SSL Doctor — live TLS/SSL certificate health check (MCP + x402)

Give it a hostname; it opens a real TLS connection and tells you whether the certificate is healthy before you trust the endpoint:

• Expiry — exact days left, and a warning while there's still time to renew.

• Hostname match — does the cert's CN/SAN actually cover this host?

• Trust — is the chain trusted, or self-signed / missing an intermediate?

• Verdict — HEALTHY / WARN / CRITICAL + a risk score.

An AI agent can't do a live TLS handshake from a chat. This MCP can — that's the moat.

Two tiers

The deep tier runs server-side only behind payment — it never ships in the installed package, so it can't be used for free.

Related MCP server: MCP Security Tools Suite

Pay (dual lane)

• x402 (USDC on Base) — AI agents pay per call automatically. No signup, no key.

• Stripe — humans buy a prepaid API key at /pro/checkout, then set SSL_DOCTOR_KEY in the MCP env (or send Authorization: Bearer <key>).

Either lane unlocks the same deep result.

Use as an MCP

{
  "mcpServers": {
    "ssl-doctor": {
      "command": "npx",
      "args": ["-y", "ssl-doctor-mcp"],
      "env": { "SSL_DOCTOR_KEY": "ssl_optional-for-deep" }
    }
  }
}

Tool: check_ssl — { target: "example.com", deep?: true }. The free verdict needs no key; deep=true is the premium tier.

HTTP API

• GET /run?target=example.com — free verdict (rate-limited 30/h/IP).

• GET /pro/run?target=example.com — deep tier (x402 USDC or prepaid key).

• POST /mcp — MCP-over-HTTP.

• GET /health, GET /openapi.json, GET /.well-known/x402.

Honesty

A live, point-in-time check via Node's TLS stack. Not a full cipher-enumeration audit; it flags the failure modes that actually break client trust or cause an outage (expiry, mismatch, untrusted chain, weak protocol). Read-only.

MIT (c) Baneado98