FAQ

Frequently asked questions

Everything you need to know about Xpiry, from setting up domain verification to wiring up Slack alerts.

Getting started

What is Xpiry?
Xpiry monitors your SSL certificates, domain registrations, DNS records, redirects, and uptime on a schedule and alerts you before anything expires, or the moment your site stops responding. It validates certificate chains, runs security scans, pulls registrar data via WHOIS / RDAP, accepts heartbeat pings from your cron jobs, and can publish a public status page per domain, so you have one place to see the health of every domain you care about.
How do I add my first domain?
Sign up, head to your dashboard, and click Add domain. Enter the apex domain (e.g. example.com, not https://www.example.com/path). Once verified, Xpiry runs the first check almost immediately and then on a recurring schedule.
Should I add the apex domain or the www subdomain?
Add the apex domain (example.com). Xpiry checks the certificate served on HTTPS, which on most setups covers both example.com and www.example.com via SAN entries. If you serve a totally different cert on a subdomain, add the subdomain as its own domain. Its base domain needs to be in your account too, and each one counts toward your plan's domain limit.

Domain verification

Why do I have to verify a domain?
Verification proves you actually own, or are authorized to monitor, the domain. It prevents people from secretly tracking domains they don't control and from filling the system with junk. Monitoring only starts after a domain is verified.
How does verification work?
When you add a domain, Xpiry generates a unique token. You add a single TXT record at _xpiry.yourdomain.com with the value xpiry-verify=<your-token>. Click Verify now and Xpiry queries DNS to confirm the record. That's it.
Where do I add the TXT record?
Wherever you manage DNS for the domain: your registrar (Namecheap, GoDaddy, Porkbun, etc.) or your DNS host (Cloudflare, Route 53, DNSimple). Look for "DNS records" or "Advanced DNS." Create a new record with type TXT, host _xpiry (most providers append the domain automatically), and the value Xpiry shows you. TTL can stay at the default.
Verification keeps failing. What should I check?
A few common gotchas:
  • DNS propagation: records can take a few minutes (sometimes longer) to be visible globally. Wait a moment and try again.
  • Host name: enter _xpiry, not _xpiry.yourdomain.com, on providers that auto-append the domain.
  • Quotes: some control panels wrap TXT values in quotes automatically; that's fine. Don't add extra quotes yourself.
  • Whole value: the value must include the xpiry-verify= prefix.
  • Right zone: make sure you're editing DNS at the host that's actually authoritative for the domain (check your nameservers if unsure).
You can verify the record yourself with dig TXT _xpiry.yourdomain.com or nslookup -type=TXT _xpiry.yourdomain.com.
Can I remove the TXT record after verification?
You can. Once a domain is verified it stays verified; Xpiry does not currently re-check the record. We still recommend leaving it in place: the record is harmless and tiny, and if you ever delete and re-add the domain you'll need to verify again.

Monitoring & checks

What exactly does Xpiry check?
For every verified domain, Xpiry checks:
  • The SSL/TLS certificate served on port 443 (or your configured port): issuer, subject, validity dates, days until expiry.
  • The certificate chain, making sure intermediates and the root are valid.
  • Certificate identity and crypto: public key (SPKI) fingerprint, signature algorithm, key size, SAN list, key usage, extended key usage.
  • The domain registration: registrar, registered date, and expiry date via WHOIS / RDAP.
  • DNS records (opt-in per domain): A, AAAA, CNAME, MX, TXT, and nameserver snapshots, diffed against the previous check.
  • Redirect chains (opt-in per domain): every hop starting from the bare http:// URL, flagging loops, error endings, and missing HTTPS upgrades.
  • Uptime (opt-in per domain): an HTTP request to your site recording the status code and response time, with alerts when it goes down and when it recovers.
On every check, Xpiry also compares the new certificate to the previous one and records anything that changed, so you get a full audit trail per domain.
How does certificate change detection work?
Each time Xpiry fetches a certificate, it diffs the result against the previous one stored for that domain and records a classified change with a severity. The kinds of changes Xpiry flags include:
  • Rekeyed: the public key changed. This distinguishes a real rekey from a same-key renewal.
  • Issuer changed: the certificate was signed by a different CA.
  • SANs changed: hosts were added to or removed from the subject alternative name list.
  • Weakened crypto: the cert moved to a weaker signature algorithm (e.g. SHA-1) or smaller key (e.g. sub-2048 RSA).
  • Chain broken / restored: the trust chain became invalid or started validating again.
  • Renewed (same key): normal lifecycle renewal with the key reused.
The full history is visible on each domain's detail page, with the exact before/after for every field that changed.
Why does it matter if the SAN list or issuer changes?
Unexpected changes to a production certificate are one of the clearest signals that something is wrong: a misconfigured deployment that's covering more hostnames than it should, a CA that has been switched without coordination, or in the worst case an unauthorised reissuance. Catching those early is the difference between a quick rollback and an incident.
How often are checks run?
SSL and security checks run on a plan-based interval: every 24 hours on Free, 12 hours on Hobby, 6 hours on Pro, and every hour on Agency. Domain registration (WHOIS / RDAP) data refreshes on the same schedule for domains with expiry tracking enabled. Uptime checks run every 30 minutes on Free, 15 minutes on Hobby, 5 minutes on Pro, and every minute on Agency. Intervals are not user-configurable; pick a plan that matches the cadence you need.
How do I filter Xpiry's checks out of my logs and analytics?
Every HTTP request Xpiry sends (uptime probes, redirect checks, security scans, and webhook deliveries) identifies itself with a User-Agent containing +https://xpiry.dev, for example XpiryUptimeChecker/1.0 (+https://xpiry.dev). Match on xpiry.dev to exclude all monitoring traffic from your logs, metrics, or analytics, or on a specific component name to filter one kind of check.
Can I re-run domain verification on demand?
Yes. From a domain's detail page you can re-run the DNS TXT verification check at any time. SSL and security checks themselves run automatically on your plan's schedule.
Does Xpiry handle self-signed certificates?
Yes. If your server presents a self-signed certificate (one cert, issuer DN equal to subject DN, signature verifying with its own public key) Xpiry detects it, flags it on the domain page with a "Self-signed" badge, caps the security grade at an F, and fires a critical alert. The check itself still completes and records all the cert metadata. What Xpiry can't do is reach hosts behind a VPN or firewall; it has to be able to open a TCP connection to your server from the public internet.
Can I monitor a service on a non-standard port?
Yes. Each domain has a port setting (defaulting to 443). If you serve TLS on 8443, 9443, or anywhere else, set the port from the domain's Settings page and Xpiry will handshake there.

