What Is API Monitoring?
What API monitoring is, why it matters, the types of checks involved, and how to set up monitoring for REST APIs, webhooks, and third-party API dependencies.
API monitoring is the practice of continuously checking that your APIs (and the APIs you depend on) are available, responsive, and returning correct data. If your website relies on APIs for payment processing, user authentication, data retrieval, or any other functionality, an API failure can break your site even when your web server is running perfectly.
This guide covers what API monitoring involves, why it matters, and how to set it up. For general monitoring guidance, see our website maintenance and monitoring guide.
What API Monitoring Checks
Availability
The most basic check: is the API endpoint responding? An availability check sends an HTTP request to the endpoint and verifies it returns a response. If the endpoint times out or returns a connection error, the API is down.
GET https://api.example.com/v1/health
Expected: 200 OK
Response status codes
Beyond basic availability, the response status code matters. A 200 (OK) is expected. But API errors often return specific codes:
- 401/403: Authentication or authorization failure
- 404: Endpoint not found (often after a breaking API change)
- 429: Rate limited
- 500/502/503: Server error
Monitoring should alert on unexpected status codes, not just connection failures.
Response time
How long the API takes to respond. Slow APIs cause slow page loads and poor user experience. Monitor response time with thresholds:
- Under 200ms: good for most APIs
- 200-500ms: acceptable for complex queries
- Over 500ms: worth investigating
- Over 2 seconds: likely causing user-facing problems
Track response time trends. A gradually increasing response time often precedes a complete failure.
Response body validation
The most thorough check. Verify that the API response contains expected data in the expected format. This catches situations where the API returns a 200 status code but the data is wrong, empty, or malformed.
For a JSON API:
// Expected response structure
{
  "status": "ok",
  "data": {
    "products": [...]
  }
}
Validation might check:
- Response is valid JSON
- Required fields exist
- Data types are correct
- Values are within expected ranges
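The four validation checks above applied to the response structure shown, as an added example that is not code from the original guide. The product fields `id` and `price`, the price ceiling and the sample bodies are assumptions constructed for illustration.

```python
import json

# Constructed sample bodies; "id" and "price" are assumed product fields.
GOOD = b'{"status": "ok", "data": {"products": [{"id": 1, "price": 19.99}]}}'
EMPTY = b'{"status": "ok", "data": {"products": []}}'
MAINTENANCE = b'{"status": "maintenance"}'
NOT_JSON = b"<html>Bad Gateway</html>"
WRONG_TYPES = b'{"status": "ok", "data": {"products": [{"id": "1", "price": -5}]}}'


def is_number(value):
    # bool is a subclass of int in Python, so exclude it explicitly.
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def validate_products_body(raw, max_price=100_000):
    """Return a list of problems with a response body; empty means it passed."""
    try:
        doc = json.loads(raw)
    except ValueError as exc:  # covers JSONDecodeError and undecodable bytes
        return [f"not valid JSON: {exc}"]
    if not isinstance(doc, dict):
        return ["top level is not a JSON object"]
    problems = []
    if doc.get("status") != "ok":
        problems.append(f"status is {doc.get('status')!r}, expected 'ok'")
    data = doc.get("data")
    products = data.get("products") if isinstance(data, dict) else None
    if not isinstance(products, list):
        return problems + ["data.products is missing or not an array"]
    if not products:
        problems.append("data.products is empty")
    for i, item in enumerate(products):
        if not isinstance(item, dict):
            problems.append(f"products[{i}] is not an object")
            continue
        if type(item.get("id")) is not int:
            problems.append(f"products[{i}].id is not an integer")
        price = item.get("price")
        if not is_number(price):
            problems.append(f"products[{i}].price is not a number")
        elif not 0 < price <= max_price:
            problems.append(f"products[{i}].price {price} is out of range")
    return problems
```

Every sample except `GOOD` could arrive with a 200 status, which is why the status code alone is not enough.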
SSL/TLS certificate
If your API uses HTTPS (which it should), monitor the SSL certificate for expiry and validity. An expired API certificate causes all clients to fail with SSL errors.
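One way to check certificate expiry and validity with Python's standard `ssl` module, as an added example that is not code from the original guide. The 30-day and 7-day thresholds and the function names are assumptions.

```python
import socket
import ssl
import time


def fetch_not_after(host, port=443, timeout=5.0):
    """Handshake with full chain and hostname verification; return notAfter."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def days_remaining(not_after, now):
    """Days until expiry for a notAfter string such as 'Jan  5 09:34:43 2018 GMT'."""
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400


def certificate_status(not_after, now, warn_days=30, critical_days=7):
    # warn_days and critical_days are assumed thresholds, not from the guide.
    days = days_remaining(not_after, now)
    if days < 0:
        return "expired"
    if days <= critical_days:
        return "critical"
    if days <= warn_days:
        return "warning"
    return "ok"


def check_host(host, now=None):
    """Return a status string for one endpoint's certificate."""
    now = time.time() if now is None else now
    try:
        not_after = fetch_not_after(host)
    except ssl.SSLCertVerificationError as exc:
        # Expired, self-signed or wrong-hostname certificates fail here,
        # which is the same failure API clients would see.
        return f"invalid: {exc.verify_message}"
    except OSError as exc:
        return f"unreachable: {exc}"
    return certificate_status(not_after, now)
```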
Authentication
If your API requires authentication (API keys, OAuth tokens, JWT), monitor that authentication works correctly. Expired tokens, rotated keys, or changes to the auth system can silently break API access.
Why API Monitoring Matters
Your site depends on APIs you do not control
Most modern websites consume third-party APIs:
- Payment processing: Stripe, PayPal, Square
- Authentication: Auth0, Firebase Auth, OAuth providers
- Email: SendGrid, Mailgun, Postmark
- Search: Algolia, Elasticsearch
- CDN and storage: Cloudflare, AWS S3
- Maps: Google Maps, Mapbox
- Analytics and tracking: Google Analytics, Segment
When any of these go down, the affected feature on your site breaks. Your server is healthy, your code is fine, but users cannot check out, log in, or search because a dependency is unavailable.
Standard uptime monitoring (checking your homepage) might not catch these failures if the homepage still loads but the checkout API is down.
Your own APIs serve other systems
If you provide APIs that other applications, mobile apps, or partners consume, monitoring ensures you meet your uptime commitments and catch issues before your API consumers report them.
API failures are often silent
A web page outage is obvious: users see an error page. An API failure can be subtle: a form silently fails to submit, search results are empty, prices do not load, or a feature simply stops working. Without monitoring, these failures can go unnoticed for hours.
Types of API Monitoring
Uptime checks
Simple availability checks that verify the API responds. Typically a GET request to a health endpoint or root endpoint. Fast to set up, catches complete outages.
Functional tests
Multi-step checks that verify API functionality. For example:
- Authenticate with credentials
- Create a test resource
- Read the resource back
- Verify the data matches
- Delete the test resource
This catches functional failures that simple uptime checks miss: the API is responding but not processing requests correctly.
Performance monitoring
Track response time percentiles (p50, p95, p99) over time. The p50 is the median response time. The p99 is the response time that 99% of requests stay under, so it describes the slowest 1% of responses. A good p50 with a bad p99 means most users are fine but some are experiencing severe latency.
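Percentiles computed from raw latency samples, plus the rising-trend signal mentioned under "Response time", as an added example that is not code from the original guide. The nearest-rank method, the function names and the sample data are assumptions; the 200ms and 2 second limits are the guide's own thresholds.

```python
import math

# Constructed samples (milliseconds): 97 fast responses and 3 very slow ones.
SAMPLES = [120] * 97 + [2500] * 3
# Constructed per-window samples in which the tail grows window over window.
WINDOWS = [[100] * 20, [100] * 18 + [180] * 2, [100] * 17 + [300] * 3]


def percentile(samples, p):
    """Nearest-rank percentile: the smallest sample that p% of samples are <= to."""
    if not samples:
        raise ValueError("no samples")
    ordered = sorted(samples)
    rank = max(1, math.ceil(p * len(ordered) / 100))
    return ordered[rank - 1]


def summarize(samples):
    """p50, p95 and p99 for one window of latency samples."""
    return {f"p{p}": percentile(samples, p) for p in (50, 95, 99)}


def hidden_tail(summary, good_ms=200, bad_ms=2000):
    """True when the median looks healthy but the slowest 1% is over 2 seconds."""
    return summary["p50"] <= good_ms and summary["p99"] > bad_ms


def rising_trend(windows, p=95, min_windows=3):
    """True when the percentile rose in each of the last min_windows windows."""
    values = [percentile(w, p) for w in windows[-min_windows:]]
    if len(values) < min_windows:
        return False
    return all(a < b for a, b in zip(values, values[1:]))
```

An average over `SAMPLES` would be about 191ms and look healthy, while `hidden_tail` flags the 2.5 second responses that 3% of requests received.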
Contract testing
Verify that the API response matches a defined schema (JSON Schema, OpenAPI spec). This catches breaking changes where the API still responds but the structure of the response has changed.
Dependency monitoring
Monitor the third-party APIs your site depends on. You cannot fix their issues, but you can detect them quickly and communicate with users or switch to fallbacks.
Setting Up API Monitoring
Step 1: Identify your critical APIs
List every API endpoint your site depends on, both internal and external:
- Your own backend API endpoints
- Payment processor APIs
- Authentication provider APIs
- Third-party data sources
- CDN and storage APIs
Prioritize by impact: which API failures would affect the most users or the most revenue?
Step 2: Create basic availability checks
For each critical endpoint, set up a simple HTTP check:
Endpoint: GET https://api.example.com/v1/health
Expected status: 200
Check interval: 1 minute
Alert on: non-200 response or timeout > 5 seconds
For authenticated endpoints, include the necessary headers:
Endpoint: GET https://api.example.com/v1/products
Headers: Authorization: Bearer your-api-key
Expected status: 200
Step 3: Add response validation
For your most critical endpoints, add response body checks:
Endpoint: GET https://api.example.com/v1/products
Expected: Response contains "products" array with at least 1 item
Expected: Response time under 500ms
Step 4: Set up alerting
Configure alerts to reach the right people through the right channels:
- Critical APIs (payment, auth): Slack + SMS + PagerDuty
- Important APIs (search, recommendations): Slack + email
- Nice-to-have APIs (analytics, tracking): Email only
Include escalation: if nobody acknowledges the alert in 15 minutes, alert the next person.
Step 5: Monitor third-party dependencies
For external APIs you depend on, set up checks that verify the specific endpoints your site uses (not just the provider's status page). Status pages often underreport issues or have delayed updates. Your own monitoring is faster and more accurate for your specific use case.
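Steps 2 through 4 combined into one check evaluator, as an added example that is not code from the original guide. The class and function names, the tier keys and the `next-on-call` escalation target are assumptions; thresholds and channels are taken from the steps above.

```python
import time
import urllib.error
import urllib.request
from dataclasses import dataclass

CHANNELS = {"critical": ["slack", "sms", "pagerduty"],  # Step 4 tiers; the
            "important": ["slack", "email"],            # key names are
            "nice-to-have": ["email"]}                  # assumed labels
REASONS = {401: "auth failure", 403: "auth failure",
           404: "endpoint not found", 429: "rate limited"}

@dataclass
class Check:
    url: str
    tier: str
    expected_status: int = 200
    timeout_s: float = 5.0         # Step 2: alert on timeout > 5 seconds
    max_latency_ms: float = 500.0  # Step 3: response time under 500ms

def probe(check, token=None):
    """One GET: (status, latency_ms, body); status is None if unreachable."""
    # token: a read-only monitoring credential loaded from a secret store
    headers = {"Authorization": f"Bearer {token}"} if token else {}
    req = urllib.request.Request(check.url, headers=headers)
    start = time.monotonic()
    try:
        with urllib.request.urlopen(req, timeout=check.timeout_s) as resp:
            status, body = resp.status, resp.read()
    except urllib.error.HTTPError as exc:  # 4xx/5xx still carry a status
        status, body = exc.code, exc.read()
    except OSError:  # URLError, socket timeout, TLS failure
        status, body = None, b""
    return status, (time.monotonic() - start) * 1000, body

def evaluate(check, status, latency_ms, body_problems=()):
    """Return failure reasons for one probe; an empty list means healthy."""
    if status is None:
        return ["timeout or connection error"]
    reasons = []
    if status != check.expected_status:
        fallback = "server error" if status >= 500 else "unexpected status"
        reasons.append(f"HTTP {status}: {REASONS.get(status, fallback)}")
    if latency_ms > check.max_latency_ms:
        reasons.append(f"slow response: {latency_ms:.0f}ms")
    return reasons + list(body_problems)

def channels_for(check, reasons, minutes_unacknowledged=0):
    """Channels by tier, plus the next responder after 15 unacknowledged minutes."""
    extra = ["next-on-call"] if minutes_unacknowledged >= 15 else []
    return CHANNELS[check.tier] + extra if reasons else []
```

Labelling a 429 separately lets the on-call responder tell a rate-limited monitor apart from a real outage of the dependency.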
Monitor from the user's perspective
API monitoring from inside your network does not catch the same problems as monitoring from outside. An API endpoint might work perfectly from your server but be unreachable from your users' perspective due to DNS issues, CDN problems, or geographic routing. Monitor API endpoints from multiple external locations, the same way you monitor your website's uptime.
API Monitoring and Website Monitoring
API monitoring complements website uptime monitoring. Uptime monitoring checks whether your pages load. API monitoring checks whether the services behind those pages work correctly.
A complete monitoring setup includes:
- Website uptime monitoring -- Is the site reachable?
- API endpoint monitoring -- Are the backend services working?
- Third-party dependency monitoring -- Are external services available?
- SSL and domain monitoring -- Are certificates and registrations current?
Together, these cover the full stack of potential failure points.
Common Mistakes
Only monitoring the health endpoint
Many APIs have a /health or /status endpoint that returns 200 as long as the server is running. But the server being up does not mean the API is functioning correctly. A database failure could leave the health endpoint responding while all data endpoints return errors. Monitor actual data endpoints, not just health checks.
Not monitoring response time
An API that responds in 10 seconds is technically "up" but functionally broken for real-time applications. Set response time thresholds and alert when they are exceeded.
Forgetting about rate limits
If your monitoring checks hit a third-party API too frequently, you may get rate-limited. This generates false alerts (the API appears down) and can disrupt your production API usage. Check the API provider's rate limit policies and configure check intervals accordingly.
Not monitoring authentication
API keys expire, OAuth tokens need refreshing, and providers change their auth requirements. A monitoring check that uses a hardcoded API key will not catch auth failures that affect your application's dynamically generated tokens. Where possible, test the full auth flow.
Ignoring response body changes
An API that returns 200 with an empty array or a "maintenance" message is not working correctly. Validate response bodies for critical endpoints.
Summary
API monitoring verifies that the APIs your site depends on are available, fast, and returning correct data. It catches failures that standard website monitoring misses: the site loads, but a critical backend service is broken. Start by identifying your critical API dependencies, set up availability checks with response validation, configure meaningful alerting, and monitor third-party APIs from external locations. API monitoring closes the gap between "the site is up" and "the site actually works."