Documentation

Notification Channels

SSLTrackr can notify you through multiple channels when your SSL certificates are about to expire, have expired, or when a domain becomes unreachable.

Each channel is a simple notification endpoint tied to your account. Alert thresholds are configured per domain: on each domain's detail page, you subscribe channels and choose which thresholds trigger notifications. You can configure multiple channels of the same type.

In addition to external channels, every alert automatically generates an in-app notification visible in the sidebar. This cannot be disabled.

Email

Sends an HTML email via Brevo (SMTP) with the alert severity, hostname, expiration date, and days remaining.

Field          Example
Label          My email alerts
Email address  ops@example.com

SMS

Sends a 160-character SMS via Brevo. When subscribing an SMS channel to a domain, only the 3-day, 1-day, and expired (0) thresholds are available by default to avoid excessive messaging costs.

The phone number must include the international prefix (e.g. +33 for France, +1 for US).

Slack

Posts a rich message to a Slack channel via Incoming Webhook, with a color-coded sidebar based on severity (blue = info, orange = warning, red = critical).

Setup

  1. Go to https://api.slack.com/apps and click Create New App
  2. Choose From scratch, name it (e.g. SSLTrackr), and select your workspace
  3. In the left sidebar, click Incoming Webhooks
  4. Toggle Activate Incoming Webhooks to On
  5. Click Add New Webhook to Workspace
  6. Select the channel where alerts should be posted (e.g. #ssl-alerts) and click Allow
  7. Copy the Webhook URL and paste it in SSLTrackr

The URL looks like: https://hooks.slack.com/services/T.../B.../xxxx

Webhook

Sends a signed JSON POST request to any HTTPS endpoint. Every request is signed with HMAC-SHA256 so you can verify authenticity.

The HMAC secret must be at least 16 characters.

Signature header

X-SSLTrackr-Signature: sha256=<hex-encoded HMAC-SHA256>

Payload format

Example payload:

{
  "alert_type": "ssl_expiry",
  "hostname": "example.com",
  "severity": "warning",
  "title": "example.com — SSL certificate expires in 30 days",
  "message": "The SSL certificate for example.com expires on 2026-03-21. 30 days remaining.",
  "threshold_days": 30,
  "triggered_at": "2026-02-19T12:00:00.000Z"
}

Alert types

alert_type          threshold_days       Description
ssl_expiry          60, 30, 14, 7, 3, 1  Certificate expires in N days
ssl_expired         0                    Certificate has expired
domain_unreachable  null                 Domain unreachable for 3+ consecutive checks

Severity levels

Severity  Condition
info      More than 30 days remaining
warning   8 to 30 days remaining
critical  7 days or less / expired / unreachable

Verifying the signature

The HMAC signature is computed over the raw JSON body using your secret. Always verify the signature before processing the payload.

Node.js

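const crypto = require("crypto");
const express = require("express");

const app = express();

// express.raw() keeps req.body as a Buffer, so the HMAC covers the exact bytes sent.
app.post("/webhook", express.raw({ type: "application/json" }), (req, res) => {
  const signature = Buffer.from(req.headers["x-ssltrackr-signature"] || "");
  const expected = Buffer.from("sha256=" + crypto
    .createHmac("sha256", process.env.WEBHOOK_SECRET)
    .update(req.body)
    .digest("hex"));
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  if (signature.length !== expected.length || !crypto.timingSafeEqual(signature, expected)) {
    return res.status(401).send("Invalid signature");
  }
  const payload = JSON.parse(req.body);
  // Handle the alert...
  res.status(200).send("OK");
});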

Python

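import hashlib
import hmac

def verify(body: bytes, secret: str, header: str) -> bool:
    # Compute the HMAC over the raw request body, exactly as received.
    expected = hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()
    # compare_digest runs in constant time, unlike ==.
    return hmac.compare_digest(header.encode(), f"sha256={expected}".encode())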
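
An added example, not SSLTrackr's own code, that extends the check above into a full receiver path: reject a missing or malformed header, verify over the raw bytes, then validate the parsed fields against the alert type and severity tables. The names handle_webhook, sign, SECRET, SAMPLE and RAW are assumptions, and the secret and payload bytes are constructed.

```python
import hashlib
import hmac
import json

# (alert_type -> allowed threshold_days), taken from the "Alert types" table.
ALLOWED_THRESHOLDS = {
    "ssl_expiry": (60, 30, 14, 7, 3, 1),
    "ssl_expired": (0,),
    "domain_unreachable": (None,),
}
SEVERITIES = ("info", "warning", "critical")


def sign(body: bytes, secret: str) -> str:
    """Header value a sender would compute; used here to build test input."""
    return "sha256=" + hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()


def handle_webhook(raw_body: bytes, header, secret: str):
    """Return (status, alert). Hypothetical helper, not an SSLTrackr API."""
    # A missing or malformed header is rejected before any comparison.
    if not isinstance(header, str) or not header.startswith("sha256="):
        return 401, None
    # Constant-time compare over the exact bytes received on the wire.
    if not hmac.compare_digest(header.encode(), sign(raw_body, secret).encode()):
        return 401, None
    # The body is authentic; it is still validated before use.
    try:
        alert = json.loads(raw_body)
    except ValueError:
        return 400, None
    if not isinstance(alert, dict) or not isinstance(alert.get("hostname"), str):
        return 400, None
    alert_type = alert.get("alert_type")
    if not isinstance(alert_type, str) or alert_type not in ALLOWED_THRESHOLDS:
        return 400, None
    if alert.get("threshold_days") not in ALLOWED_THRESHOLDS[alert_type]:
        return 400, None
    if alert.get("severity") not in SEVERITIES:
        return 400, None
    return 200, alert


# Constructed sample input: fields from the page's example payload, made-up secret.
SECRET = "constructed-secret-0123"
SAMPLE = {"alert_type": "ssl_expiry", "hostname": "example.com",
          "severity": "warning", "threshold_days": 30,
          "title": "example.com — SSL certificate expires in 30 days"}
RAW = json.dumps(SAMPLE, ensure_ascii=False, separators=(",", ":")).encode()
```

Passing json.dumps(json.loads(RAW)).encode() with the header computed for RAW returns 401, because re-serializing changes the separators and escapes the dash in title. This is why the HMAC has to be checked against the body bytes as received.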

Push Notifications

Receive native browser and mobile notifications directly on your device. Push notifications work even when the app is not open.

Requirements: HTTPS, supported browser, notification permission granted
Each push subscription is tied to a specific browser/device. Enable push on each device where you want to receive alerts.

Alert thresholds

On each domain's detail page, you subscribe a channel and select which thresholds trigger notifications. Each channel can have different thresholds per domain. Only one alert fires per threshold per certificate.

  • 60 days — Early warning
  • 30 days — Renewal recommended
  • 14 days — Renewal strongly recommended
  • 7 days — Urgent, renewal needed soon
  • 3 days — Critical, immediate action required
  • 1 day — Last chance before expiry
  • Expired — Certificate has already expired

Deduplication

The same alert will not fire twice for the same threshold until the certificate is renewed (detected via serial number change).