# }
```

Compare the remaining characters of your hash against the returned suffixes. A match means the password has appeared in a known breach.
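
The whole of step 4, including the local comparison, as an added Python example (not LeakJar's own code). It assumes the key is supplied in an environment variable named `LEAKJAR_API_KEY` and that each returned suffix is the remaining 35 hex characters of a hash; `sample_fetch` is a constructed stand-in for the API so the block runs offline.

```python
import hashlib
import json
import os
import urllib.request

# Demo range endpoint from the quickstart above.
RANGE_URL = "https://api.leakjar.com/api/demo/passwords/range/"

def split_hash(password):
    """Return (prefix, suffix): the first 5 and remaining 35 hex chars of the SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def fetch_range(prefix):
    """Query the range endpoint; only the 5-character prefix leaves this process."""
    # Assumption: the secret key is supplied via the LEAKJAR_API_KEY env variable.
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Authorization": "Bearer " + os.environ["LEAKJAR_API_KEY"]},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def breach_count(password, fetch=fetch_range):
    """Return the exposure count for the password, or 0 when no suffix matches."""
    prefix, suffix = split_hash(password)
    body = fetch(prefix)
    # Refuse to compare against a response that is for a different prefix.
    if str(body.get("prefix", "")).upper() != prefix:
        raise ValueError("response prefix does not match the request")
    for entry in body.get("suffixes", []):
        if entry["suffix"].upper() == suffix:  # compare case-insensitively
            return int(entry["count"])
    return 0

def sample_fetch(prefix):
    """Constructed stand-in for the API (made-up counts) so the example runs offline."""
    known_prefix, known_suffix = split_hash("password123")
    entries = [{"suffix": "0" * 35, "count": 1}]
    if prefix == known_prefix:
        entries.append({"suffix": known_suffix.lower(), "count": 12})
    return {"prefix": prefix, "suffixes": entries}

if __name__ == "__main__":
    for candidate in ("password123", "correct horse battery staple"):
        print(candidate, "->", breach_count(candidate, sample_fetch))
```

Calling `breach_count(password)` without the second argument queries the demo endpoint instead of the stand-in.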

5. Apply a policy

Once you detect a breached password, decide what to do with the result. LeakJar supports four policy outcomes:

  • Block — reject the password outright during signup or reset.
  • Step-up MFA — allow the password but require multi-factor verification.
  • Force Reset — require the user to choose a new password at next login.
  • Notify — log the event and alert your security team without blocking the user.

See the Policies guide for implementation details and a decision matrix.