APIContext partners with Akamai to expand advanced API monitoring adoption. Learn more >

So why API Monitoring? after all, you’ve coded your service, API, app or whatever and why do we need API monitoring for dummies? It’s up and running. Customers are calling at your door. Life should be easy!

But it isn’t. The server goes out. People are getting hung up when they try to send you information. There are huge lag times. Your potential customers get frustrated and go somewhere else.

More likely than not, what’s happening is that there is a problem with the APIs you are running. If you could solve the problem, you would be retaining customers – rather than having the problem sending them to your competition.

This is where monitoring comes in. Dedicated API monitoring helps you check how your internal and third-party APIs are running. If there is a problem with a given API, it tells you what it is. This allows your team to quickly fix it.

In fact, with proper API monitoring, you should know about the problem way before it impacts your customers at all. So they won’t even notice it.

Doing API Monitoring Right

The best practices for API monitoring are going to vary by industry and can run into some problems internally – like, for example, what do you do if the internal risk teams don’t want you to monitor? (We’ll come back to that in another article…)

However, there are some key principles we go by that we want to share here with some tips on doing it right, even if you don’t use APIContext.

Monitor 24/7

Services go down when you’re not looking, so having heartbeat monitoring is essential – 24/7 365 days a year, have all of your API endpoints exercised by an external call. It doesn’t have to be high frequency, in fact we suggest to customers that anything from 5-10 times an hour for functional testing and maybe only once per hour for security and OAuth monitoring is enough. But they key thing is this – it needs to be a real call from somewhere outside your stack.

External NOT Internal

It really doesn’t matter if your gateway is up, or your backend is running if an actual person calling the API is getting some kind of error, or, worse, can’t even get to the API itself. So monitor externally, set up real API calls, using real security to real resources that run around the clock. Also the whole world isn’t on AWS, so stop using products that think it is.

Cover Everything

Do the little used things as well as the stuff that’s used all the time. You never know when a resource has been turned off without somebody realizing it and you only find out when a customer tries to do something essential for them that they only do once a week. An example from a customer – an expenses reporting API went down and they only realized when people filed their expenses on a Friday, of a holiday weekend.

HTTP Codes Are Not Magic

HTTP 200 All Ok… right? Well, not so much – the dirty secret of the API industry is this. HTTP codes lie. HTTP 200 especially so. Worse offenders are SOAP APIs pretending to be REST APIs where the error is buried in what looks like a pass. This can be tricky and we’ll have a whole article on this, spotting the situation can take some work but it’s well worth it – look our for changes in the size of content returned by the APIs as a first clue – if you usually get 500kb back and occasionally it’s only 100kb or even 2-3 bytes, then you’re possible getting an error or failure.

Did We Say That?

A MUCH overlooked part of API monitoring is what exactly it is you’re monitoring. As the story goes, you see somebody under a street light looking around, you offer help and they say they lost their car keys. You start looking and say where did they last see them, and they say over in the woods. When you stop and ask why they’re looking here, they say, “because the light is here…” – so, part of monitoring is monitoring the service you say you provide NOT what you know you deliver.

API Monitoring for Dummies Best Practice Top 10

We’d suggest the following are the absolute MINIMUM items to monitor on a regular basis AND have alerts set up to tell you when something goes wrong.

  1. Regular API monitoring heart beat checks from multiple locations
  2. Set up assertion/condition checks on the returned content to validate that what you get back is what you expected and trigger warnings and alerts on those accordingly
  3. Hit the production endpoints using the same security as your external users use
  4. Look at the statistical spread of latency results not just the averages – what are your q95 and q99 values?
  5. Have alerting set up for failures and issues
  6. Double check what 4XX errors are telling you – a 4XX error often is ignored as a problem elsewhere in the stack, but with APIs while it might mean you’ve got your security wrong, it could indicated that something outside your control has been shut down – there can be a world of difference in the API space between a 401 – unauthorized and a 404 Not Found
  7. Monitor that your API Security is doing what you think it is? Going back to 6, if you’re meant to return a 401 error if you hit the API with an invalid Scope or Token, do you?
  8. Don’t worry, too much, about one off events, look at trends and groups of issues
  9. SLOW isn’t always as bad as inconsistent – people can cope with slow, you can build it into your service – but if your service is inconsistent then that’s hard for you and end-users
  10. Look for odd geographical or cloud issues – if you’re on Azure but all your users are on AWS, don’t assume that Amazon and Microsoft are doing all the hard work for you on the networking side of things – look at those performance numbers and take steps to remedy what you see

API monitoring is often used as a check box exercise to be able to say you do it, or it’s done in a perfunctory way. It doesn’t have to be hard or as in depth as your test coverage but if you’re not monitoring the APIs you use or provide you are going to building up problems for your business and customers.

