Free SSL Certificate API · Live TLS handshake · JSON

SSL Certificate API — live data, never cached scanner output.

Get the live TLS certificate for any domain in JSON: issuer, validity dates, SANs, signature algorithm, key bits, and days until expiry. Every response from a real TLS handshake — not a third-party scanner that may be days out of date.

Start free → See code examples Live sample (stripe.com)
1,000 free requests/mo No credit card required Live TLS handshake
Try it

See it work with any domain.

Type any domain to see the live SSL certificate response from the API. Free, no signup — rate-limited to 5 lookups/day per browser.

GET /domain/{d}/ssl
Try: stripe.comvercel.comopenai.comcloudflare.com 0 / 5 today 
// Click "Run lookup" to see the live API response for this endpoint
Want everything in one call?
Use /lookup/{domain} to get WHOIS + DNS + SSL + subdomains + email security in a single REST call. Same API key, same pricing, same response format — just bundled. Great for lead enrichment, fraud detection, full domain audits.
See the all-in-one endpoint →
Why this SSL API

Live data. No third-party scanners.

Most SSL "APIs" are wrappers around periodic scanner data that's hours or days old. This API performs a real TLS handshake on every uncached request — the data is fresh from the live server.

Live TLS handshake
Each uncached request performs a real TLS connection to port 443 of the target host. The cert returned is whatever the host is actually serving right now — not a snapshot from a scheduled scan hours or days ago.
Pre-computed expiry
days_until_expiry returned as an integer. No date parsing, no timezone math — just check the number and alert when it crosses your threshold (typically 30 or 7).
Full SAN list
Subject Alternative Names returned as an array. Useful for verifying that a cert covers all the hostnames you expect, or detecting unexpected hostnames added to a shared cert.
Signature algorithm + key bits
Useful for compliance audits or supply-chain checks. Catch weak algorithms (sha1, md5), short keys (RSA-1024), or ECDSA curve choices that don't match your policy.
Issuer normalized
Issuer string normalized so you can easily group certs by CA (Let's Encrypt, Google Trust Services, DigiCert, Sectigo, ZeroSSL, etc.). Useful for migration tracking or vendor consolidation.
Bundled with full domain intel
Get just SSL via /domain/{d}/ssl, or grab SSL + DNS + WHOIS + subdomains + email security in a single /lookup/{d} call. Same API key, same pricing.
Response shape

Everything you need to act on. Clean JSON.

Below: a real response for cloudflare.com. days_until_expiry is the field most monitoring code cares about.

GET/domain/cloudflare.com/ssl
{
  "domain": "cloudflare.com",
  "issuer": "Google Trust Services",
  "subject": "cloudflare.com",
  "valid_from": "2026-03-12T00:00:00Z",
  "valid_to": "2026-06-10T23:59:59Z",
  "days_until_expiry": 19,         // alert when this drops below 30
  "sans": [
    "cloudflare.com",
    "*.cloudflare.com"
  ],
  "signature_algorithm": "sha256WithRSAEncryption",
  "key_bits": 2048,
  "serial_number": "0a1b2c3d..."
}
Code examples

Drop it into your monitoring stack.

The Python example below is the canonical "alert on certs expiring within 30 days" pattern. Drop it in cron, pipe alerts to Slack/PagerDuty/email.

curl "https://domain-intelligence-api.p.rapidapi.com/domain/cloudflare.com/ssl" \
  -H "X-RapidAPI-Host: domain-intelligence-api.p.rapidapi.com" \
  -H "X-RapidAPI-Key: YOUR_RAPIDAPI_KEY"
import requests

DOMAINS = ["yourapp.com", "api.yourapp.com", "marketing.yourapp.com"]
ALERT_THRESHOLD = 30

headers = {
    "X-RapidAPI-Host": "domain-intelligence-api.p.rapidapi.com",
    "X-RapidAPI-Key": "YOUR_RAPIDAPI_KEY",
}

for domain in DOMAINS:
    r = requests.get(
        f"https://domain-intelligence-api.p.rapidapi.com/domain/{domain}/ssl",
        headers=headers, timeout=15,
    )
    data = r.json()
    days = data.get("days_until_expiry")
    if days is None:
        print(f"{domain}: could not fetch cert")
    elif days <= ALERT_THRESHOLD:
        print(f"{domain}: ALERT — cert expires in {days} days ({data['valid_to']})")
    else:
        print(f"{domain}: OK — {days} days remaining")
// Node 18+ has built-in fetch — no import needed
const DOMAINS = ["yourapp.com", "api.yourapp.com"];
const ALERT_THRESHOLD = 30;
const headers = {
  "X-RapidAPI-Host": "domain-intelligence-api.p.rapidapi.com",
  "X-RapidAPI-Key": "YOUR_RAPIDAPI_KEY",
};

