How to Use the Have I Been Pwned MCP in VS Code Copilot

Q: What data privacy protections apply to my code?

The checkpasswordsafety tool strictly uses k-anonymity for password checks. It sends only a five-character SHA-1 prefix over the network. Your source code and full credentials never leave your local environment during this check.

VS Code Copilot integrates this MCP Server directly into your team's shared development environment.

See Vinkius in Action

Works with every AI agent you already use

…and any MCP-compatible client

MCP Servers - Free for Subscribers

Connect Have I Been Pwned MCP to VS Code Copilot

Create your Vinkius account to connect Have I Been Pwned to VS Code Copilot and route execution through our secure gateway. The platform manages server hosting, runtime updates, and security layers. Configuration requires no manual server provisioning.

GDPR Free for Subscribers

Setup Have I Been Pwned with VS Code Copilot

Ask AI about this MCP

ChatGPT

Claude

Perplexity

Audit team accounts in VS Code Copilot

The `search_account_breaches` tool checks any email against a massive database of compromised services. You can open a list of employee emails in your editor and ask Copilot to run the check. It returns a plain list of which accounts are exposed. Once you find a hit, the `get_breach_details` tool provides the context. It tells you exactly when the breach happened and what data types were stolen. Your engineering team can use this data to force targeted password resets without guessing.

Verify shared credentials safely

The `check_password_safety` tool confirms if a password is burned. It uses a k-anonymity model to check the hash prefix against a remote database. The full password stays inside your local VS Code instance. Shared staging passwords often end up in public repositories. Copilot can scan your configuration files and warn you if those credentials are known to attackers. You fix the vulnerability before the code hits production.

Monitor public MCP Server exposures

The `search_account_pastes` tool scans sites like Pastebin for your corporate domains. Attackers frequently dump raw text files containing scraped credentials. This tool lets your agent find those dumps so you can invalidate the accounts immediately. To understand the broader threat, the `list_all_breaches` tool pulls the entire catalog of known incidents. You can ask Copilot to filter this data to see if any of your supply chain vendors were recently compromised. It is a direct line to historical threat intelligence.

Setup guide

Set up Have I Been Pwned MCP in VS Code Copilot

Prerequisites

VS Code 1.99 or later with GitHub Copilot extension
Active Vinkius subscription with a valid endpoint token

1

Open MCP configuration

Open the Command Palette (Cmd+Shift+P / Ctrl+Shift+P) and run "MCP: Add Server". Select HTTP (Streamable) as the server type. VS Code will create .vscode/mcp.json in your workspace.
2

Add the Have I Been Pwned MCP

Paste the JSON snippet shown on the right into your .vscode/mcp.json. Replace [YOUR_TOKEN_HERE] with your endpoint token from cloud.vinkius.com.
3

Switch to Agent mode

Open Copilot Chat (Cmd+Shift+I / Ctrl+Shift+I) and switch to Agent mode using the dropdown. MCP tools are only available in Agent mode — they do not appear in Edit or Ask modes.
4

Verify the connection

In the Copilot Chat input, type # to list available tools. You should see the Have I Been Pwned tools listed. Try asking: "List my recent Have I Been Pwned transactions" and Copilot will invoke them automatically.

.vscode/mcp.json

{
  "mcpServers": {
    "have-i-been-pwned-mcp": {
      "url": "https://edge.vinkius.com/[YOUR_TOKEN_HERE]/mcp"
    }
  }
}

Get your connection token →

Independent Platform Disclaimer: Vinkius is an independent platform and is not affiliated with, endorsed by, sponsored by, verified by, or otherwise authorized by Have I Been Pwned. All third-party trademarks, logos, and brand names are the property of their respective owners. Their use on this website is strictly for informational purposes to identify service compatibility and interoperability.

Why Choose Vinkius

Vinkius connects your tools to AI with real-time monitoring and automatic cost savings — all from one dashboard.

Connect Have I Been Pwned now

Real-time monitoring

Live

visibility into every interaction

Connect your favorite tools to your AI and see exactly what's happening — every request, every response, in real time.

Built-in savings

60%

lower AI costs

Vinkius compresses data between your apps and your AI automatically. Lower bills every month — no configuration required.

Single dashboard

One

place for every integration

Every tool your AI connects to, managed from a single screen. One account, complete control.

Common questions about Have I Been Pwned MCP in VS Code Copilot

Create a .vscode/mcp.json file in your repository root. Add the server details and commit the file. Everyone who pulls the repo gets the tools automatically.

No. The tools require an active internet connection to query the external breach database.

Yes. You can prompt Copilot to read specific files and verify the emails within them. The agent will iterate through the list using the provided tools.

The API will return a 429 error. You will need to wait before making another request. A commercial API key increases your limits.

The check_password_safety tool strictly uses k-anonymity for password checks. It sends only a five-character SHA-1 prefix over the network. Your source code and full credentials never leave your local environment during this check.

Use it with your favorite AI tools

Connect this server to Cursor, Claude, VS Code, and more.

OpenAI Agents SDK sdk-python

Google ADK sdk-python

Pydantic AI sdk-python

Vercel AI SDK sdk-typescript