APIContext partners with Akamai to expand advanced API monitoring adoption. Learn more >

Log In
Start for Free
🇯🇵
Knowledge Base
Understanding APIs
User Guides
API Knowledge Base

Understanding APIs

Deep dive into our technologies and features.
Learn More

APIContext Guides

Detailed guides to using APIContext to solve critical business problems.

Learn More

So why API Monitoring? after all, you’ve coded your service, API, app or whatever and why do we need API monitoring for dummies? It’s up and running. Customers are calling at your door. Life should be easy!

But it isn’t. The server goes out. People are getting hung up when they try to send you information. There are huge lag times. Your potential customers get frustrated and go somewhere else.

More likely than not, what’s happening is that there is a problem with the APIs you are running. If you could solve the problem, you would be retaining customers – rather than having the problem sending them to your competition.

This is where monitoring comes in. Dedicated API monitoring helps you check how your internal and third-party APIs are running. If there is a problem with a given API, it tells you what it is. This allows your team to quickly fix it.

In fact, with proper API monitoring, you should know about the problem way before it impacts your customers at all. So they won’t even notice it.

Doing API Monitoring Right

The best practices for API monitoring are going to vary by industry and can run into some problems internally – like, for example, what do you do if the internal risk teams don’t want you to monitor? (We’ll come back to that in another article…)

However, there are some key principles we go by that we want to share here with some tips on doing it right, even if you don’t use APIContext.

Monitor 24/7

Services go down when you’re not looking, so having heartbeat monitoring is essential – 24/7 365 days a year, have all of your API endpoints exercised by an external call. It doesn’t have to be high frequency, in fact we suggest to customers that anything from 5-10 times an hour for functional testing and maybe only once per hour for security and OAuth monitoring is enough. But they key thing is this – it needs to be a real call from somewhere outside your stack.

External NOT Internal

It really doesn’t matter if your gateway is up, or your backend is running if an actual person calling the API is getting some kind of error, or, worse, can’t even get to the API itself. So monitor externally, set up real API calls, using real security to real resources that run around the clock. Also the whole world isn’t on AWS, so stop using products that think it is.

Cover Everything

Do the little used things as well as the stuff that’s used all the time. You never know when a resource has been turned off without somebody realizing it and you only find out when a customer tries to do something essential for them that they only do once a week. An example from a customer – an expenses reporting API went down and they only realized when people filed their expenses on a Friday, of a holiday weekend.

HTTP Codes Are Not Magic

HTTP 200 All Ok… right? Well, not so much – the dirty secret of the API industry is this. HTTP codes lie. HTTP 200 especially so. Worse offenders are SOAP APIs pretending to be REST APIs where the error is buried in what looks like a pass. This can be tricky and we’ll have a whole article on this, spotting the situation can take some work but it’s well worth it – look our for changes in the size of content returned by the APIs as a first clue – if you usually get 500kb back and occasionally it’s only 100kb or even 2-3 bytes, then you’re possible getting an error or failure.

Did We Say That?

A MUCH overlooked part of API monitoring is what exactly it is you’re monitoring. As the story goes, you see somebody under a street light looking around, you offer help and they say they lost their car keys. You start looking and say where did they last see them, and they say over in the woods. When you stop and ask why they’re looking here, they say, “because the light is here…” – so, part of monitoring is monitoring the service you say you provide NOT what you know you deliver.

API Monitoring for Dummies Best Practice Top 10

We’d suggest the following are the absolute MINIMUM items to monitor on a regular basis AND have alerts set up to tell you when something goes wrong.

  1. Regular API monitoring heart beat checks from multiple locations
  2. Set up assertion/condition checks on the returned content to validate that what you get back is what you expected and trigger warnings and alerts on those accordingly
  3. Hit the production endpoints using the same security as your external users use
  4. Look at the statistical spread of latency results not just the averages – what are your q95 and q99 values?
  5. Have alerting set up for failures and issues
  6. Double check what 4XX errors are telling you – a 4XX error often is ignored as a problem elsewhere in the stack, but with APIs while it might mean you’ve got your security wrong, it could indicated that something outside your control has been shut down – there can be a world of difference in the API space between a 401 – unauthorized and a 404 Not Found
  7. Monitor that your API Security is doing what you think it is? Going back to 6, if you’re meant to return a 401 error if you hit the API with an invalid Scope or Token, do you?
  8. Don’t worry, too much, about one off events, look at trends and groups of issues
  9. SLOW isn’t always as bad as inconsistent – people can cope with slow, you can build it into your service – but if your service is inconsistent then that’s hard for you and end-users
  10. Look for odd geographical or cloud issues – if you’re on Azure but all your users are on AWS, don’t assume that Amazon and Microsoft are doing all the hard work for you on the networking side of things – look at those performance numbers and take steps to remedy what you see