for (const domain of DOMAINS) {
  const res = await fetch(
    `https://domain-intelligence-api.p.rapidapi.com/domain/${domain}/ssl`,
    { headers }
  );
  const data = await res.json();
  if (data.days_until_expiry <= ALERT_THRESHOLD) {
    console.log(`ALERT: ${domain} cert expires in ${data.days_until_expiry} days`);
  }
}
<?php
$domain = "cloudflare.com";
$ch = curl_init("https://domain-intelligence-api.p.rapidapi.com/domain/$domain/ssl");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    "X-RapidAPI-Host: domain-intelligence-api.p.rapidapi.com",
    "X-RapidAPI-Key: YOUR_RAPIDAPI_KEY",
]);
$data = json_decode(curl_exec($ch), true);
curl_close($ch);
echo "Days until expiry: " . $data["days_until_expiry"];
Use cases

Common things people build with this SSL API.

Production-grade workflows for cert monitoring, compliance, and security.

Cert expiry alerting
Daily cron job checks all your domains. Alert at 30 days, panic at 7. Prevent the 3 AM page when a cert silently expires. Free tier covers ~30 domains daily.
Compliance & weak-algorithm audits
Catch certs using deprecated algorithms (sha1, md5) or short keys (RSA-1024) across your infrastructure. Required for SOC 2, PCI-DSS, and many internal security baselines.
SAN coverage verification
When deploying a new subdomain, verify the cert's SANs cover it before going live. Avoid the embarrassment of a cert mismatch on launch day.
Migration tracking
Watch as your fleet migrates from one CA to another (e.g., paid DigiCert to free Let's Encrypt). Track issuer field over time to confirm rollouts complete.
SaaS customer health
If your platform lets customers add custom domains, periodically verify their SSL setup. Catch broken renewals before customers complain.
Supply chain monitoring
Watch certs of critical third-party services (payment processors, identity providers, CDN). Alert on unexpected issuer changes that could signal MitM or supply chain compromise.
Pricing

Pay only for what you use.

Billed monthly via RapidAPI. Same pricing across all endpoints (SSL, DNS, WHOIS, subdomains, email security, and bundled /lookup). Cancel anytime.

BASIC
$0/mo
For evaluation, side projects, and small-domain monitoring.
  • 1,000 requests / month
  • All endpoints included
  • No credit card required
Start free
Most popular
PRO
$9.99/mo
For production apps doing real volume. Sweet spot for most teams.
  • 50,000 requests / month
  • Higher rate limits
  • Email support
Choose PRO
ULTRA
$39.99/mo
For SaaS platforms with embedded domain features.
  • 500,000 requests / month
  • SLA: 99.9% uptime
  • Priority support
Choose ULTRA
MEGA
$149.99/mo
For data platforms, security vendors, and high-volume workloads.
  • 5,000,000 requests / month
  • Highest concurrency
  • Dedicated support
Choose MEGA
FAQ

Frequently asked questions.

Quick answers to common developer questions about the SSL API.

Is your SSL Certificate API free?+
Yes. Free tier includes 1,000 requests per month with no credit card required. Paid tiers start at $9.99/mo for 50,000 requests.
Is the data from a live TLS handshake or a cached scanner?+
Live by default. Every request performs a real TLS handshake against port 443 of the target host. We cache successful responses for 6 hours to reduce latency, but the first call always hits the live server — not a third-party scanner that might be days old.
What fields are returned?+
issuer, subject, valid_from, valid_to, days_until_expiry, sans (Subject Alternative Names), signature_algorithm, key_bits, and serial_number. Enough to monitor expiry, check for weak algorithms, and verify SAN coverage.
Does this work for wildcard certs?+
Yes. Wildcards appear as SANs in the response (e.g. *.example.com). The cert object reflects whatever the TLS handshake returns for the requested hostname.
What about Certificate Transparency events?+
This endpoint returns the currently-deployed cert, not CT log events. For CT log monitoring (when ANY new cert is issued for a domain), use our subdomain enumeration endpoint which aggregates crt.sh and certspotter CT log data.
Can I check certs that aren't deployed publicly?+
No — the API performs a TLS handshake to the target host on port 443, so it only sees certs deployed on publicly reachable infrastructure. For internal certs, run the check from inside your own network using openssl s_client or a self-hosted version of the API (MIT-licensed, source on GitHub).
What's the rate limit?+
Free tier: 1,000 requests per month. Pro: 50,000/mo. Ultra: 500,000/mo. Mega: 5M/mo. Per-second rate limits are generous on all tiers.
How fast does this respond?+
Cached responses return in under 100ms. Fresh TLS handshakes typically complete in 200-800ms depending on target host latency and TLS negotiation time (slower for hosts with under-tuned TLS configs or distant geographic locations).

Stop being surprised by expiring certs.

Free tier · No credit card · All endpoints included

Get your API key →