Here to help

Never forget, we’re here to help – we’ve been involved in API monitoring and performance measurement since before people realized it was a problem and we have the best tools available to deliver the data you didn’t even know you needed.

API Monitoring

See how APIContext monitors the APIs you rely on and provides peace of mind.

API Performance

See what metrics you can identify with your APIs and learn how things work.

Ready To Start Monitoring?

Want to learn more? Check out our technical documentation, our API directory, or start using the product immediately. Sign up instantly, and monitor your first API call in minutes.

Take a Detailed Look

Download a detailed introduction to APIContext and learn how we are bringing common standards to API monitoring with integrated monitoring, performance assurance and compliance analysis!

[fusion_builder_container hundred_percent=”no” equal_height_columns=”no” menu_anchor=”” hide_on_mobile=”small-visibility,medium-visibility,large-visibility” class=”” id=”” background_color=”” background_position=”center center” fade=”no” background_parallax=”none” parallax_speed=”0.3″ video_mp4=”” video_webm=”” video_ogv=”” video_url=”” video_aspect_ratio=”16:9″ video_loop=”yes” video_mute=”yes” overlay_color=”” video_preview_image=”” border_size=”” border_color=”” padding_top=”” padding_bottom=”” padding_left=”” padding_right=””][fusion_builder_column type=”1_1″ layout=”1_1″ background_color=”” border_size=”” border_color=”” spacing=”yes” padding_top=”” padding_right=”” padding_bottom=”” padding_left=”” margin_top=”0px” margin_bottom=”0px” class=”” id=”” hide_on_mobile=”small-visibility,medium-visibility,large-visibility” center_content=”no” last=”no” min_height=”” hover_type=”none” link=””][fusion_text]

API Monitoring: Getting The Measure Of It (But Not For The Sake Of Measurement)

In the context of API monitoring, your API management system might generate logs to help you learn about the behavior of your APIs. For instance, you might get an alert if a HTTP error is seen. That might tell you there are problems with the API, but only problems of certain kinds. If won’t tell you if there is a problem with what is being returned to the user.

This can be a big issue. Some systems will always return a HTTP 200 response code, even if there is a server error. (SOAP API are especially notorious for always returning 200s.) In this situation, a HTTP 500 response code (Internal Server Error) should return. But if you don’t configure the system properly, tit won’t happen. And in some instances, what seems like an error to the end user might not seem like an error on the server side.

(It can be tempting to wrap code in layers of exception handling, which might prevent a process crashing. But if you catch all the exceptions thrown, it might look as though as the server returned successfully because it has. It just hasn’t done what the user wanted it to.)

DevOps logs also won’t tell you the overall latency your end users are experiencing. If you want to understand what is happening to your end users – and your business – you have to measure what is actually happening to your end users. Otherwise you’re just guessing.

There are a couple of issues here. The first is that a business is a cybernetic organization. It takes in inputs from its environment, processes them in various ways, and produces outputs.

A cybernetic organization constantly changes as it responds to change in its environment and internal state. It evolves to realize its goals more effectively and efficiently. Of course, one of the things that can change about a business is its goals. It can even change how it changes its goals!

A business needs to know as much it can about its internal state and external environment. Or, rather, as much as it needs to know. Measuring things can be expensive and you don’t want to spend a lot of energy, effort and resources to measure things and process the collected information if it doesn’t tell you anything useful in improving the business.

But following Stafford Beer, we can do better than that pre-cybernetic Taylorist thinking.

If your APIs aren’t working properly, it’ll cost you in the long run if not the short. Now, DevOps might say the APIs are working fine from their perspective. Why even bother measuring something if it is only to show up problems we can’t fix?