Security scanning

Beyond the certificate, what does Xpiry inspect?
Every check also runs a full TLS and security scan. Xpiry records:
  • TLS version & cipher: what was negotiated, which versions your server still supports, whether deprecated TLS 1.0/1.1/SSL 3 are still enabled, and whether the negotiated suite provides forward secrecy.
  • Security headers: HSTS, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy.
  • CAA records: your DNS-level CA authorization.
  • DNSSEC: whether your zone is signed and valid.
  • Certificate Transparency: that your cert is logged where browsers expect it.
  • OCSP stapling: whether your server is stapling a fresh OCSP response.
All of this rolls up into a single security grade you can read at a glance.
What does the security grade mean?
Xpiry assigns each domain a letter grade from A+ down to F based on certificate health, TLS version support, cipher strength, security headers, CAA, DNSSEC, and OCSP stapling. The grade is hard-capped for serious issues: a self-signed certificate caps the score at 20 out of 100 (an F), and a revoked or expired certificate scores 0. You can see the exact reasons that contributed to your grade on the domain detail page.

Uptime & status pages

How does uptime monitoring work?
Turn on Check uptime in a domain's settings and Xpiry sends an HTTP request to your site on your plan's interval, recording the status code and response time. A failed probe is re-checked twice over the next half minute before anything is marked down, and when checks run from multiple regions, a majority of recently reporting regions must agree the site is unreachable, so a single network blip won't page you. Server errors (5xx), timeouts, and connection failures count as down; 4xx responses mean the server answered, so they count as up.
What happens when my site goes down?
You get a critical alert on every channel you've configured the moment the outage is confirmed. While the site stays down, the alert re-fires every 30 minutes so it can't slip by unnoticed. Acknowledging the outage from the domain page pauses re-alerts for 30 minutes to 24 hours, your choice. When the site recovers you get a recovery notification that includes how long it was down.
What is the public status page?
Every domain can publish a status page at an unguessable URL that anyone can visit, with no login required. It shows live up/down status, uptime percentages for the last 24 hours, 7 days, and 30 days, average response time, and a 90-day history strip, and it auto-refreshes for live viewing. The page is included on every plan, as are theme and logo customization and serving from a custom subdomain like status.example.com.
Can I post updates during an incident?
Yes. From the domain page you can open an incident and post short updates as you work it: investigating, identified, monitoring, resolved, or a general update. They appear on the public status page as a timeline, and resolved incidents stay visible there for 90 days. It's the easiest way to keep users informed while you work through an outage.

