Domain Portfolio Management API: Monitor Expiry, DNS, SSL and Availability

Introduction

The domain outage rarely starts with a dramatic breach. It starts with a quiet asset nobody owns anymore: a redirect domain from an old campaign, a country-code domain registered by a local agency, or a legacy acquisition domain still used by customers, partners, email, SSO, or documentation.

By the time someone notices, the technical question is painfully simple: when did the domain expire, who controls the registrar account, did the nameservers change, is the SSL certificate still valid, and which DNS records are actually live? A spreadsheet can hold a list of domains. It cannot reliably answer those questions at the moment the business needs them.

A domain portfolio management API turns those scattered assets into a live inventory. Instead of manually checking registrars, DNS panels and certificate details, you query the domain layer directly with the WHOIS API, DNS Lookup API, SSL Certificate API, Domain Availability API and Domain Monitoring. The goal is not only security. It is operational control.

What Is Domain Portfolio Management?

Domain portfolio management is the process of keeping an accurate, current record of every domain your organization owns, uses, redirects, protects, or depends on.

A useful portfolio record is more than the domain name. It should include the registrar, creation date, expiration date, EPP status, nameservers, DNS records, SSL certificate state, business owner, renewal process, and monitoring status. For strategic brand variants, it should also track whether the domain is available, already registered, or actively resolving with a domain availability API.

The practical shift: a spreadsheet tells you what someone knew last quarter. An API-backed inventory tells you what is true now.

Why Spreadsheets Fail for Domain Inventory

Spreadsheets are useful for ownership notes, cost centers and internal contacts. They are weak at fields that change without asking permission. If expiry is your main risk, start with the domain expiry lifecycle. If configuration drift is the issue, your inventory needs regular DNS lookup checks.

Expiration dates move: auto-renewal, transfer and registrar changes can alter renewal assumptions.
DNS records drift: product launches, migrations and vendor changes modify A, MX, TXT, CAA and CNAME records.
SSL certificates rotate: issuers, SAN coverage, fingerprints and expiry dates change over time.
Teams forget domains: acquisitions, campaigns, parked domains and country-code domains often outlive the project that created them.
Risk is contextual: a domain expiring in 20 days is a warning; a domain expiring in 20 days that handles SSO is an incident.

API-based domain asset management does not remove the spreadsheet entirely. It makes the spreadsheet the business layer, while the technical state is refreshed automatically from authoritative public signals.

The schema below covers the minimum fields you need to answer those operational questions reliably.

What to Track for Every Domain

Start with a small schema that is easy to refresh and easy to explain to operations, security, marketing and finance.

Field	Source	Why it matters
Registrar	`/whois`	Shows where renewal, transfer lock and ownership controls live.
Expiration date	`/whois`	Prevents accidental domain loss and supports renewal planning.
EPP status	`/whois`	Flags transfer locks, holds, redemption and pending delete states.
Nameservers	`/whois` and `/nslookup`	Confirms which DNS provider controls the zone.
A, AAAA and CNAME records	`/nslookup`	Reveals active web, app and third-party service dependencies.
MX, TXT, DMARC and CAA records	`/nslookup`	Tracks email routing, email security and certificate issuance policy.
SSL expiry, issuer and SANs	`/ssl-cert-check`	Prevents HTTPS outages and catches unexpected certificate changes.
Availability of variants	`/domain-availability`	Supports defensive registration, naming research and brand operations.
Monitoring status	Domain Monitoring	Records whether changes trigger email or webhook alerts.

API Workflow for a Live Domain Inventory

The WhoisJSON OpenAPI file documents the production base URL as https://whoisjson.com/api/v1 and API authentication through the Authorization: TOKEN=YOUR_API_KEY header. For a portfolio workflow, keep the first pass simple.

