Skip to main content
Claude Code plugin

SSL/TLS monitoring without leaving your editor

Free scans, free Let's Encrypt issuance via Beacon, and ongoing certificate monitoring — all from inside Claude Code. No API keys to copy and paste; authentication uses standard OAuth 2.0.

Install plugin View on GitHub

Open source · MIT licensed · No telemetry from the plugin itself

Five commands, one funnel

Each command maps to one MCP tool. Most work without an account; monitoring asks for OAuth consent once.

/tls-scan example.com Free

Free, anonymous SSL/TLS scan. Returns issuer, expiry, vulnerabilities, and a shareable report URL. No login.

/tls-cert mydomain.dev Free

Issue a free 90-day Let's Encrypt certificate via Beacon. Guides you through DNS validation and returns a PKCS#12 bundle.

/mcp Auth

Built-in Claude Code command. Picks the tlsradar server, opens your browser for OAuth consent, stores the token. Run once.

/tls-monitor add api.foo.io Account

Add a domain to ongoing monitoring. Free plan watches 1 domain and alerts at 7 days before expiry.

/tls-expiring Account

What certs are expiring soon across your monitors? Defaults to a 30-day window, sorted by days remaining.

/tls-status Account

Plan tier, monitors used, alerts used, scans today. Useful for deciding when to upgrade.

Auth uses standard OAuth — no API keys to manage

The plugin is pure configuration. Claude Code's built-in /mcp command handles the OAuth dance.

  1. 1

    Discovery

    Claude Code fetches /.well-known/oauth-authorization-server from tlsradar.com to learn the endpoints and supported scopes.

  2. 2

    Self-registration

    The plugin auto-registers as a public OAuth client via RFC 7591. No manual API key creation, no app submissions.

  3. 3

    Consent

    Your browser opens to tlsradar.com/oauth/authorize. You see the requested scopes (read, write) and approve. Sign up here if you're new — plugin signups go directly to the free plan, no trial.

  4. 4

    Token exchange

    Authorization code + PKCE (S256) exchanges for a bearer token. Refresh tokens rotate on use.

  5. 5

    You're done

    Subsequent requests carry the bearer token automatically. Revoke any time at tlsradar.com/oauth/authorized_applications.

Free plan covers most solo developers

1
monitored domain
7 days
expiry warning window
Unlimited
free anonymous scans
Unlimited
Beacon cert issuance

Need more? Compare plans — Starter ($9.99/mo) unlocks 10 monitors and hourly checks.

Install

// Clone the plugin into Claude Code's plugin directory
git clone https://github.com/TLS-Radar/tlsradar-claude-plugin \
    ~/.claude/plugins/tlsradar
// Then in Claude Code:
/mcp

No compiler, no Go toolchain, no ~/.local/bin setup. The plugin is pure config that Claude Code reads directly.

Beacon plugin token

Required for /tls-cert and /tls-renew to run inline. Without it those commands fall back to opening Beacon's web form — same cert, just in your browser.

Current token

e986a25644ad0398a927c8db53b63d0f9f92868379124578bac7837ddc0d1acb

Set it in your shell

export BEACON_PLUGIN_TOKEN="..."

The token is a traffic-identification cookie, not a secret — Beacon uses it for per-source rate limiting. The cert you receive belongs to whoever controls the domain (validated via DNS).