Alerts & notifications

When will I get alerted?
You choose. Expiry alerts default to 30, 7, and 1 day before expiry, and you can adjust the thresholds per account from the Notifications page. Available thresholds depend on your plan. On top of expiry alerts, Xpiry also sends a certificate change alert any time a cert is rekeyed, reissued by a different CA, has SANs added or removed, weakens its crypto, or breaks its trust chain. When uptime monitoring is enabled you also get downtime and recovery alerts.
What channels are supported?
Four: email, Slack, Discord, and generic webhooks, available on every plan. For paging a human when something breaks, Xpiry has built-in on-call schedules and escalation policies with phone and SMS. Set up channels under Notifications, give each one a name (like #engineering-alerts or Customer X), and enable the ones you want. You can have multiple channels of the same type.
How do I set up Slack alerts?
In Slack, create an Incoming Webhook for the channel you want to post into. Copy the webhook URL, paste it into a new Slack channel inside Xpiry, and save. Use the Test button on a domain to send a test message and confirm everything works.
How do webhooks work?
Add an HTTPS URL (webhooks are an Agency feature) and Xpiry will POST a JSON payload to it whenever an alert fires. Every delivery carries an X-Xpiry-Signature header, an HMAC-SHA256 over the request id, timestamp, and body, so you can verify it really came from Xpiry. Failed deliveries are retried with backoff on 5xx and 429 responses. Your endpoint should respond with a 2xx status. Webhooks are great for piping events into Linear, your own incident pipeline, or anything else that speaks HTTP.
Why didn't I get an email?
Check your spam folder first, then make sure the email channel is enabled on the Notifications page. Alert emails go to every user on the account. Whitelisting @xpiry.dev in your mail client also helps.

Plans & billing

Is there a free plan?
Yes. The Free plan lets you monitor a single domain so you can try Xpiry on something real before upgrading. See the pricing page for the current limits.
How does upgrading or downgrading work?
You can change plans at any time from Billing. Plan switches take effect immediately, with Stripe prorating the difference. If you cancel, your paid plan runs to the end of the billing period and then drops to Free. If a change leaves you over the new plan's domain limit, the newest domains over the limit are paused, never deleted, so monitoring continues on your longest-standing domains.
What payment methods do you accept?
Billing runs through Stripe, so any card Stripe supports works. You can manage your card and download invoices from the customer portal in Billing.
Do you offer refunds?
If Xpiry isn't working for you, get in touch within 14 days of a charge and we'll sort it out.

Teams & accounts

Can I share an account with my team?
Yes, on every plan, with unlimited team members. From the Team page you can invite teammates by email; they'll get a link (valid for 7 days) to join your account and will see the same domains, alerts, and notification settings.
Can one person belong to multiple accounts?
Not at the moment. Each user belongs to a single account, and accepting an invitation moves your user into the inviting account. If you need a separate account of your own, register it under a different email address.

Developers

Is there an API?
Yes. Every plan gets a REST API that mirrors the dashboard (rate-limited per key, from 60 req/min on Free up to 600 on Agency). You can list domains, add and verify them, fetch SSL certificate details, security scan results, alerts, alert rules, and check logs, and trigger an immediate re-check. Auth is API-key based. See the API docs for the full reference.
Can Xpiry receive exceptions from my app?
Yes. Enable Exception tracking in a domain's settings and you get a Sentry-compatible DSN. Paste it into any Sentry SDK (no Xpiry client needed) and errors arrive grouped into issues with stacktraces, alerting you on new errors and on regressions of issues you'd resolved. Every plan includes a daily event budget, from 100 events/day on Free to 100,000 on Agency, and a retention window, from 3 days on Free to 90 on Agency. Once you pass either limit, the oldest events are pruned.
Is there a Terraform provider?
Coming soon. terraform-provider-xpiry is in development and will let you manage domains and alert rules as code, with data sources for accounts and individual domains. Email [email protected] if you'd like early access.
Is there a free SSL checker I can use without signing up?
Yes. The homepage free SSL checker runs the same TLS handshake and chain validation that powers the monitored checks. No login required; anonymous checks are limited to two per hour per IP.

Security & privacy

What data does Xpiry store about my domains?
Just what's needed to monitor them: the domain name, certificate metadata (issuer, subject, SANs, validity dates, chain status, signature algorithm, public key algorithm and size, and the SHA-256 fingerprints of both the certificate and its public key), and registration data from public WHOIS / RDAP. Xpiry never stores private keys, credentials, or page contents; it stores only the public information a TLS handshake already exposes to anyone who connects to your server.
Do you use third-party tracking?
No. Xpiry uses a single session cookie to keep you signed in, with no advertising trackers and no analytics surveillance. See the Privacy Policy for details.
How do I delete my account?
From Account, scroll to the danger zone and choose Delete account. This removes your domains, alert rules, and account data permanently.

Troubleshooting

A domain shows "Awaiting first check". What's happening?
The domain is verified and queued. The first check usually completes within a few minutes. If it's been much longer than that, contact support. (API users on any plan can also trigger an immediate re-check with POST /api/v1/domains/:id/check.)
Why is the chain showing as invalid when my browser is happy?
Browsers are forgiving: they'll often patch a missing intermediate certificate from their own cache. Xpiry validates the chain exactly as your server presents it, so a "valid in browser, invalid in Xpiry" result usually means your server isn't sending the full chain. Re-deploy the cert with the intermediate bundle and the warning will clear.
WHOIS / registration data is missing for my TLD.
Some TLDs heavily restrict WHOIS / RDAP data or rate-limit aggressively. Xpiry will keep trying, but in rare cases the registration expiry can't be retrieved automatically. SSL monitoring still works either way.
I still need help.
Email [email protected] with the domain in question and a description of what you're seeing. We read every message.

Still have questions?

Email us and a real human will get back to you.

[email protected]