SSLforSaaS API

Introduction

Welcome to the SSLforSaaS API documentation. These are the live APIs you can use when integrating SSL automation for custom domains into your SaaS platform.

🔐 Automated SSL for SaaS Domains

SSLforSaaS gives you an all-access pass to all SSL automation features — provision, manage, and revoke certificates programmatically for every one of your customers' custom domains.

About SSLforSaaS
Instant, automated SSL for custom domains — at scale.

SSLforSaaS provides automated SSL certificate management for third-party domain names on the fly. Gain all the benefits of SSL — security, speed, SEO rankings, and the ability to use HTTP/2 for greater performance improvements.

Whether you are managing dozens or millions of custom domains for your customers, SSLforSaaS handles issuance, renewal, and revocation automatically so you can focus on building your product.

Base URL
All API requests are made to the following base URL:
HTTPS https://api.sslforsaas.io/v1/
Authentication

All requests to the SSLforSaaS API require authentication via an API token. Include your token in the URL path as shown in the examples throughout this documentation, or retrieve it from the API settings page of your dashboard.

💡
Your API key is available in your SSLforSaaS dashboard → Workspace Settings → API. Keep it secret and never expose it in client-side code.
Quick-start

Issue your first SSL certificate in one request:

cURL
curl -XPOST -H "Content-type: application/json" \
     -d '{"domain": "customer.example.com"}' \
     'https://api.sslforsaas.io/v1/{API_KEY}/tls'

That's it — SSLforSaaS will provision the certificate and fire a domain.created webhook once it's ready.

SSLforSaaS API

Basics

SSLforSaaS APIs are HTTP-based RESTful APIs. All request and response payloads are JSON.

General rules
  • All requests must be issued over HTTPS
  • All requests require authentication via an API token in the URL path
  • Request and response bodies are application/json
API Request
To construct a valid API request, include the following components:
ComponentDescription
HTTP methodGET Request data · POST Submit data · PUT Update resource · DELETE Delete resource
Base URLhttps://api.sslforsaas.io/v1/
Content-Type headerapplication/json
JSON bodyRequired for POST and PUT requests
API Response
All API responses return standard HTTP status codes plus a JSON body.
Status codeDescription
200Successful GET request
201Successful POST or PUT — resource created or updated
400Bad request or already exists
401Unauthorized — insufficient permissions
403Forbidden — missing or invalid API token
404Resource not found
409Conflict — validation error
500 / 501Server error — contact support
Rate Limits

The SSLforSaaS API applies rate limits per API key. If you exceed the limit you will receive a 429 Too Many Requests response. Check your plan limits in the dashboard.

SSLforSaaS API

Errors

The SSLforSaaS API uses conventional HTTP status codes to communicate success or failure. JSON error bodies give you the detail you need to debug.

Validation Errors

Validation errors occur when one or more required fields are missing or invalid. Returns a 409 Conflict.

JSON — 409 Conflict
{
  "required_field": [
    "This field is required."
  ]
}
Authentication Errors

Authentication errors occur when no token is provided, the token is invalid, or the token lacks permission for the requested resource.

Missing or invalid token — 403 Forbidden

JSON — 403 Forbidden
{
  "description": "Please provide an auth token as part of the request.",
  "title": "Invalid api key"
}

Insufficient permissions — 401 Unauthorized

JSON — 401 Unauthorized
{
  "message": "You do not have the required permission to access this resource"
}
Other Errors
Status codeDescription
400Request could not be fulfilled — bad request or resource already exists
404Requested resource does not exist
500 / 501Server error — contact SSLforSaaS support immediately if you encounter these
⚠️
500/501 errors are extremely rare. If you encounter one, contact support@sslforsaas.io with your request details.
SSL Certificates

Provisioning an SSL Certificate

Provision a new SSL certificate for a customer's custom domain with a single POST request.

Endpoint
POST https://api.sslforsaas.io/v1/{API_KEY}/tls

Replace {API_KEY} with your SSLforSaaS token from the API settings page of your dashboard.

Sample Request
cURL
curl -XPOST -H "Content-type: application/json" \
     -d '{
  "domain": "customer.example.com"
}' \
     'https://api.sslforsaas.io/v1/{API_KEY}/tls'
A successful response returns HTTP 201. SSLforSaaS will begin provisioning the certificate immediately and fire a domain.created webhook when complete.
Specifying a Project Endpoint
If you have configured multiple project endpoints, pass the endpoint reference key when provisioning a certificate.

