Have I Been Pwned

live Security

Password breach checks (k-anonymity, no key) + breach catalog (no key) + breached-account lookup (paid BYO key).

6 tools · 0ms auth · free tier 50 calls/day

🔑 Authentication

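Password checks and breach-catalog tools are free with no key. check_account requires a paid HIBP subscription key, passed as the _apiKey query parameter on the gateway URL. The key then sits in plaintext in the MCP client config, so protect that file like any other credential.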

Config with credentials

```json
{
  "mcpServers": {
    "pipeworx-hibp": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote@latest",
        "https://gateway.pipeworx.io/hibp/mcp?_apiKey=your_hibp_key"
      ]
    }
  }
}
```

Tools

check_password required: password

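k-anonymity password check. The password itself is sent to the gateway worker; only the first 5 hex chars of its SHA-1 leave the worker. To keep the password on your own machine, hash it locally and call check_password_prefix instead.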

Parameters

| Name | Type | Description |
|---|---|---|
| password (req) | string | Password to check |

check_password_prefix required: sha1_prefix

Direct k-anonymity: send a 5-char SHA-1 prefix, receive suffixes and counts.

Parameters

| Name | Type | Description |
|---|---|---|
| sha1_prefix (req) | string | 5 hex chars |

list_breaches

All publicly-known breaches, optionally filtered by domain.

Parameters

| Name | Type | Description |
|---|---|---|
| domain (opt) | string | Optional domain |

get_breach required: name

Single breach by name.

Parameters

| Name | Type | Description |
|---|---|---|
| name (req) | string | Breach name |

list_data_classes

Canonical data-class tags.

No parameters required.

check_account required: account

REQUIRES PAID KEY. Breaches an email account appears in.

Parameters

| Name | Type | Description |
|---|---|---|
| account (req) | string | Email address |
| truncate (opt) | boolean | Return only breach names (default true) |
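
The client side of the check_password_prefix flow, as an added example (not Pipeworx or HIBP code): hash locally, send only the 5-char prefix, and match the returned suffixes yourself. It assumes the response follows HIBP's upstream range format of one SUFFIX:COUNT entry per line; the function names and the sample response are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Split the uppercase hex SHA-1 of a password into the 5-char prefix that is
// sent out and the 35-char suffix that never leaves this process.
function splitSha1(password) {
  const hex = crypto.createHash('sha1').update(password, 'utf8').digest('hex').toUpperCase();
  return { prefix: hex.slice(0, 5), suffix: hex.slice(5) };
}

// Parse a range response. Assumed format (HIBP's upstream range API): one
// "SUFFIX:COUNT" entry per line, CRLF or LF separated. Malformed lines are skipped.
function parseRange(body) {
  const counts = new Map();
  for (const line of body.split(/\r?\n/)) {
    const m = /^([0-9A-Fa-f]{35}):(\d+)$/.exec(line.trim());
    if (m) counts.set(m[1].toUpperCase(), Number(m[2]));
  }
  return counts;
}

// Local match: returns how often the password was seen (0 = not found).
// Padding-style entries, which carry a count of 0, also read as "not found".
function breachCount(password, rangeBody) {
  const { suffix } = splitSha1(password);
  return parseRange(rangeBody).get(suffix) ?? 0;
}

// Constructed sample response for the prefix of "password"; all counts are made up.
function sampleResponse() {
  const { suffix } = splitSha1('password');
  return [
    '0018A45C4D1DEF81644B54AB7F969B88D65:3', // constructed decoy suffix
    `${suffix}:1234`,                        // real suffix, made-up count
    '00D4F6E8FA6EECAD2A3AA415EEC418D38EC:0', // constructed padding-style entry
    'not a valid line',
  ].join('\r\n');
}

// Only this 5-char value would be passed as sha1_prefix.
console.log('sha1_prefix:', splitSha1('password').prefix);
console.log('seen count:', breachCount('password', sampleResponse()));
```

The comparison is on the full 35-char suffix, so the many other hashes sharing the same prefix never produce a false match.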

Test with curl

The gateway speaks JSON-RPC 2.0 over HTTP POST. You can test any pack directly from the terminal.

List available tools

```bash
curl -X POST https://gateway.pipeworx.io/hibp/mcp \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","id":1,"method":"tools/list"}'
```

Call a tool

```bash
curl -X POST https://gateway.pipeworx.io/hibp/mcp \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"check_password","arguments":{"password": "example"}}}'
```

Use with the SDK

Install @pipeworx/sdk to call tools from any TypeScript/Node project.

```typescript
import { Pipeworx } from '@pipeworx/sdk';

const px = new Pipeworx();

// Call a tool by name with its arguments.
const result = await px.call("check_password", {"password":"example"});

// Or ask in plain English (ask_pipeworx):
const answer = await px.ask("password breach checks (k-anonymity, no key) + breach catalog (no key) + breached-account lookup (paid byo key)");
```