Skip to main content
An expired TLS certificate or a quietly changed DNS record can take a service offline or redirect traffic without any obvious signal. TLS monitors check your certificates on a regular interval and warn you before they expire. DNS monitors verify that the records for a hostname remain exactly as expected, alerting you if a record goes missing or its value changes.

TLS monitors

A TLS monitor connects to a host and port, retrieves the TLS certificate, and evaluates its validity and time to expiry. No HTTP request is made — the check is purely at the TLS handshake level.

Config fields

host
string
required
The hostname whose certificate you want to monitor. For example, api.example.com.
port
number
default:"443"
The port to connect to. Defaults to 443. Set this to a non-standard port if your service uses one.
interval
number
required
How often to run the check, in seconds.

Status values

StatusMeaning
activeCertificate is valid and not close to expiry.
expiring_soonCertificate is valid but approaching its expiration date.
expiredCertificate has passed its expiration date.
no_certNo TLS certificate was found, or the TLS handshake failed.
The threshold for expiring_soon is determined by configurable warning levels. Overwatch will alert you with enough lead time to renew the certificate before any service impact.

Create a TLS monitor

curl -X POST https://overwatchapp.dev/api/v1/monitors \
  -H "Authorization: Bearer ow_live_sk_<secret>" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "api.example.com certificate",
    "type": "TLS",
    "config": {
      "host": "api.example.com",
      "port": 443,
      "interval": 3600
    }
  }'
Certificate expiry doesn’t change minute-to-minute. An interval of 3600 seconds (1 hour) or higher is usually sufficient for TLS monitors, which reduces unnecessary check volume.

DNS monitors

A DNS monitor resolves a hostname and checks whether the expected records are present and unchanged. If the record disappears or its value is different from what Overwatch last saw, the status changes accordingly.

Config fields

hostname
string
required
The fully qualified domain name to resolve. For example, app.example.com.
interval
number
required
How often to run the check, in seconds.

Status values

StatusMeaning
presentThe DNS record resolves as expected.
missingThe DNS record could not be resolved.
changedThe DNS record resolved, but its value differs from what was previously recorded.

Create a DNS monitor

curl -X POST https://overwatchapp.dev/api/v1/monitors \
  -H "Authorization: Bearer ow_live_sk_<secret>" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "app.example.com DNS",
    "type": "DNS",
    "config": {
      "hostname": "app.example.com",
      "interval": 300
    }
  }'

Check intervals and plan limits

Check intervals for TLS and DNS monitors follow the same plan-based minimums as HTTP and TCP monitors.
PlanMinimum interval
Starter5 minutes (300 s)
Pro1 minute (60 s)
Enterprise10 seconds
Enterprise plans support 10-second check intervals for all monitor types, including TLS and DNS. Contact us to discuss Enterprise pricing if you need high-frequency certificate or DNS checks.