But the silo approach really won’t do. People defending their own patches by measuring and managing against soft metrics is ultimately only going to end in tears. All cybernetic organizations – whether microbes, whirlpools, people, companies or galaxies – are involved in the Darwinistic struggle for life. It’s the job of the brain of the firm to see through the self-interest of the occupants of the silos.

Monitoring the performance and quality of your APIs is neither difficult nor expensive. As APImetrics has shown, it’s false economy not to understand your APIs and to rely on measuring what you can measure just because you can measure it. It’s vital to always think those steps further out.

Because if you don’t, your rivals are going to.

Photo courtesy of Neil Cummings

[fusion_button link=”/get-started/” title=”” target=”_self” alignment=”” modal=”” hide_on_mobile=”small-visibility,medium-visibility,large-visibility” class=”” id=”” color=”default” button_ button_ button_gradient_top_color_hover=”” button_gradient_bottom_color_hover=”” accent_color=”” accent_hover_color=”” type=”” bevel_color=”” border_width=”” size=”” stretch=”default” shape=”” icon=”” icon_position=”left” icon_divider=”no” ]Try Us Out[/fusion_button]

API monitoring from APIContext tests and monitors your APIs. Spot problems before customers notice and keep on top of quality and governance issues, With an easy-to-use interface and direct integrations to major API & APM tooling systems, now you can monitor all your critical APIs and API workflows, generate reporting, and get alerted when and how  you need it.

1. Setup

Setup API monitoring flows easily and simply from a curl command or import them directly from Open API specs or Postman.

2. Monitor

Monitor regularly from over 100 different cloud locations at customized intervals, add downtime and custom frequencies

3. Report

Add alerts, reports and share data to other users or stakeholders instantly and with total security.

Setup API calls simply and quickly

Setting up API monitoring is as simple as entering a URL. The APIContext user-friendly interface lets you make any type of HTTP call, and test it right there in the browser – or from 100+ locations around the world.

You’ll get instant results, which means instant answers and instant solutions – before your customers even know something is wrong.

API Monitoring

Create Functional Workflows

Multi-step, functional sequences of calls to test core functionality of your APIs – handling variables at each step including external calls to websites and other services for handling complex auth scenarios like Financial Grade API.

Global, multi-Cloud reach

Monitor simultaneously from 100s of data centers from all the major cloud providers including  AWS, Azure, IBM, Google, and Akamai.

Add new custom locations with our containerized agents and deploy them inside your firewalls and infrastructure.

Integrated Reporting and Insights

No matter what your needs, APIContext captures and gives you the tools to see what is going on with your APIs.

Whether it’s network bottlenecks or tracking outliers with correlation IDs or customer facing SLO metrics

We have you covered

Uptime API Monitoring vs Synthetic API Monitoring

APIContext offers two different types of API call monitoring: uptime and full synthetic.

Our uptime monitoring is a simple API call that checks for downtime, allowing you to choose a set number of API calls that we will check as often as once a minute. Synthetic monitoring allows you to thoroughly check your APIs, sending variables between them, automatically retry on failure, across 100+ locations. Uptime monitoring will give you a more simple overlook from a single cloud location, ensuring you know when your critical APIs are having issues at a quick glance

Real API Security

Don’t skimp on security or use insecure scripts to get around OAuth flows. Use the only synthetic API monitoring product that can handle all forms of API security include OAuth, JWTs and FAPI levels of security without presenting a risk or expanding your attack surface.

API conformance checks automatically

Conformance Ready

Create calls direct from Open API specifications and validate the returned content against the specification used.

Get real time conformance and performance alerts and data including Schema and Service Level Objective alerts

Webhooks

Alerting the way you want it

Error and performance change alerts via email or webhook. Integrated OpenTelemetry or webhooks for critical tools.

APIContext API monitoring gives you the information you need – before you knew you needed it.

Don’t wait.

Get an alert BEFORE it breaks.

Test

Fully functional external API testing

Monitor Uptime

Uptime monitoring with basic ping checks

Safe Secure Calls

Don't break your API security - monitor it!

Full Synthetics

Complete, secure functional API calls from any datacenter

Ready To Start Monitoring?

Want to learn more? Check out our technical documentation, our API directory, or start using the product immediately. Sign up instantly, and monitor your first API call in minutes.