Tools Learn Login Sign up
Version 1.0 — published 15 July 2026

The MySSL API Stability & Longevity Pledge

Applies to every public, documented MySSL endpoint: GET /headers/check and everything under /api/v1/.

📌
Why this page exists

In April 2026, the securityheaders.com API was discontinued after the service changed owners. It had years of goodwill and thousands of integrations — and most of its users found out from a failing pipeline, because a year of notice on a blog is no notice at all to a cron job.

Many of our API users came to us directly from that shutdown. Telling them "trust us, we're different" would be worthless — trust in intentions is exactly what just failed them. So this page commits us to a mechanism instead. It is versioned, dated, and any change to it gets a changelog entry.

🤝
The six commitments

1. A permanently free tier.

Anonymous GET /headers/check stays free for basic, on-demand checks, and free accounts keep a working API key. We may tune rate limits to control abuse, but free basic access is permanent. Paid tiers exist for volume, automation and retention — never as a wall in front of a basic result.

2. Versioned endpoints that don't change shape under you.

The /api/v1 prefix means what it says: we add endpoints and fields without breaking existing integrations. Backwards-incompatible changes only ever ship under a new version prefix.

3. A successor ships before anything is removed.

If we ever deprecate a public endpoint, a documented, working replacement is live before the deprecation is announced. Migration is a choice you make on your schedule — never a scramble.

4. At least 12 months' notice.

From deprecation announcement to shutdown of any public endpoint: a minimum of twelve months. Announced in the API changelog and by email to every affected API-key holder.

5. Machines get told, not just humans.

Deprecated endpoints will send Deprecation and Sunset HTTP headers on every response for the entire notice period — so a headless CI job or monitoring script can detect the change in-band, from the response itself. This is the specific failure of the shutdown that stranded everyone: we consider a deprecation your pipeline can't see to be no deprecation notice at all.

6. Your data leaves with you.

Your domain list and configuration are exportable. If you go, you go with your data and without tricks.

⚖️
What we don't promise — read this part

We will not promise that MySSL will never be acquired, never change, or never shut down. Nobody can honestly promise that, and the service you may have migrated from is proof. What we commit to is that the six mechanisms above bind any future of this product, including a wind-down: if MySSL were ever to shut down entirely, the free API would stay up for the full notice period, with in-band Sunset headers, and we would publish honest migration guidance to alternatives — including competitors.

A promise you can verify beats a promise you have to believe.

🔍
Holding us to it

  • This page is versioned and dated; any edit to the pledge itself is recorded in the API changelog with a diff-level description.
  • The current API surface and rate limits are documented at /docs/api and /security-headers/api.
  • Something look off? Tell us: support@myssl.info — or say it publicly. A trust pledge that can't survive public scrutiny isn't one.

Migrate once, calmly.

One-line migration from the securityheaders.com API, field mapping included: the migration guide.

Get a free API key

Report a bug

We're new and growing — your feedback helps us improve.

Click to upload, or paste (Ctrl+V) an image