Frequently asked questions

Everything you need to know about Xpiry — from setting up domain verification to wiring up Slack alerts.

Getting started

What is Xpiry?
Xpiry monitors your SSL certificates and domain registrations on a schedule and sends you alerts before anything expires. It checks expiry dates, validates certificate chains, and pulls registrar data via WHOIS / RDAP so you have one place to see the health of every domain you care about.
How do I add my first domain?
Sign up, head to your dashboard, and click Add domain. Enter the apex domain (e.g. example.com, not https://www.example.com/path). Once verified, Xpiry runs the first check almost immediately and then on a recurring schedule.
Should I add the apex domain or the www subdomain?
Add the apex domain (example.com). Xpiry checks the certificate served on HTTPS, which on most setups covers both example.com and www.example.com via SAN entries. If you serve a totally different cert on a subdomain, add that as its own domain on the Pro or Agency plan.

Domain verification

Why do I have to verify a domain?
Verification proves you actually own — or are authorized to monitor — the domain. It prevents people from secretly tracking domains they don't control and from filling the system with junk. Monitoring only starts after a domain is verified.
How does verification work?
When you add a domain, Xpiry generates a unique token. You add a single TXT record at _xpiry.yourdomain.com with the value xpiry-verify=<your-token>. Click Verify now and Xpiry queries DNS to confirm the record. That's it.
Where do I add the TXT record?
Wherever you manage DNS for the domain — your registrar (Namecheap, GoDaddy, Porkbun, etc.) or your DNS host (Cloudflare, Route 53, DNSimple). Look for "DNS records" or "Advanced DNS." Create a new record with type TXT, host _xpiry (most providers append the domain automatically), and the value Xpiry shows you. TTL can stay at the default.
Verification keeps failing — what should I check?
A few common gotchas:
  • DNS propagation: records can take a few minutes (sometimes longer) to be visible globally. Wait a moment and try again.
  • Host name: enter _xpiry, not _xpiry.yourdomain.com, on providers that auto-append the domain.
  • Quotes: some control panels wrap TXT values in quotes automatically — that's fine. Don't add extra quotes yourself.
  • Whole value: the value must include the xpiry-verify= prefix.
  • Right zone: make sure you're editing DNS at the host that's actually authoritative for the domain (check your nameservers if unsure).
You can verify the record yourself with dig TXT _xpiry.yourdomain.com or nslookup -type=TXT _xpiry.yourdomain.com.
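The checklist above can be turned into a small diagnostic that runs over `dig +short TXT` output. This is an added example, not Xpiry's verification code; the status labels, the `answers` mapping and the sample token are assumptions made for illustration.

```python
import shlex

PREFIX = "xpiry-verify="

def txt_value(dig_line):
    """Join the quoted character-strings of one `dig +short TXT` answer line."""
    return "".join(shlex.split(dig_line))

def diagnose(domain, token, answers):
    """answers maps a queried name to its `dig +short TXT` output lines."""
    name = f"_xpiry.{domain}"
    expected = PREFIX + token
    values = [txt_value(line) for line in answers.get(name, [])]
    if expected in values:
        return "ok"
    for value in values:
        if value.strip('"') == expected:
            return "extra_quotes"      # quotes typed into the value by hand
        if value == token:
            return "missing_prefix"    # xpiry-verify= was left off
        if value.startswith(PREFIX):
            return "token_mismatch"    # record from an older or different token
    # Typing the full name on a provider that auto-appends the zone
    # publishes the record one level too deep.
    if answers.get(f"{name}.{domain}"):
        return "host_doubled"
    return "no_record"                 # not propagated yet, or wrong zone edited

# Constructed sample answers (hypothetical token "tok123").
GOOD = {"_xpiry.example.com": ['"v=unrelated"', '"xpiry-verify=tok123"']}
SPLIT = {"_xpiry.example.com": ['"xpiry-verify=" "tok123"']}
QUOTED = {"_xpiry.example.com": [r'"\"xpiry-verify=tok123\""']}
DOUBLED = {"_xpiry.example.com.example.com": ['"xpiry-verify=tok123"']}

if __name__ == "__main__":
    for sample in (GOOD, SPLIT, QUOTED, DOUBLED, {}):
        print(diagnose("example.com", "tok123", sample))
```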
Can I remove the TXT record after verification?
We recommend leaving it in place. Xpiry may re-verify ownership periodically. The record is harmless and tiny — no reason to remove it.

Monitoring & checks

What exactly does Xpiry check?
For every verified domain, Xpiry checks:
  • The SSL/TLS certificate served on port 443 — issuer, subject, validity dates, days until expiry.
  • The certificate chain — making sure intermediates and the root are valid.
  • Certificate identity and crypto — public key (SPKI) fingerprint, signature algorithm, key size, SAN list, key usage, extended key usage.
  • The domain registration — registrar, registered date, and expiry date via WHOIS / RDAP.
On every check, Xpiry also compares the new certificate to the previous one and records anything that changed, so you get a full audit trail per domain.
How does certificate change detection work?
Each time Xpiry fetches a certificate, it diffs the result against the previous one stored for that domain and records a classified change with a severity. The kinds of changes Xpiry flags include:
  • Rekeyed — the public key changed. This distinguishes a real rekey from a same-key renewal.
  • Issuer changed — the certificate was signed by a different CA.
  • SANs changed — hosts were added to or removed from the subject alternative name list.
  • Weakened crypto — the cert moved to a weaker signature algorithm (e.g. SHA-1) or smaller key (e.g. sub-2048 RSA).
  • Chain broken / restored — the trust chain became invalid or started validating again.
  • Renewed (same key) — normal lifecycle renewal with the key reused.
The full history is visible on each domain's detail page, with the exact before/after for every field that changed.
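The classification described above can be sketched as a diff over two stored certificate snapshots. This is an added example, not Xpiry's implementation: the field names, severity labels and sample values are assumptions, and "weakened crypto" is simplified to crossing into a SHA-1/MD5 signature or a sub-2048-bit RSA key.

```python
# Added example; field names and severities are assumptions, not Xpiry's schema.
WEAK_SIG_ALGS = {"sha1WithRSAEncryption", "md5WithRSAEncryption"}

def is_weak(cert):
    """SHA-1/MD5 signature, or an RSA key below 2048 bits."""
    small_rsa = cert["key_alg"] == "RSA" and cert["key_bits"] < 2048
    return cert["sig_alg"] in WEAK_SIG_ALGS or small_rsa

def classify_changes(prev, curr):
    """Diff two certificate snapshots into (kind, severity, detail) tuples."""
    changes = []
    if prev["cert_sha256"] != curr["cert_sha256"]:
        # The SPKI fingerprint separates a real rekey from a same-key renewal.
        if prev["spki_sha256"] != curr["spki_sha256"]:
            changes.append(("rekeyed", "warning", "public key changed"))
        else:
            changes.append(("renewed_same_key", "info", "key reused"))
        if prev["issuer"] != curr["issuer"]:
            detail = f'{prev["issuer"]} -> {curr["issuer"]}'
            changes.append(("issuer_changed", "critical", detail))
        added = sorted(set(curr["sans"]) - set(prev["sans"]))
        removed = sorted(set(prev["sans"]) - set(curr["sans"]))
        if added or removed:
            detail = {"added": added, "removed": removed}
            changes.append(("sans_changed", "warning", detail))
        if is_weak(curr) and not is_weak(prev):
            detail = f'{curr["sig_alg"]}, {curr["key_alg"]} {curr["key_bits"]}'
            changes.append(("weakened_crypto", "critical", detail))
    # Chain status can flip without a new leaf, e.g. a dropped intermediate.
    if prev["chain_valid"] != curr["chain_valid"]:
        kind = "chain_restored" if curr["chain_valid"] else "chain_broken"
        severity = "info" if curr["chain_valid"] else "critical"
        changes.append((kind, severity, "trust chain status flipped"))
    return changes

# Constructed snapshots (fingerprints shortened for readability).
PREV = {"cert_sha256": "aa11", "spki_sha256": "k1", "issuer": "CN=Example CA 1",
        "sans": ["example.com", "www.example.com"], "chain_valid": True,
        "sig_alg": "sha256WithRSAEncryption", "key_alg": "RSA", "key_bits": 2048}
RENEWED = dict(PREV, cert_sha256="bb22")
SUSPECT = dict(PREV, cert_sha256="cc33", spki_sha256="k2", issuer="CN=Example CA 2",
               sans=["example.com", "www.example.com", "admin.example.com"],
               chain_valid=False)

if __name__ == "__main__":
    for change in classify_changes(PREV, SUSPECT):
        print(change)
```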
Why does it matter if the SAN list or issuer changes?
Unexpected changes to a production certificate are one of the clearest signals that something is wrong — either a misconfigured deployment that's covering more hostnames than it should, a CA that has been switched without coordination, or in the worst case an unauthorised reissuance. Catching those early is the difference between a quick rollback and an incident.
How often are checks run?
SSL checks run on a plan-based interval: every 24 hours on Free, 12 hours on Hobby, 6 hours on Pro, and every hour on Agency. Domain registration (WHOIS / RDAP) checks run weekly on Free and daily on every paid plan. Intervals are not user-configurable — pick a plan that matches the cadence you need.
Can I re-run domain verification on demand?
Yes — from a domain's detail page you can re-run the DNS TXT verification check at any time. SSL and security checks themselves run automatically on your plan's schedule.
Does Xpiry handle self-signed certificates?
Yes. If your server presents a self-signed certificate (one cert, issuer DN equal to subject DN, signature verifying with its own public key) Xpiry detects it, flags it on the domain page with a "Self-signed" badge, drops the security grade to its lowest tier, and fires a critical alert. The check itself still completes and records all the cert metadata. What Xpiry can't do is reach hosts behind a VPN or firewall — it has to be able to open a TCP connection to your server from the public internet.
Can I monitor a service on a non-standard port?
Yes. Each domain has a port setting (defaulting to 443). If you serve TLS on 8443, 9443, or anywhere else, set the port from the domain's Settings page and Xpiry will handshake there.

Security scanning

Beyond the certificate, what does Xpiry inspect?
Every check also runs a full TLS and security scan. Xpiry records:
  • TLS version & cipher — what was negotiated, which versions your server still supports, whether deprecated TLS 1.0/1.1/SSL 3 are still enabled, and whether the negotiated suite provides forward secrecy.
  • Security headers — HSTS, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy.
  • CAA records — your DNS-level CA authorization.
  • DNSSEC — whether your zone is signed and valid.
  • Certificate Transparency — that your cert is logged where browsers expect it.
  • OCSP stapling — whether your server is stapling a fresh OCSP response.
All of this rolls up into a single security grade you can read at a glance.
What does the security grade mean?
Xpiry assigns each domain a letter grade from A+ down to F based on certificate health, TLS version support, cipher strength, security headers, CAA, DNSSEC, and OCSP stapling. The grade is hard-capped for serious issues — for example a self-signed cert can never grade above an F-tier 20, and a revoked or expired cert grades 0. You can see the exact reasons that contributed to your grade on the domain detail page.

Alerts & notifications

When will I get alerted?
You choose. The defaults are 30, 14, 7, 3, and 1 day before expiry, but you can adjust them per account from the Notifications page. Available thresholds depend on your plan. On top of expiry alerts, Xpiry also sends a certificate change alert any time a cert is rekeyed, reissued by a different CA, has SANs added or removed, weakens its crypto, or breaks its trust chain.
What channels are supported?
Six: email, Slack, Microsoft Teams, Discord, PagerDuty, and generic webhooks. Which channels are available depends on your plan — email is everywhere, chat tools (Slack/Teams/Discord) start at Pro, and PagerDuty + custom webhooks are on Agency. Set up channels under Notifications, give each one a name (like #engineering-alerts or Customer X), and enable the ones you want. You can have multiple channels of the same type.
How do I set up Slack alerts?
In Slack, create an Incoming Webhook for the channel you want to post into. Copy the webhook URL, paste it into a new Slack channel inside Xpiry, and save. Use the Test button on a domain to send a test message and confirm everything works.
How do webhooks work?
Add an HTTPS URL and Xpiry will POST a JSON payload to it whenever an alert fires. Your endpoint should respond with a 2xx status. Webhooks are great for piping events into PagerDuty, Linear, your own incident pipeline, or anything else that speaks HTTP.
Why didn't I get an email?
Check your spam folder first, then make sure the email channel is enabled and the address is correct. If your account email isn't verified yet, alerts to that address are paused until it is. Whitelisting @xpiry.dev in your mail client also helps.

Plans & billing

Is there a free plan?
Yes — the Free plan lets you monitor a single domain so you can try Xpiry on something real before upgrading. See the pricing page for the current limits.
How does upgrading or downgrading work?
You can change plans at any time from Account → Billing. Upgrades take effect immediately; downgrades apply at the end of the current billing period so you keep what you've paid for.
What payment methods do you accept?
Billing runs through Stripe, so any card Stripe supports works. You can manage your card and download invoices from the customer portal in Billing.
Do you offer refunds?
If Xpiry isn't working for you, get in touch within 14 days of a charge and we'll sort it out.

Teams & accounts

Can I share an account with my team?
Yes. From the Team page you can invite teammates by email. They'll get a link to join your account and will see the same domains, alerts, and notification settings.
Can one person belong to multiple accounts?
Yes — accept invitations with the same email and you'll be able to switch between accounts. This is handy for agencies and contractors monitoring multiple clients.

Developers

Is there an API?
Yes — Pro and Agency plans get a REST API that mirrors the dashboard. You can list domains, add and verify them, fetch SSL certificate details, security scan results, alerts, alert rules, and check logs, and trigger an immediate re-check. Auth is API-key based. See the API docs for the full reference.
Is there a Terraform provider?
Coming soon. terraform-provider-xpiry is in development and will let you manage domains and alert rules as code, with data sources for accounts and individual domains. Email [email protected] if you'd like early access.
Is there a free SSL checker I can use without signing up?
Yes — the homepage free SSL checker runs the same TLS handshake and chain validation that powers the monitored checks. No login required, rate-limited to a few checks per IP per hour.

Security & privacy

What data does Xpiry store about my domains?
Just what's needed to monitor them: the domain name, certificate metadata (issuer, subject, SANs, validity dates, chain status, signature algorithm, public key algorithm and size, and the SHA-256 fingerprints of both the certificate and its public key), and registration data from public WHOIS / RDAP. Xpiry never stores private keys, credentials, or page contents — only the public information a TLS handshake already exposes to anyone who connects to your server.
Do you use third-party tracking?
No. Xpiry uses a single session cookie to keep you signed in — no advertising trackers, no analytics surveillance. See the Privacy Policy for details.
How do I delete my account?
From Account, scroll to the danger zone and choose Delete account. This removes your domains, alert rules, and account data permanently.

Troubleshooting

A domain shows "Awaiting first check" — what's happening?
The domain is verified and queued. The first check usually completes within a few minutes. If it's been much longer than that, try the manual refresh on the domain page or contact support.
Why is the chain showing as invalid when my browser is happy?
Browsers are forgiving — they'll often patch a missing intermediate certificate from their own cache. Xpiry validates the chain exactly as your server presents it, so a "valid in browser, invalid in Xpiry" result usually means your server isn't sending the full chain. Re-deploy the cert with the intermediate bundle and the warning will clear.
WHOIS / registration data is missing for my TLD.
Some TLDs heavily restrict WHOIS / RDAP data or rate-limit aggressively. Xpiry will keep trying, but in rare cases the registration expiry can't be retrieved automatically. SSL monitoring still works either way.
I still need help.
Email [email protected] with the domain in question and a description of what you're seeing. We read every message.
