How Does the Secret Check Work?
Why?
Given the nature of leaked credentials, it's not always possible to connect them back to an email address. We introduced this feature so you can check individual secrets directly. If you suspect a specific API key, token, or password may have been leaked, you can confirm it here.
Step by step
When you use the secret check, here is exactly what happens:
1. You paste your secret into the form on the check page.
2. Your browser computes a SHA-256 hash of the secret using the built-in Web Crypto API. This happens entirely in your browser — no network request is made yet.
3. Only the resulting hash (a 64-character hex string) is sent to our server over HTTPS.
4. Our server compares the hash against pre-computed hashes of known leaked secrets and returns a simple yes or no.
5. Your raw secret is never transmitted, logged, or stored by BreachClaw.
What is a hash?
A cryptographic hash is a one-way mathematical function that turns any input into a fixed-length string of characters. Think of it like a fingerprint: you can verify a match, but you cannot reconstruct the original from the fingerprint. SHA-256 is the industry standard used by security tools worldwide.
Can BreachClaw see my secret?
No. We receive only the hash, and a hash cannot be turned back into its input directly. For high-entropy secrets such as API keys and tokens, recovering the input from a SHA-256 hash by brute force is computationally infeasible. (This is what the "high-entropy" qualifier means in practice: a short or commonly used password has far fewer possibilities and could be matched by guessing, so the protection is strongest for random credentials.) We do not log or store the hash you submit.
Is HTTPS enough?
HTTPS encrypts the hash in transit, so a network observer sees only encrypted traffic. The only party that receives the hash is our server — and since the hash cannot be reversed, it reveals nothing about your secret beyond whether it matches something already in our database (which we already have).
What about browser extensions?
Browser extensions with DOM access can read input fields before hashing occurs. We cannot prevent this — it is a limitation of the browser security model. For maximum safety, use an extension-free browser profile or an incognito/private window with extensions disabled when checking secrets. Alternatively, hash your secret via the command line (see below) so it never enters a browser at all.
What if I don't trust browser JavaScript?
You can hash your secret in your terminal and paste the resulting 64-character hex string directly. Your secret never touches a browser or a network.
Mac / Linux:
printf '%s' 'YOUR_SECRET' | shasum -a 256 | cut -d' ' -f1
Windows (PowerShell):
(Get-FileHash -InputStream ([IO.MemoryStream]::new([Text.Encoding]::UTF8.GetBytes('YOUR_SECRET'))) -Algorithm SHA256).Hash.ToLower()
Replace YOUR_SECRET with your actual credential, keeping the quotes so the shell does not interpret special characters. Bear in mind that a command typed this way is saved in your shell history, so remove that entry afterwards. Paste the resulting hash on the check page.