Subscribe to the HIBP API at haveibeenpwned.com/Subscription and obtain an API key; send it in the hibp-api-key: YOUR_API_KEY header on every request to an authenticated endpoint.
Retrieve all breached email addresses for a monitored domain with GET https://haveibeenpwned.com/api/v3/breacheddomain/{domain}; the response is a JSON object mapping each breached email address to an array of breach names.
Cross-reference breach names against the full breach catalog (GET /api/v3/breaches) to enrich each breach with date, description, data classes exposed, and whether the breach is verified.
Automate scheduled polling (daily or after HIBP announces new data loads) and diff the results against a stored baseline to identify newly breached accounts since the last run.
Feed newly identified breached accounts into your identity provider or IAM system to trigger password-reset flows or account review tickets.
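The diff-and-enrich steps above, as an added example that is not HIBP's or this page's own code. The function names, the user-agent value, the sample data, and the rule that a breach exposing the "Passwords" data class triggers a password reset are assumptions; the catalog fields (Name, BreachDate, IsVerified, DataClasses) follow the HIBP breach model.

```python
import json
import urllib.request
API = "https://haveibeenpwned.com/api/v3"

def fetch(path, api_key):
    """GET an HIBP v3 endpoint (not called by the offline sample below)."""
    req = urllib.request.Request(f"{API}/{path}", headers={
        "hibp-api-key": api_key,
        "user-agent": "domain-breach-monitor"})  # assumed app name; HIBP requires a user agent
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def new_exposures(current, baseline):
    """Return {account: [breach names absent from the stored baseline]}."""
    delta = {}
    for account, breaches in current.items():
        added = sorted(set(breaches) - set(baseline.get(account, [])))
        if added:
            delta[account] = added
    return delta

def enrich(delta, catalog):
    """Join each new exposure with catalog metadata and pick a follow-up action."""
    by_name = {b["Name"]: b for b in catalog}
    findings = []
    for account in sorted(delta):
        for name in delta[account]:
            meta = by_name.get(name, {})  # breach missing from the catalog -> manual review
            classes = meta.get("DataClasses", [])
            findings.append({
                "account": account, "breach": name,
                "breach_date": meta.get("BreachDate"), "verified": meta.get("IsVerified"),
                # Assumed policy: exposed passwords force a reset, anything else is reviewed.
                "action": "password_reset" if "Passwords" in classes else "review",
            })
    return findings

# Constructed sample data standing in for the stored baseline and live API responses.
BASELINE = {"alice@example.com": ["ExampleForum"]}
CURRENT = {"alice@example.com": ["ExampleForum", "ExampleShop"],
           "bob@example.com": ["ExampleNewsletter"]}
CATALOG = [
    {"Name": "ExampleShop", "BreachDate": "2024-01-15", "IsVerified": True,
     "DataClasses": ["Email addresses", "Passwords"]},
    {"Name": "ExampleNewsletter", "BreachDate": "2023-06-01", "IsVerified": False,
     "DataClasses": ["Email addresses"]},
]

if __name__ == "__main__":
    print(json.dumps(enrich(new_exposures(CURRENT, BASELINE), CATALOG), indent=2))
```

After a run completes, store the current response as the new baseline so the next diff reports only later exposures.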
Known gotchas
Domain search is a premium feature requiring a paid subscription; the free tier only supports individual email lookups via the k-anonymity pwned passwords endpoint, not full domain sweeps.
The domain search API is designed for infrequent use (after new breach announcements); aggressive automated polling may trigger HTTP 429 rate-limit responses and possibly measures against the account.
The response maps each email address to breach names only, not to full breach metadata; a second call per breach name to /api/v3/breaches/{breachName} is required to get data classes and severity details.