Start by registering for a free account at sslforsaas.io/register. No credit card is required during the trial period. Once registered, you'll land in the main dashboard where all configuration lives.
Once you're in, your dashboard gives you access to your API key, domain list, certificate status, webhook configuration, and all account settings. Keep your API key safe — you'll need it in Step 5.
Your application endpoint is where SSLforSaaS will forward customer traffic after the SSL certificate is applied. This is the hostname of your SaaS application — the server or load balancer that handles your customers' requests.
For example, if your customers visit app.customerdomain.com, SSLforSaaS will terminate SSL and proxy all traffic to your endpoint, such as app.yourplatform.com.
Navigate to Settings → Application Endpoint in your dashboard and enter your hostname.
SSLforSaaS will perform a quick connectivity check to verify your endpoint is reachable. Once verified, a green checkmark appears and you're ready for the next step.
- Load balancer or hostname: Use a hostname like app.yourplatform.com pointing to your load balancer or primary server.
- Multiple regions: If your infrastructure spans regions, use a GeoDNS-aware hostname. SSLforSaaS proxies to whatever your DNS resolves to.
- HTTPS endpoint: If your endpoint is already serving HTTPS, SSLforSaaS will connect to it securely and maintain end-to-end encryption.
This is the record your customers will point their custom domains to. It should be on your own domain — for example, ssl.yourplatform.com. Your customers will never see SSLforSaaS branding; they only interact with your CNAME.
In your domain registrar or DNS provider, create the following CNAME record pointing to the SSLforSaaS proxy network:
| Type | Name | Value | TTL |
|---|---|---|---|
| CNAME | ssl.yourplatform.com | my.sslforsaas.io | 300 |
Once the CNAME is live, return to your SSLforSaaS dashboard and enter your branded CNAME in Settings → Branded CNAME.
Once your setup is complete, you need to tell your customers how to point their custom domain to your platform. This involves adding a simple DNS record in their registrar. Provide them with clear instructions — the exact record depends on whether they're using an apex (root) domain or a subdomain.
For subdomains (e.g. app.customerdomain.com), your customers add a CNAME record:
| Type | Name | Value | TTL |
|---|---|---|---|
| CNAME | app | ssl.yourplatform.com | 300 |
For apex (root) domains (e.g. customerdomain.com), CNAME records are not allowed at the root — your customers must use an A record pointing directly to the SSLforSaaS IP:
| Type | Name | Value | TTL |
|---|---|---|---|
| A | @ | 142.93.54.52 | 300 |
The moment DNS propagates and traffic hits the SSLforSaaS network, certificate provisioning begins automatically. No webhook, no API call, no manual trigger required. Within seconds, the domain is fully secured with TLS 1.3.
While certificates are issued automatically on first traffic detection, you can also provision domains proactively via the REST API. This is recommended for platforms that know a customer's domain in advance — for example, when a customer enters their domain in your onboarding flow.
Base URL: https://api.sslforsaas.io/v2 — All requests require the `Authorization: Bearer sk_live_...` header.
```bash
# Provision a new custom domain for SSL
curl -X POST https://api.sslforsaas.io/v2/domains \
  -H "Authorization: Bearer sk_live_••••••••••••••••" \
  -H "Content-Type: application/json" \
  -d '{
    "domain": "app.customerdomain.com",
    "notify_webhook": true
  }'
```

Response (200 OK):

```json
{
  "id": "dom_9x2mKv...",
  "domain": "app.customerdomain.com",
  "status": "provisioning",
  "tls_version": "TLSv1.3",
  "created_at": "2026-04-10T09:41:26Z"
}
```
```javascript
const SSLforSaaS = require('@sslforsaas/node');

const client = new SSLforSaaS({
  apiKey: process.env.SSLFORSAAS_API_KEY
});

// Provision a domain when customer adds it in your UI
async function provisionDomain(customerDomain) {
  const domain = await client.domains.create({
    domain: customerDomain,
    notify_webhook: true
  });
  console.log(`Domain ${domain.id} status: ${domain.status}`);
  return domain;
}

// Check certificate status
// (wrapped in a function: top-level await is not available with require())
async function checkStatus() {
  const status = await client.domains.get('dom_9x2mKv...');
  // { status: 'active', tls_version: 'TLSv1.3', valid_until: '...' }
  return status;
}
```
```python
import os

import sslforsaas

# Read the key from the environment, as the Node.js and PHP examples do,
# instead of embedding it in source code.
client = sslforsaas.Client(
    api_key=os.environ["SSLFORSAAS_API_KEY"]
)

# Provision a new custom domain
domain = client.domains.create(
    domain="app.customerdomain.com",
    notify_webhook=True
)
print(f"Status: {domain.status}")  # provisioning

# Poll status (or use webhooks instead)
domain = client.domains.get(domain.id)
print(f"TLS: {domain.tls_version}")  # TLSv1.3

# List all active domains
domains = client.domains.list(status="active")
print(f"Active domains: {len(domains)}")
```

```php
<?php
use SSLforSaaS\Client;

$client = new Client([
    'api_key' => getenv('SSLFORSAAS_API_KEY')
]);

// Provision a new custom domain
$domain = $client->domains->create([
    'domain' => 'app.customerdomain.com',
    'notify_webhook' => true
]);

echo "Domain ID: " . $domain->id . "\n";
echo "Status: " . $domain->status . "\n";

// Revoke when customer removes their domain
$client->domains->delete($domain->id);
```
We recommend using webhooks rather than polling to know when a certificate becomes active. Configure your webhook endpoint in the dashboard under Settings → Webhooks.
```json
{
  "event": "certificate.issued",
  "timestamp": "2026-04-10T09:41:30Z",
  "data": {
    "domain_id": "dom_9x2mKv...",
    "domain": "app.customerdomain.com",
    "status": "active",
    "issuer": "Let's Encrypt",
    "tls_version": "TLSv1.3",
    "valid_until": "2026-07-09T09:41:30Z",
    "issued_in_ms": 4218
  }
}
```
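
This page does not say how webhook deliveries are authenticated, so a receiver should treat the body as untrusted input and act only on events that match a domain it provisioned itself. The handler below is an added example, not SSLforSaaS code; the `PROVISIONED` store, the `dom_example1` id and the returned status codes are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed local record of domains this platform asked to provision,
# keyed by the id returned from POST /v2/domains.
PROVISIONED = {
    "dom_example1": {"domain": "app.customerdomain.com", "status": "provisioning"},
}


def parse_ts(value):
    """Parse the timestamp format shown in the payload, e.g. 2026-04-10T09:41:30Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def handle_webhook(raw_body, now, store=PROVISIONED):
    """Return (http_status, reason); update the store only for a consistent event."""
    try:
        msg = json.loads(raw_body)
        event, data = msg["event"], msg["data"]
        dom_id, domain = data["domain_id"], data["domain"]
        valid_until = parse_ts(data["valid_until"])
    except (ValueError, KeyError, TypeError):
        return 400, "malformed payload"
    if event != "certificate.issued":
        return 204, "event ignored"
    record = store.get(dom_id) if isinstance(dom_id, str) else None
    if record is None or record["domain"] != domain:
        return 404, "unknown domain"  # never activate a domain we did not request
    if data.get("status") != "active" or valid_until <= now:
        return 422, "inconsistent certificate state"
    if record["status"] == "active":
        return 200, "duplicate delivery"  # retries must be idempotent
    record["status"] = "active"
    record["valid_until"] = valid_until
    return 200, "activated"
```

Before marking a tenant's domain as live, the result can also be confirmed with `client.domains.get(...)` from the SDK examples above, so that a forged delivery alone never changes state.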
Once your core setup is running, SSLforSaaS offers several advanced options to fine-tune how traffic is handled, secured, and routed. These are optional but recommended for production deployments.
- Change your default Certificate Authority: Switch between Let's Encrypt and ZeroSSL, or configure SSLforSaaS to prefer one and fall back to the other. Navigate to Settings → Certificate Authority in your dashboard.
- Cloudflare-proxied CNAME: If your customers use Cloudflare and proxy their CNAME through it (orange cloud), enable Cloudflare Proxy Support in your settings. SSLforSaaS adjusts its validation method automatically.
- Custom request headers: Attach custom HTTP headers to every proxied request — for example, pass an X-Customer-Domain header to your application so it knows which tenant is being served.
- URL rewriting: Configure path rewrites when proxying to your endpoint. For example, map all traffic from /app/* to a different backend path on your application server.
- Upload custom SSL certificates: For enterprise customers with existing certificate contracts, upload your own certificate and private key via the dashboard or API. Custom certificates coexist alongside automatically managed ones.
X-Customer-Domain: {domain} as a dynamic header — SSLforSaaS will replace {domain} with the actual customer domain on each request.
```bash
curl -X PATCH https://api.sslforsaas.io/v2/settings \
  -H "Authorization: Bearer sk_live_••••••••••••••••" \
  -H "Content-Type: application/json" \
  -d '{
    "custom_headers": [
      { "name": "X-Customer-Domain", "value": "{domain}" },
      { "name": "X-SSLforSaaS-Verified", "value": "true" }
    ],
    "preferred_ca": "letsencrypt",
    "fallback_ca": "zerossl",
    "cloudflare_proxy": false
  }'
```
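
On the application side, `X-Customer-Domain` selects the tenant, so it should be honored only on requests that actually arrived through the proxy; a client that reaches the origin directly can set the header to any value. The resolver below is an added example, not SSLforSaaS code. The trusted proxy range (a documentation-only placeholder, since this page does not list the addresses the proxy connects from) and the tenant table are assumptions.

```python
import ipaddress

# Assumption: source ranges the proxy uses to reach your origin. Placeholder
# documentation range; replace with the addresses your provider publishes.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed tenant table: custom domain -> tenant id, as stored at onboarding.
TENANTS = {"app.customerdomain.com": "tenant_42"}


def normalize_host(value):
    """Lower-case, drop trailing dot and port; None if not a plain hostname."""
    if not value or len(value) > 253:
        return None
    host = value.strip().lower().rstrip(".")
    if host.count(":") == 1:
        host, _, port = host.partition(":")
        if not port.isdigit():
            return None
    labels = host.split(".")
    if len(labels) < 2:
        return None
    for label in labels:
        if not label or len(label) > 63 or label[0] == "-" or label[-1] == "-":
            return None
        if not all((c.isascii() and c.isalnum()) or c == "-" for c in label):
            return None
    return host


def resolve_tenant(peer_ip, headers):
    """Return the tenant id, or None when the request must be rejected.

    peer_ip is the TCP peer address; headers is a list of (name, value) pairs.
    """
    try:
        peer = ipaddress.ip_address(peer_ip)
    except ValueError:
        return None
    if not any(peer in net for net in TRUSTED_PROXIES):
        return None  # direct-to-origin request: the header is client-controlled
    values = [v for k, v in headers if k.lower() == "x-customer-domain"]
    if len(values) != 1:
        return None  # a missing or duplicated header is ambiguous
    host = normalize_host(values[0])
    return TENANTS.get(host) if host else None
```

The same reasoning applies to a static header such as `X-SSLforSaaS-Verified: true`: it carries weight only if the origin accepts connections from the proxy alone, for example through a firewall rule.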