You can find the endpoint reference key on the project settings page of your SSLforSaaS dashboard.

cURL
curl -XPOST -H "Content-type: application/json" \
     -d '{
  "domain": "customer.example.com",
  "endpoint": "{ENDPOINT_REF}"
}' \
     'https://api.sslforsaas.io/v1/{API_KEY}/tls'
Request Parameters
ParameterTypeRequiredDescription
domainstringRequiredThe customer's custom domain to provision (e.g. customer.example.com)
endpointstringOptionalProject endpoint reference key. Required only when using multiple endpoints.
targetstringOptionalCustom origin server for this domain (Enterprise plan only).
SSL Certificates

De-provisioning an SSL Certificate

Remove an existing SSL certificate for a custom domain — for example when a customer removes their custom domain from your platform.

Endpoint
POST https://api.sslforsaas.io/v1/{API_KEY}/disable
Sample Request

Replace {API_KEY} with your SSLforSaaS API token.

cURL
curl -XPOST -H "Content-type: application/json" \
     -d '{
  "domain": "customer.example.com"
}' \
     'https://api.sslforsaas.io/v1/{API_KEY}/disable'
A successful de-provisioning request returns HTTP 200. SSLforSaaS will fire a domain.disabled webhook once the certificate is revoked.
Request Parameters
ParameterTypeRequiredDescription
domainstringRequiredThe custom domain whose certificate should be revoked.
SSL Certificates

Custom Certificates

Bring your own SSL certificates instead of using SSLforSaaS-issued ones — ideal for customers who manage their own PKI or require specific CA issuance.

Availability: Custom certificates are available on all SSLforSaaS plans.
Getting started

Unlike SSLforSaaS-managed certificates — where issuance and renewal are fully automated — custom certificates put you in charge of the following:

  • Uploading the Certificate — add your certificate via the dashboard or API.
  • Updating the Certificate — when renewing, you must push the new certificate to SSLforSaaS.
  • Monitoring Expiry — SSLforSaaS does not auto-renew custom certificates. You are responsible for tracking the expiration date.
Certificate Requirements

SSLforSaaS validates every custom certificate before accepting it. Your certificate must:

  • Be encoded in PEM format
  • Have a Subject Alternative Name (SAN) matching the target domain
  • Not expire within 14 days of the upload date
  • Not have a password-protected private key
Adding a certificate via the dashboard
  • Go to Domains and select the relevant domain
  • Click Add certificate
  • Paste or drag-and-drop your PEM certificate and private key
  • Click Next — SSLforSaaS validates the certificate automatically
Managing certificates via the API
💡
Replace {API_KEY} with your SSLforSaaS token from dashboard → Workspace Settings → API.

Adding a certificate

POST https://api.sslforsaas.io/v1/{API_KEY}/certificate/add
cURL
curl -X POST -H "Content-type: application/json" \
     -d '{
  "display_name": "My custom cert",
  "certificate": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
  "private_key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----",
  "domain": "customer.example.com"
}' \
     'https://api.sslforsaas.io/v1/{API_KEY}/certificate/add'

Updating a certificate

POST https://api.sslforsaas.io/v1/{API_KEY}/certificate/update
cURL
curl -X POST -H "Content-type: application/json" \
     -d '{
  "certificate": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
  "private_key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----",
  "domain": "customer.example.com"
}' \
     'https://api.sslforsaas.io/v1/{API_KEY}/certificate/update'

Removing a certificate

POST https://api.sslforsaas.io/v1/{API_KEY}/certificate/remove
cURL
curl -X POST -H "Content-type: application/json" \
     -d '{
  "domain": "customer.example.com"
}' \
     'https://api.sslforsaas.io/v1/{API_KEY}/certificate/remove'
Others

Webhooks

SSLforSaaS webhooks notify your server in real time whenever a certificate event occurs — a domain is provisioned, disabled, or deleted.

Webhook payload structure

All webhook payloads share the same top-level structure:

  • event — the type of event that occurred
  • data.id — the unique ID of the affected resource
  • data.status — the current status
  • data.url — the domain name
  • data.endpoint — project endpoint details (if applicable)
  • data.timestamp — ISO 8601 timestamp of the event

domain.created

JSON
{
  "event": "domain.created",
  "data": {
    "id": "907589706",
    "url": "customer.example.com",
    "endpoint": {},
    "timestamp": "2024-06-16T14:58:47Z",
    "admin_graphql_api_id": "gid://sslforsaas/Domain/907589706"
  }
}

domain.disabled

JSON
{
  "event": "domain.disabled",
  "data": {
    "id": "907589706",
    "url": "customer.example.com",
    "endpoint": {},
    "timestamp": "2024-06-16T15:12:00Z"
  }
}

domain.deleted

JSON
{
  "event": "domain.deleted",
  "data": {
    "id": "907589706",
    "url": "customer.example.com",
    "timestamp": "2024-06-16T16:00:00Z"
  }
}
Creating a webhook endpoint

Your webhook URL is a standard POST endpoint that parses a JSON body and returns 200 OK.

