diff --git a/internal/api/v1/cert/info.go b/internal/api/v1/cert/info.go
index 412642e7..8e7ffffc 100644
--- a/internal/api/v1/cert/info.go
+++ b/internal/api/v1/cert/info.go
@@ -6,6 +6,7 @@ import (
 "github.com/gin-gonic/gin"
 "github.com/yusing/godoxy/internal/autocert"
+ autocertctx "github.com/yusing/godoxy/internal/autocert/types"
 apitypes "github.com/yusing/goutils/apitypes"
 )
@@ -21,7 +22,7 @@ import (
 // @Failure 500 {object} apitypes.ErrorResponse "Internal server error"
 // @Router /cert/info [get]
 func Info(c *gin.Context) {
- provider := autocert.ActiveProvider.Load()
+ provider := autocertctx.FromCtx(c.Request.Context())
 if provider == nil {
 c.JSON(http.StatusNotFound, apitypes.Error("autocert is not enabled"))
 return
diff --git a/internal/api/v1/cert/renew.go b/internal/api/v1/cert/renew.go
index d81e2562..33232aeb 100644
--- a/internal/api/v1/cert/renew.go
+++ b/internal/api/v1/cert/renew.go
@@ -6,7 +6,7 @@ import (
 "github.com/gin-gonic/gin"
 "github.com/rs/zerolog/log"
- "github.com/yusing/godoxy/internal/autocert"
+ autocertctx "github.com/yusing/godoxy/internal/autocert/types"
 "github.com/yusing/godoxy/internal/logging/memlogger"
 apitypes "github.com/yusing/goutils/apitypes"
 "github.com/yusing/goutils/http/websocket"
@@ -23,8 +23,8 @@ import (
 // @Failure 500 {object} apitypes.ErrorResponse
 // @Router /cert/renew [get]
 func Renew(c *gin.Context) {
- autocert := autocert.ActiveProvider.Load()
- if autocert == nil {
+ provider := autocertctx.FromCtx(c.Request.Context())
+ if provider == nil {
 c.JSON(http.StatusNotFound, apitypes.Error("autocert is not enabled"))
 return
 }
@@ -59,7 +59,7 @@ func Renew(c *gin.Context) {
 }()
 // renewal happens in background
- ok := autocert.ForceExpiryAll()
+ ok := provider.ForceExpiryAll()
 if !ok {
 log.Error().Msg("cert renewal already in progress")
 time.Sleep(1 * time.Second) // wait for the log above to be sent
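Review bot: The `provider == nil` guard in `Info` no longer tests a `*Provider` from `ActiveProvider.Load()` but whatever `FromCtx` returns, which (given the methods called on it in renew.go) is presumably the `Provider` interface from the types package. An interface that wraps a nil `*Provider` compares unequal to nil, so if the code that attaches the provider to the request context can be handed a nil pointer, the guard passes and the handler goes on to call methods on a nil receiver. `FromCtx` and that setter are not in this diff, so please confirm the setter stores nothing when autocert is disabled, and consider a comment above the lookup such as `// nil when no provider was attached to the request context`. The identical lookup and guard are added to `Renew` in renew.go; the body of `Info` continues outside the hunk.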
@@ -67,5 +67,5 @@ func Renew(c *gin.Context) {
 }
 log.Info().Msg("cert force renewal requested")
- autocert.WaitRenewalDone(manager.Context())
+ provider.WaitRenewalDone(manager.Context())
 }
diff --git a/internal/autocert/provider.go b/internal/autocert/provider.go
index b870981b..336d9a62 100644
--- a/internal/autocert/provider.go
+++ b/internal/autocert/provider.go
@@ -22,6 +22,7 @@ import (
 "github.com/go-acme/lego/v4/registration"
 "github.com/rs/zerolog"
 "github.com/rs/zerolog/log"
+ autocert "github.com/yusing/godoxy/internal/autocert/types"
 "github.com/yusing/godoxy/internal/common"
 "github.com/yusing/godoxy/internal/notif"
 gperr "github.com/yusing/goutils/errs"
@@ -56,15 +57,6 @@ type (
 CertExpiries map[string]time.Time
- CertInfo struct {
- Subject string `json:"subject"`
- Issuer string `json:"issuer"`
- NotBefore int64 `json:"not_before"`
- NotAfter int64 `json:"not_after"`
- DNSNames []string `json:"dns_names"`
- EmailAddresses []string `json:"email_addresses"`
- } // @name CertInfo
-
 RenewMode uint8
 )
@@ -82,9 +74,6 @@ const (
 renewModeIfNeeded
 )
-// could be nil
-var ActiveProvider atomic.Pointer[Provider]
-
 func NewProvider(cfg *Config, user *User, legoCfg *lego.Config) (*Provider, error) {
 p := &Provider{
 cfg: cfg,
@@ -119,14 +108,14 @@ func (p *Provider) GetCert(hello *tls.ClientHelloInfo) (*tls.Certificate, error)
 return p.tlsCert, nil
 }
-func (p *Provider) GetCertInfos() ([]CertInfo, error) {
+func (p *Provider) GetCertInfos() ([]autocert.CertInfo, error) {
 allProviders := p.allProviders()
- certInfos := make([]CertInfo, 0, len(allProviders))
+ certInfos := make([]autocert.CertInfo, 0, len(allProviders))
 for _, provider := range allProviders {
 if provider.tlsCert == nil {
 continue
 }
- certInfos = append(certInfos, CertInfo{
+ certInfos = append(certInfos, autocert.CertInfo{
 Subject: provider.tlsCert.Leaf.Subject.CommonName,
 Issuer: provider.tlsCert.Leaf.Issuer.CommonName,
 NotBefore: provider.tlsCert.Leaf.NotBefore.Unix(),
diff --git a/internal/autocert/types/cert_info.go b/internal/autocert/types/cert_info.go
new file mode 100644
index 00000000..cd6ccbdd
--- /dev/null
+++ b/internal/autocert/types/cert_info.go
@@ -0,0 +1,10 @@
+package autocert
+
+type CertInfo struct {
+ Subject string `json:"subject"`
+ Issuer string `json:"issuer"`
+ NotBefore int64 `json:"not_before"`
+ NotAfter int64 `json:"not_after"`
+ DNSNames []string `json:"dns_names"`
+ EmailAddresses []string `json:"email_addresses"`
+} // @name CertInfo
diff --git a/internal/autocert/types/provider.go b/internal/autocert/types/provider.go
index 685a2942..2a104cab 100644
--- a/internal/autocert/types/provider.go
+++ b/internal/autocert/types/provider.go
@@ -1,13 +1,17 @@
 package autocert
 import (
+ "context"
 "crypto/tls"
 "github.com/yusing/goutils/task"
 )
 type Provider interface {
- GetCert(*tls.ClientHelloInfo) (*tls.Certificate, error)
- ScheduleRenewalAll(task.Parent)
+ GetCert(hello *tls.ClientHelloInfo) (*tls.Certificate, error)
+ GetCertInfos() ([]CertInfo, error)
+ ScheduleRenewalAll(parent task.Parent)
 ObtainCertAll() error
+ ForceExpiryAll() bool
+ WaitRenewalDone(ctx context.Context) bool
 }
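Review bot: The exported `CertInfo` type arrives in its new package without a doc comment, and nothing tells an API consumer what unit the `int64` validity fields use. The producer in provider.go fills `NotBefore` with `Leaf.NotBefore.Unix()` (the `NotAfter` assignment falls outside the visible hunk, presumably the same), so a comment above the struct such as `// CertInfo describes one loaded certificate; NotBefore and NotAfter are Unix timestamps in seconds.` would pin down the wire format.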
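Review bot: The two boolean results added to `Provider` (`ForceExpiryAll` and `WaitRenewalDone`) are undocumented, although the API handlers now depend on them only through this interface. renew.go treats a false return from `ForceExpiryAll` as "cert renewal already in progress", while the meaning of `WaitRenewalDone`'s result is not visible in this diff; a one-line comment on each method would make the contract explicit, e.g. `// ForceExpiryAll reports false when a renewal is already in progress.` Because internal/autocert/provider.go imports this package, the implementation cannot be referenced from here, so a compile-time assertion `var _ autocert.Provider = (*Provider)(nil)` in provider.go would catch the interface and `*Provider` drifting apart.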