WHOIS and expirycURL

curl "https://whoisjson.com/api/v1/whois?domain=example.com" \
  -H "Authorization: TOKEN=YOUR_API_KEY"

DNS inventorycURL

curl "https://whoisjson.com/api/v1/nslookup?domain=example.com" \
  -H "Authorization: TOKEN=YOUR_API_KEY"

SSL certificate statecURL

curl "https://whoisjson.com/api/v1/ssl-cert-check?domain=example.com" \
  -H "Authorization: TOKEN=YOUR_API_KEY"

Store the response timestamp with every refresh. The value of domain inventory is not only the current state, but the ability to prove when a field changed.

Expiration Monitoring Is the First Win

Domain expiration is the easiest domain operations risk to justify. A missed renewal can take down a website, email, login flow, API callback, landing page, redirect chain, or internal service. The detailed lifecycle is covered in what happens when a domain expires, but portfolio teams need a simpler operating rule: every important domain needs an owner, a renewal path and an alert threshold.

90 days: confirm ownership, registrar access and renewal budget.
60 days: verify auto-renewal, payment method and business owner.
30 days: escalate if the domain is critical or renewal is uncertain.
14 days: treat uncertainty as an operational incident.
7 days: require named accountability and daily tracking.

Expiry is also a useful priority signal. A parked campaign domain expiring in 45 days is not the same as an SSO domain expiring in 45 days. Your inventory should carry both technical data and business criticality.

DNS Inventory: Find Configuration Drift

DNS inventory answers a practical question: what does this domain currently do?

The DNS Lookup API guide covers generic record querying. For domain portfolio management, focus on drift and ownership.

NS changes can indicate a DNS provider migration or unauthorized control change.
MX changes affect inbound email and vendor dependencies.
TXT records often include verification tokens, SPF policy and third-party services.
DMARC shows whether the domain has an email authentication policy.
CAA restricts which certificate authorities can issue certificates for the domain.
CNAME records reveal SaaS dependencies and possible dangling integrations.

Record the expected provider for high-value domains. A nameserver or MX change may be normal during a migration, but it should still match a planned change.

SSL Inventory: Prevent Certificate Surprises

SSL certificate inventory belongs in domain portfolio management because certificate failure looks like a site outage to users. The SSL certificate monitoring guide goes deep on expiry and fingerprint changes; your portfolio view should summarize the fields that operations needs.

Certificate validity and days until expiry.
Issuer organization.
Subject Alternative Names for covered hostnames.
Fingerprints for detecting unexpected replacement.
Whether the certificate is currently valid for the queried host.

A valid certificate is not a complete health check, but an invalid or expiring certificate is a clear operational risk. Combine SSL inventory with DNS records so the team can understand which hosts are actually active.

Availability Checks for Variants and Defensive Domains

Portfolio management is mostly about domains you already own. Availability checks add the forward-looking layer: which domains should you register, protect, or watch?

Use the domain availability API guide when you need to check candidate names at scale. In a portfolio workflow, good candidates include:

Product names and upcoming feature names.
Country-code variants for markets you operate in.
Common hyphenated and plural forms.
Campaign domains before launch.
Defensive domains that reduce customer confusion.

Do not turn availability into automatic registration. Use it as an input for legal, brand and product decisions.

Scheduled Checks vs Domain Monitoring

A scheduled inventory job is enough for low-risk domains. Critical domains need alerts.

Use case	Better approach	Reason
Monthly portfolio reporting	Scheduled API refresh	Cost-effective and easy to archive.
Critical production domain	Domain Monitoring	WHOIS, DNS or SSL changes should trigger alerts.
M&A domain audit	Scheduled API refresh	Snapshot and evidence matter more than real-time alerting.
SSO, payment or email domain	Domain Monitoring	Unplanned changes can become incidents quickly.
Brand variants	Availability sweep plus enrichment	Check availability first, enrich only registered variants.

For a security-oriented version of this workflow, see domain monitoring for security teams. Portfolio management uses many of the same signals, but the operating goal is broader: ownership, renewal, accountability and continuity.

