CT Monitor
pro/v1/domain/ct-monitor
Searches Certificate Transparency logs (RFC 6962/9162) via crt.sh for recent TLS certificates issued for a domain or wildcard. Surfaces unauthorized-issuance signals (issuer outside CAA-authorized set, sudden cert surge, unexpected wildcard) and provides recommendations to harden cert issuance hygiene.
What It Does
Queries the crt.sh JSON endpoint (free, no key) for cert history within a configurable window. Optional `include_subdomains=true` switches to wildcard-prefix search to surface certs issued for any subdomain. Returns full per-cert details (issuer, validity, SANs), aggregate stats (unique issuers, recent 30-day count, earliest/latest dates), an `alerts` array (severity-tagged signals), and remediation recommendations. Foundation for future webhook notifications.
Why It's Useful
CT logs are the canonical record of "every cert ever issued for my domain" and the leading early-warning signal for DNS hijacking, phishing infra staging, and shadow-IT issuance. This endpoint productizes the manual crt.sh workflow with alert thresholds and remediation guidance, eliminating the need for security teams to build their own CT-monitoring tooling.
Use Cases
Unauthorized Issuance Detection
Run a daily CT scan on all owned domains and alert when a cert appears from a CA outside your CAA-approved list — the canonical signal that an attacker has gained cert-issuance capability.
Detect CA-based attacks (DNS hijacks, BGP MITM, internal credential abuse) within hours of issuance, before traffic interception begins.
Phishing-Infra Early Warning
Monitor CT logs for typosquat variants of your brand — squatters frequently obtain Let's Encrypt certs days before launching campaigns.
File takedown requests during the prep window, denying the attacker the activation moment.
CAA Hygiene Audit
Compare actual CT issuers vs your published CAA records — a mismatch indicates either a CAA misconfiguration or an unauthorized issuance pathway.
Close the gap between policy (CAA) and reality (CT logs).
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| domain | string | Required | The domain to monitor. Example: example.com |
| include_subdomains | string | Optional | When `true` (default), query CT for `%.<domain>` (wildcard subdomain match). Set to `false` to query the bare apex only. Example: true |
| limit | string | Optional | Max certs to return (1-200, default 50). Example: 50 |
Response Fields
| Field | Type | Description |
|---|---|---|
| domain | string | The queried domain |
| scope | string | "apex" or "apex_and_subdomains" |
| total_certs | number | Number of certs returned |
| certs | array | Per-cert details: issuer, issuer_org, not_before, not_after, sans[], id |
| unique_issuers | array | Distinct issuer organization names across results |
| most_recent | string | ISO timestamp of most-recently-issued cert |
| earliest | string | ISO timestamp of earliest cert in the window |
| recent_30d_count | number | Cert-issuance count in the last 30 days |
| alerts | array | Severity-tagged alerts (cert_surge, wildcard_present, unexpected_issuer, issuer_sprawl) |
| recommendations | array | Remediation steps for the surfaced alerts |
Code Examples
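```bash
# -G sends the -d data as a query string on a GET request,
# matching the JavaScript and Python examples.
curl -G "https://api.edgedns.dev/v1/domain/ct-monitor" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -d "domain=example.com"
```

```javascript
// Query the CT Monitor endpoint for example.com
const response = await fetch(
  'https://api.edgedns.dev/v1/domain/ct-monitor?domain=example.com',
  {
    headers: {
      'Authorization': 'Bearer YOUR_API_KEY'
    }
  }
);
const data = await response.json();
console.log(data);
```

```python
import requests

# Query the CT Monitor endpoint for example.com
response = requests.get(
    'https://api.edgedns.dev/v1/domain/ct-monitor',
    headers={'Authorization': 'Bearer YOUR_API_KEY'},
    params={
        'domain': 'example.com'
    },
    timeout=10,  # do not hang indefinitely on a slow upstream
)
response.raise_for_status()  # surface HTTP errors instead of parsing an error body
data = response.json()
print(data)
```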
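An added example, not part of this API's own documentation: a local triage pass over the response for the daily-scan and CAA-audit use cases described above. It uses only the documented `certs` fields; the approved-issuer set, the `seen_ids` state from earlier runs, and the sample response are assumptions constructed for illustration.

```python
# Added example: local triage of a CT Monitor response (constructed data).
# Assumption: issuer_org values your CAA policy maps to. CAA records name CA
# domains, so this organisation-name allowlist is maintained by hand.
APPROVED_ISSUER_ORGS = {"Let's Encrypt"}

# Constructed sample shaped like the documented response fields.
SAMPLE = {
    "domain": "example.com",
    "scope": "apex_and_subdomains",
    "certs": [
        {"id": 1001, "issuer_org": "Let's Encrypt",
         "not_before": "2025-01-10T00:00:00Z", "sans": ["www.example.com"]},
        {"id": 1002, "issuer_org": "Example Unknown CA",
         "not_before": "2025-01-11T00:00:00Z", "sans": ["login.example.com"]},
        {"id": 1003, "issuer_org": "Let's Encrypt",
         "not_before": "2025-01-12T00:00:00Z",
         "sans": ["*.example.com", "example.com"]},
    ],
}


def audit_ct_response(data, approved_orgs, seen_ids=frozenset()):
    """Flag certs not triaged before that have an unapproved issuer or a wildcard SAN."""
    approved = {org.casefold() for org in approved_orgs}
    findings = []
    for cert in data.get("certs", []):
        if cert["id"] in seen_ids:
            continue  # already reviewed on an earlier daily run
        reasons = []
        if (cert.get("issuer_org") or "").casefold() not in approved:
            reasons.append("unexpected_issuer")
        if any(san.startswith("*.") for san in cert.get("sans", [])):
            reasons.append("wildcard_present")
        if reasons:
            findings.append({"id": cert["id"],
                             "issuer_org": cert.get("issuer_org"),
                             "sans": cert.get("sans", []),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_ct_response(SAMPLE, APPROVED_ISSUER_ORGS):
        print(finding)
```

Persist the `id` of every cert you have reviewed and pass that set as `seen_ids` on the next run, so a daily job only raises certs logged since the last scan.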