How to Use the Have I Been Pwned MCP in Claude

Q: How do I install the Have I Been Pwned MCP Server in Claude Desktop?

You edit your claudedesktopconfig.json file. Add the server command under the mcpServers key. Restart the app, and the tools will appear in your chat interface.

Q: How does this server handle data privacy for my passwords?

The checkpasswordsafety tool uses k-anonymity. It only transmits the first five characters of a SHA-1 password hash to the external API. The remaining 35 characters stay completely local to your machine, ensuring the full hash is never exposed over the network.

Claude Desktop connects to this MCP Server to check your credentials against known breaches before you deploy.

See Vinkius in Action

Works with every AI agent you already use

…and any MCP-compatible client

MCP Servers - Free for Subscribers

Connect Have I Been Pwned MCP to Claude Desktop

Create your Vinkius account to connect Have I Been Pwned to Claude Desktop and route execution through our secure gateway. The platform manages server hosting, runtime updates, and security layers. Configuration requires no manual server provisioning.

GDPR Free for Subscribers

Setup Have I Been Pwned with Claude Desktop

Ask AI about this MCP

ChatGPT

Claude

Perplexity

Safe password verification in Claude Desktop

The `check_password_safety` tool verifies if a specific hash exists in known breach dumps. It uses k-anonymity. Your actual password never leaves your machine. Claude just sends the first five characters of the SHA-1 hash to the API and compares the results locally. You don't want to find out about a compromised admin credential after a breach happens. Ask your agent to run the check directly in your chat interface. It pulls the match count and tells you exactly how many times that hash appeared in the wild.

Map out exposed account footprints

The `search_account_breaches` tool finds every recorded data breach tied to a specific email address. You hand Claude an email, and it returns the exact list of compromised services. It cuts through the noise and shows you the raw exposure data. Attackers don't just use structured breach dumps — they scrape Pastebin. That is why the `search_account_pastes` tool exists. It hunts down public text dumps containing your target email. You get the paste titles and dates so you can see exactly when the exposure occurred.

Analyze global MCP Server breach data

The `list_all_breaches` tool dumps the entire catalog of recorded security incidents. You can ask Claude to filter this list by year or data type. It gives you a clear view of historical targets and the specific classes of data lost. When you need the specifics of a single incident, the `get_breach_details` tool pulls the exact record by name. It outputs the breach date, the total number of compromised accounts, and the exact data fields exposed. This is how you decide if a specific breach actually threatens your current infrastructure.

Setup guide

Set up Have I Been Pwned MCP in Claude Web or Desktop

1

Open Claude Settings

Go to claude.ai, click your profile icon, then navigate to Customize → Connectors.
2

Add Custom Connector

Click the "+" button and select Add custom connector. Paste your Vinkius endpoint URL: https://edge.vinkius.com/[YOUR_TOKEN_HERE]/mcp Replace [YOUR_TOKEN_HERE] with your token from cloud.vinkius.com. For OAuth-protected servers, expand Advanced settings to add credentials.
3

Start a conversation

Open a new chat. The Have I Been Pwned MCP tools are available immediately — no restart needed.

Endpoint URL

https://edge.vinkius.com/[YOUR_TOKEN_HERE]/mcp

No configuration file needed — paste the URL directly in the Claude web interface.

Available on Free (1 connector), Pro, Max, Team, and Enterprise plans.

Prerequisites

Claude Desktop installed (macOS or Windows)
Active Vinkius subscription with a valid endpoint token

1

Open Claude Desktop Settings

Click the menu icon at the top-left corner, go to Settings → Developer → Edit Config. This opens claude_desktop_config.json in your default text editor.
2

Paste the Have I Been Pwned MCP configuration

Copy the JSON snippet on the right into the mcpServers object. Replace [YOUR_TOKEN_HERE] with your endpoint token from cloud.vinkius.com.
3

Restart Claude Desktop

Close and reopen the application. Claude needs a full restart to load new MCPs — refreshing a conversation is not enough.
4

Verify the connection

Open a new conversation. Click the 🔌 icon at the bottom of the message input. You should see tools listed under have-i-been-pwned-mcp.

json

{
  "mcpServers": {
    "have-i-been-pwned-mcp": {
      "url": "https://edge.vinkius.com/[YOUR_TOKEN_HERE]/mcp"
    }
  }
}

Get your connection token →

Independent Platform Disclaimer: Vinkius is an independent platform and is not affiliated with, endorsed by, sponsored by, verified by, or otherwise authorized by Have I Been Pwned. All third-party trademarks, logos, and brand names are the property of their respective owners. Their use on this website is strictly for informational purposes to identify service compatibility and interoperability.

Why Choose Vinkius

Vinkius connects your tools to AI with real-time monitoring and automatic cost savings — all from one dashboard.

Connect Have I Been Pwned now

Real-time monitoring

Live

visibility into every interaction

Connect your favorite tools to your AI and see exactly what's happening — every request, every response, in real time.

Built-in savings

60%

lower AI costs

Vinkius compresses data between your apps and your AI automatically. Lower bills every month — no configuration required.

Single dashboard

One

place for every integration

Every tool your AI connects to, managed from a single screen. One account, complete control.

Common questions about Have I Been Pwned MCP in Claude Desktop

You edit your claude_desktop_config.json file. Add the server command under the mcpServers key. Restart the app, and the tools will appear in your chat interface.

Yes, if you host the server remotely. Go to Settings, click Integrations, and paste the public HTTPS URL. You don't need to install anything locally.

The server itself is free. You will need a commercial API key from the HIBP service if you hit their rate limits.

Just ask Claude to check the email. It runs the search tools and outputs the exact breach history. If nothing comes back, the email isn't in their current database.

The check_password_safety tool uses k-anonymity. It only transmits the first five characters of a SHA-1 password hash to the external API. The remaining 35 characters stay completely local to your machine, ensuring the full hash is never exposed over the network.

Use it with your favorite AI tools

Connect this server to Cursor, Claude, VS Code, and more.

OpenAI Agents SDK sdk-python

Google ADK sdk-python

Pydantic AI sdk-python

Vercel AI SDK sdk-typescript