Example Portfolio Pipeline

A first version can be small and useful. Start with a list of domains, enrich each domain, store the normalized fields, then alert only on high-impact changes.

Portfolio enrichmentPython

import requests

API_KEY = "YOUR_API_KEY"
BASE_URL = "https://whoisjson.com/api/v1"
HEADERS = {"Authorization": f"TOKEN={API_KEY}"}

def get_json(path, **params):
    # Add retry/backoff around 429 and transient 5xx responses in production.
    response = requests.get(
        f"{BASE_URL}/{path}",
        headers=HEADERS,
        params=params,
        timeout=20,
    )
    response.raise_for_status()
    return response.json()

def enrich_domain(domain):
    whois = get_json("whois", domain=domain)
    dns = get_json("nslookup", domain=domain)
    ssl = get_json("ssl-cert-check", domain=domain)

    return {
        "domain": domain,
        "registrar": whois.get("registrar", {}).get("name"),
        "expires": whois.get("expires"),
        "status": whois.get("status", []),
        "nameservers": whois.get("nameserver", []),
        "dns_records": dns,
        "ssl_valid_to": ssl.get("valid_to"),
        "ssl_issuer": ssl.get("issuer", {}),
        "ssl_valid": ssl.get("valid"),
    }

portfolio = ["example.com", "example.net"]
inventory = [enrich_domain(domain) for domain in portfolio]
print(inventory)

In production, add explicit retries, backoff and quota handling. Every response includes a Remaining-Requests header, and the rate limits and retries guide explains how to handle 429 responses cleanly.

Add Business Ownership to Technical Data

API data tells you the state of the domain. It does not tell you who is accountable. A useful domain portfolio record should combine both.

Business owner or team.
Technical owner or Slack channel.
Registrar account owner.
Renewal budget owner.
Criticality tier.
Known purpose: production, redirect, campaign, defensive, parked, legacy, vendor, test.
Monitoring requirement: none, scheduled, email alerts, webhook alerts.

This is where domain portfolio management becomes durable. Technical signals change; ownership makes those changes actionable.

FAQ

How many API calls does a portfolio of 500 domains need?

A basic refresh with WHOIS, DNS and SSL data needs three calls per domain, so 500 domains require about 1,500 API calls per full sweep. You can reduce usage by checking low-risk parked domains less often, moving critical domains into monitoring, and running availability checks only for variants or candidates.

How often should I refresh a domain inventory?

Refresh critical production, SSO, payment and email domains daily or move them into monitoring. Refresh ordinary owned domains weekly or monthly, and use longer intervals for parked or defensive domains unless they are close to expiration.

What is the first domain portfolio check to automate?

Start with expiration date, registrar and nameserver data from WHOIS/RDAP. These fields answer the highest-impact operational questions: who controls the domain, when can it be lost, and which DNS provider is authoritative.

When should I use monitoring instead of scheduled checks?

Use monitoring for domains where an unexpected WHOIS, DNS or SSL change should trigger action immediately: primary website, login, SSO, payment, email, API callback and customer-facing product domains. Use scheduled checks for reporting, audits and lower-risk domains.

Conclusion

Domain portfolio management is the operational layer between domain security and business continuity. It helps teams answer simple but critical questions: which domains do we own, who owns them internally, when do they expire, what DNS and SSL state do they expose, and which changes should trigger action?

The first version does not need to be complex. Start with WHOIS expiry and registrar data, add DNS and SSL inventory, check availability for strategic variants, then move critical domains into monitoring. That turns a fragile spreadsheet into a living domain operations system.

Start with your 10 most critical domains

Run a first inventory on the domains that would hurt most if they expired, changed DNS, or lost HTTPS: WHOIS, DNS and SSL in one pass. The free plan is enough to test that workflow before scaling it to the full portfolio.

Start free Read the docs