Node.js PHP
Express
app.post("/sslforsaas-webhook", (req, res) => {
  // Verify signature
  const secretHash = process.env.SSLFORSAAS_SECRET_HASH;
  const signature = req.headers["x-sslforsaas-signature"];
  if (!signature || signature !== secretHash) {
    return res.status(401).end();
  }
  const payload = req.body;
  console.log("SSLforSaaS event:", payload.event);
  // Process event asynchronously …
  res.status(200).end();
});
Enabling webhooks
  • Log in to your SSLforSaaS dashboard
  • Go to Workspace Settings → Webhooks
  • Add your webhook URL and an optional secret hash
  • Save your settings
💡
For quick testing, visit webhook.site to get a temporary public URL — no server setup needed.
Event types
EventDescription
domain.createdA new domain has been provisioned
domain.disabledA domain's certificate has been revoked
domain.deletedA domain has been permanently deleted
Best practices

Use a secret hash

Your webhook URL is publicly accessible. Set a secret hash in your SSLforSaaS dashboard and verify the x-sslforsaas-signature header on every incoming request.

Respond quickly

Return a 200 OK as fast as possible. Dispatch long-running tasks to a background queue. Without a timely response, SSLforSaaS will retry for up to 36 hours.

Be idempotent

Occasionally SSLforSaaS may deliver the same event more than once. Record processed event IDs and skip duplicates gracefully.

Others

Custom Origin Server

Route each custom domain to a different origin server — giving you per-domain traffic control at the infrastructure level.

⚠️
Enterprise plan required. Custom origin servers are available on the SSLforSaaS Enterprise plan only.
What is a custom origin server?

By default all provisioned domains route traffic to the single application endpoint configured on your SSLforSaaS project. A custom origin server lets you specify a per-domain target endpoint at provisioning time.

Example:

  • customer-a.example.comorigin-a.your-backend.io
  • customer-b.example.comorigin-b.your-backend.io
Usage

Add a "target" parameter to the provisioning request body:

POST https://api.sslforsaas.io/v1/{API_KEY}/tls
cURL
curl -XPOST -H "Content-type: application/json" \
     -d '{
  "domain": "customer.example.com",
  "target": "origin-a.your-backend.io"
}' \
     'https://api.sslforsaas.io/v1/{API_KEY}/tls'
A successful response returns HTTP 201 and the domain will now route traffic to your specified custom origin.
Request Parameters
ParameterTypeRequiredDescription
domainstringRequiredThe custom domain to provision
targetstringRequiredThe custom origin server hostname or IP address
Others

Listing Domain Names

Retrieve a paginated list of all custom domains in your project — with optional filtering by DNS status and operational status.

Endpoint
GET https://api.sslforsaas.io/v1/{API_KEY}/domain/list
Sample Request
cURL
curl -XGET -H "Content-type: application/json" \
     'https://api.sslforsaas.io/v1/{API_KEY}/domain/list?page=1'

Sample Response

JSON — 200 OK
{
  "domains": [
    {
      "id": 1,
      "name": "www.example.com",
      "dns_status": "CONNECTED",
      "status": "ENABLED"
    },
    {
      "id": 2,
      "name": "shop.acme.io",
      "dns_status": "DISCONNECTED",
      "status": "DISABLED"
    }
  ],
  "page": 1,
  "total_pages": 5,
  "total_domains": 2500
}
Query Parameters
ParameterTypeRequiredDescription
pageintegerOptionalPage number. Defaults to 1.
dns_statusstringOptionalFilter by DNS status: CONNECTED, DISCONNECTED, PENDING
statusstringOptionalFilter by operational status: ENABLED or DISABLED
Filtering examples

Filter by DNS status

cURL
curl -XGET 'https://api.sslforsaas.io/v1/{API_KEY}/domain/list?dns_status=CONNECTED'

Filter by operational status

cURL
curl -XGET 'https://api.sslforsaas.io/v1/{API_KEY}/domain/list?status=ENABLED'

Combine both filters

cURL
curl -XGET 'https://api.sslforsaas.io/v1/{API_KEY}/domain/list?dns_status=CONNECTED&status=ENABLED'
Others

Certificate Authorities

SSLforSaaS lets you choose your preferred Certificate Authority (CA) for automatically issued SSL certificates.

Supported Certificate Authorities

SSLforSaaS integrates with the following trusted CAs. Select your preferred CA from your project settings page.

Certificate AuthorityBrowser Compatibility
Let's EncryptView compatibility →
ZeroSSLView compatibility →
Choosing a CA

Both Let's Encrypt and ZeroSSL are trusted by all major browsers and operating systems. The choice typically depends on:

  • Issuance speed — both offer near-instant DV certificate issuance
  • Rate limits — Let's Encrypt applies per-domain rate limits; ZeroSSL has higher default limits on paid plans
  • Compliance requirements — some enterprise environments prefer ZeroSSL for commercial CA support
💡
You can change your preferred CA at any time from Project Settings → Network. Changes apply to newly provisioned certificates only.