API monitoring is often used as a check box exercise to be able to say you do it, or it’s done in a perfunctory way. It doesn’t have to be hard or as in depth as your test coverage but if you’re not monitoring the APIs you use or provide you are going to building up problems for your business and customers.

Here to help

Never forget, we’re here to help – we’ve been involved in API monitoring and performance measurement since before people realized it was a problem and we have the best tools available to deliver the data you didn’t even know you needed.

API Monitoring

See how APIContext monitors the APIs you rely on and provides peace of mind.

Learn More

API Performance

See what metrics you can identify with your APIs and learn how things work.

Learn More

Ready To Start Monitoring?

Want to learn more? Sign up now and start using the product immediately.

Take a Detailed Look

Download a detailed introduction to APIContext and learn how we are bringing common standards to API monitoring with integrated monitoring, performance assurance and compliance analysis!

[fusion_builder_container hundred_percent=”no” equal_height_columns=”no” menu_anchor=”” hide_on_mobile=”small-visibility,medium-visibility,large-visibility” class=”” id=”” background_color=”” background_position=”center center” fade=”no” background_parallax=”none” parallax_speed=”0.3″ video_mp4=”” video_webm=”” video_ogv=”” video_url=”” video_aspect_ratio=”16:9″ video_loop=”yes” video_mute=”yes” overlay_color=”” video_preview_image=”” border_size=”” border_color=”” padding_top=”” padding_bottom=”” padding_left=”” padding_right=””][fusion_builder_column type=”1_1″ layout=”1_1″ background_color=”” border_size=”” border_color=”” spacing=”yes” padding_top=”” padding_right=”” padding_bottom=”” padding_left=”” margin_top=”0px” margin_bottom=”0px” class=”” id=”” hide_on_mobile=”small-visibility,medium-visibility,large-visibility” center_content=”no” last=”no” min_height=”” hover_type=”none” link=””][fusion_text]

API Monitoring: Getting The Measure Of It (But Not For The Sake Of Measurement)

In the context of API monitoring, your API management system might generate logs to help you learn about the behavior of your APIs. For instance, you might get an alert if a HTTP error is seen. That might tell you there are problems with the API, but only problems of certain kinds. If won’t tell you if there is a problem with what is being returned to the user.

This can be a big issue. Some systems will always return a HTTP 200 response code, even if there is a server error. (SOAP API are especially notorious for always returning 200s.) In this situation, a HTTP 500 response code (Internal Server Error) should return. But if you don’t configure the system properly, tit won’t happen. And in some instances, what seems like an error to the end user might not seem like an error on the server side.

(It can be tempting to wrap code in layers of exception handling, which might prevent a process crashing. But if you catch all the exceptions thrown, it might look as though as the server returned successfully because it has. It just hasn’t done what the user wanted it to.)

DevOps logs also won’t tell you the overall latency your end users are experiencing. If you want to understand what is happening to your end users – and your business – you have to measure what is actually happening to your end users. Otherwise you’re just guessing.

There are a couple of issues here. The first is that a business is a cybernetic organization. It takes in inputs from its environment, processes them in various ways, and produces outputs.

A cybernetic organization constantly changes as it responds to change in its environment and internal state. It evolves to realize its goals more effectively and efficiently. Of course, one of the things that can change about a business is its goals. It can even change how it changes its goals!

A business needs to know as much it can about its internal state and external environment. Or, rather, as much as it needs to know. Measuring things can be expensive and you don’t want to spend a lot of energy, effort and resources to measure things and process the collected information if it doesn’t tell you anything useful in improving the business.

But following Stafford Beer, we can do better than that pre-cybernetic Taylorist thinking.

If your APIs aren’t working properly, it’ll cost you in the long run if not the short. Now, DevOps might say the APIs are working fine from their perspective. Why even bother measuring something if it is only to show up problems we can’t fix?

But the silo approach really won’t do. People defending their own patches by measuring and managing against soft metrics is ultimately only going to end in tears. All cybernetic organizations – whether microbes, whirlpools, people, companies or galaxies – are involved in the Darwinistic struggle for life. It’s the job of the brain of the firm to see through the self-interest of the occupants of the silos.

Monitoring the performance and quality of your APIs is neither difficult nor expensive. As APImetrics has shown, it’s false economy not to understand your APIs and to rely on measuring what you can measure just because you can measure it. It’s vital to always think those steps further out.

Because if you don’t, your rivals are going to.

Photo courtesy of Neil Cummings

[fusion_button link=”/get-started/” title=”” target=”_self” alignment=”” modal=”” hide_on_mobile=”small-visibility,medium-visibility,large-visibility” class=”” id=”” color=”default” button_ button_ button_gradient_top_color_hover=”” button_gradient_bottom_color_hover=”” accent_color=”” accent_hover_color=”” type=”” bevel_color=”” border_width=”” size=”” stretch=”default” shape=”” icon=”” icon_position=”left” icon_divider=”no” ]Try Us Out[/fusion_button]

Continuously test and monitor your APIs. Identify problems before customers notice, and get alerts immediately when applications don’t do what you expect. All with a fully-featured interface, direct CLI and configuration, and integrations to all the tools you use to manage incidents.

1. Setup

Configure API workflows manually or from a curl command, or import them directly from Postman Collections or your OpenAPI spec definition.

2. Monitor

Monitor consistently from over 125 worldwide locations. Set customized intervals, add downtimes, and manage schedules.

3. Report

Send alerts immediately, investigate issues easily, and share reports with stakeholders seamlessly, and all with enterprise-grade security.

Setup API calls simply and quickly

Setting up API monitoring is as simple as entering a URL. Our user-friendly interface lets you make any type of HTTP call, and test it right there in the browser – or from 125+ locations around the world.

You’ll get instant results, which means instant answers and instant solutions – before your customers even know something is wrong.

API Monitoring

Create Functional Workflows

Test critical API sequences using our multi-step API workflow tool. , Mange variables at each API call step, including external calls to websites and other services for handling complex authentication scenarios including OAuth2, and more advanced standards like and scenarios.

Global reach, inside and out

Monitor simultaneously from 125+ data centers from all the major cloud providers including  AWS, Azure, IBM, Google, and Akamai.

And add agents inside your network to monitor APIs behind your firewall or anywhere that you need to keep protected.

Integrated Reporting and Insights

Advanced reporting for incident management, and executive summaries. No matter what your needs, we capture the full data trace and payload, and give you the tools to understand your API resiliency.

Learn More

Monitor secure API calls

Don’t use insecure scripts that require an API key and secret to test only parts of your API functionality.

Leverage our full OAuth handling, including JWTs, mTLS, FAPI validation, and more.

Know that your most important APIs function as you intend.

API conformance checks automatically

Conformance Ready

Validate conformance against your OpenAPI specification or your security standards.

And verify conformance against service level objectives and other performance metrics.

Learn More

Alert when and How you need

When something goes wrong, you need to know immediately. Set up alerts via webhooks or OpenTelemetry, with pre-configured integrations into dozens of platforms.

Uptime Monitoring vs Synthetic Monitoring

APIContext offers two different types of API call monitoring: uptime and full synthetic.

Uptime monitoring, sometimes called heartbeat monitoring, checks to make sure an application is alive and responding, allowing you to choose a set number of API calls that we will check as often as once a minute. Run from a single cloud, it ensures you know immediately when your APIs are down.

Full synthetic monitoring allows you to validate every aspect of your APIs from all our points of presence, sending variables between them, automatically retrying on failure, and verifying conformance.

Get Started for Free

Test

Fully functional external API testing
Click Here

Monitor Uptime

Uptime monitoring with basic ping checks
Click Here

Safe Secure Calls

Don't break your API security - monitor it!
Click Here

Full Synthetics

Complete, secure functional API calls from any datacenter
Click Here

Ready To Start Monitoring?

Want to learn more? Sign up now and start using the product immediately.

APIContext is headquartered in Seattle, WA and has offices in London, Edinburgh, and Portland.

Twitter Youtube Linkedin
Resources
Product Overview
Company

Copyright APIContext © 2024. All rights reserved.