API Monitoring Best Practices

By: Similoluwa Adegoke | Last Updated: Mar 17, 2023

API monitoring is a way of collecting data and gaining insights into how an API is performing. This data may include response time, speed, downtime and uptime, content, etc. API monitoring can be done manually, but this is a painstaking process. Using an API monitoring tool like Cronitor is a much better alternative: apart from being automatic, such tools provide many more metrics to gauge the performance of your API.

This guide breaks down what API monitoring is and how it should be done. It also provides you with a list of tools and best practices to help you get started.

What Is API Monitoring?

API monitoring is a way of simulating how the API is built to work while collecting data on its behavior. An API exposes the functionalities of a system through its endpoints, and the functionalities and performance of the API are also measured through those endpoints.

To implement API monitoring, a remote computer/server sends a request to the endpoints that the API is exposing and receives a response from your API server. This entire process from request to response is then tracked to measure metrics like response time, payload size, etc., and when you run this process over a series of endpoints continuously, you can deduce throughput, uptime, downtime, lag in the network, and other metrics.

Why Is API Monitoring Important?

As an engineer, most of your apps' components rely on APIs to interact with each other. The backend is usually composed of multiple services that connect with each other using APIs, and an API gateway orchestrates these APIs to help interact with the frontend (or directly with the end user using public endpoints). Therefore, ensuring that your APIs are highly available and reliable is crucial for providing top-quality services to your end users.

Reliability is a critical component of your product, and aside from satisfying your consumers, it translates into increased revenue and affects all other parts of your business or product. API monitoring helps ensure that your APIs perform as expected all the time.

API Monitoring vs. Website Monitoring

While API monitoring and website monitoring both sound similar, they are very different. Website monitoring is a broad form of monitoring that covers aspects such as availability, response times, response sizes, uptime, SSL certificate validity, DNS record validity, and more.

API monitoring is a part of website monitoring that focuses solely on a web app's APIs. As mentioned previously, the API server is regularly pinged to receive responses, and the entire process is tracked using metrics that help understand the health of the APIs alone. API monitoring is not concerned with the overall availability of your web app or the end-user experience of the same.

Since APIs are a part of your web apps, their performance directly affects the overall performance of your app. Therefore, you cannot ignore API monitoring if you are looking to deliver an exceptional experience for your website's users.

The metrics being measured vary greatly between API and website monitoring. Metrics like page speed, time to first byte, and time to interactive are not monitored in API monitoring but are very important when it comes to monitoring websites. There is a large overlap in the metrics, but the primary concerns of these two types of monitoring (API and website) are different.

How Does API Monitoring Fit in with Other Forms of Monitoring?

Other than website monitoring, there are various types of monitoring strategies. Let's take a look at a few of them to understand how they compare with API monitoring.

Synthetic Monitoring

Synthetic monitoring is a form of monitoring that involves emulating the paths that a user might take while using your application. It uses scripts that simulate user behavior and helps you test your application from various locations, networks, device types, and more.

You can implement synthetic API monitoring by automating the testing of your APIs using tools that can send requests from multiple locations, device types, networks, etc. from around the world and track performance. This is a controlled form of API monitoring, and it gives you full control of the initial testing conditions as well as the volume of data you collect around your API's performance.

Real User Monitoring

Real User Monitoring involves tracking real users as they use various parts of your app. The metrics are collected on the real users that use the app. It is implemented by injecting scripts into the websites and writing them as part of the source code when developing the API or website (also known as instrumentation) or by using automatic instrumentation via monitoring tools.

The API monitoring equivalent of this would involve tracking requests and responses related to your APIs as they are generated by real user activities. You lose control over the testing location, networks, device types, and other conditions, but you get access to real user data, which can be helpful in resolving issues that your customers are actually facing. Also, the volume of data generated in this form of monitoring can be quite high unless filtered properly.

Error Tracking

Error tracking is simply maintaining a record of the issues that occurred in an application and collecting data about them to help in their resolution. In API monitoring, this is implemented by tracking the status codes returned by an API over time and ensuring that alerts are sent out whenever error codes like 4XX or 5XX are encountered. You could also set up monitors for tracking the response body of the API responses and set up alerts whenever it is empty (when it should be nonempty).

Uptime and Downtime Monitoring

Uptime monitoring focuses on the availability of an application. This kind of monitoring could include other metrics like response time, latency, throughput, etc. The availability of critical parts of your APIs is crucial as this can impact your business and the businesses that your API is powering.

Security Monitoring

Security monitoring is the process of collecting data on how secure your apps are and also ensuring all security standards are fulfilled properly. It also involves monitoring protected pages and user authorization levels.

Metrics to Monitor

Like all other forms of monitoring, API monitoring has a set of recommended metrics that you should prioritize when getting started to get the maximum benefit right out of the box. Here are some of those:

Response Time

Response time is the total time between when a request is made by the client and when the response is sent back to the client. This time includes the time required to process the request in the server and deliver an output to the user or client.

Another way to look at response time is through transport latency and processing time. Transport latency is the time it takes for a request or response to be sent to or from the processing component (server/client). The processing time is then the time it takes for the system to process the request. Hence, response time = transport latency + processing time.

You can use API clients such as Postman to measure the response time manually, or you can use automatic tools like Cronitor. Here is an example of a Cronitor dashboard showing response time for a dog-facts API, and it shows there was a spike in response time at around 14:00.

The Cronitor dashboard showing response time

Response Status Code

For every response that is returned to the client, there is always an HTTP status code that indicates the result of the operation. This can be a successful response (2XX), responses that indicate bad requests from the client (4XX), or those that indicate the server might be the cause of the error (5XX).

Thus, these codes are recorded for every request, and the request can be repeated over time to measure the performance of the API, or a user journey might be simulated. These metrics give you insights into the errors per minute, success per minute, server failures, etc.

The Cronitor dashboard showing status codes in the latest activity

Assertions Based on Response Data

An assertion is simply comparing the response received with the response expected. This process helps to set up checks that are specific to the response of each API and may help in catching cases where the right status code was sent but the body did not contain the right content.

For example, here is a setup on Cronitor for verifying if the word "fact" is present in the content when a request is made to the dog-facts API.

An image showing setting up assertions when monitoring API
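
The status-code alerting described under Error Tracking and the "fact" assertion above can be evaluated together, as in the following added example (not code from this article or from Cronitor). The probe records are constructed, and the field names and the `alertAfter` threshold are assumptions.

```javascript
// Constructed probe results for a hypothetical dog-facts endpoint (not real traffic).
const sampleProbes = [
  { at: '2023-03-17T14:00:00Z', status: 200, ms: 180, body: '{"fact":"Dogs have three eyelids."}' },
  { at: '2023-03-17T14:00:45Z', status: 200, ms: 210, body: '' },
  { at: '2023-03-17T14:01:30Z', status: 200, ms: 190, body: '{"error":"upstream timeout"}' },
  { at: '2023-03-17T14:02:15Z', status: 503, ms: 950, body: 'Service Unavailable' },
  { at: '2023-03-17T14:03:00Z', status: 401, ms: 40, body: '{"message":"unauthorized"}' },
];

// Illustrative expectations for one monitor (field names are assumptions).
const expectations = { status: 200, maxMs: 600, bodyIncludes: 'fact' };

// Return the list of failed checks for a single probe (empty list = healthy).
function checkProbe(probe, expect) {
  const failures = [];
  if (probe.status !== expect.status) {
    const kind = probe.status >= 500 ? 'server error (5XX)'
      : probe.status >= 400 ? 'client error (4XX)' : 'unexpected status';
    failures.push(`${kind}: got ${probe.status}, expected ${expect.status}`);
  } else if (probe.body.trim() === '') {
    // Right status code, but nothing in the body.
    failures.push('empty body');
  } else if (!probe.body.includes(expect.bodyIncludes)) {
    // Right status code, wrong content.
    failures.push(`body does not contain "${expect.bodyIncludes}"`);
  }
  if (probe.ms > expect.maxMs) {
    failures.push(`slow: ${probe.ms}ms > ${expect.maxMs}ms`);
  }
  return failures;
}

// Walk the probes in order and raise one alert per failure streak,
// once the streak reaches `alertAfter` consecutive failed probes.
function evaluateMonitor(probes, expect, alertAfter = 2) {
  const report = { failed: [], alerts: [] };
  let streak = 0;
  for (const probe of probes) {
    const failures = checkProbe(probe, expect);
    if (failures.length === 0) {
      streak = 0;
      continue;
    }
    streak += 1;
    report.failed.push({ at: probe.at, failures });
    if (streak === alertAfter) report.alerts.push(probe.at);
  }
  return report;
}

console.log(JSON.stringify(evaluateMonitor(sampleProbes, expectations), null, 2));
```

Two of the four failing probes returned status 200, so a monitor that only tracked status codes would have missed them.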

Requests per Minute

Requests per minute record all the requests that are sent from the client to the server within the time frame. Other related metrics include the requests per second and queries per second.

Based on these metrics, you can understand how consumers are using the API and make decisions like scaling up your services or throttling your services.

Other metrics that can be measured include CPU/memory usage, uptime, latency, etc. from the infrastructure side of things or API usage growth, number of requests per consumer, etc. from the business side to evaluate and help grow the business.

Tools to Monitor API Performance

If you are new to API monitoring, you might want to start with an API monitoring tool that does the grunt work for you, leaving you with plenty of time to focus on growing your business. In this section, we will discuss how to choose the right tool for monitoring your APIs and share a few examples.

Things to Consider When Choosing an API Monitor

Choosing the right tool to monitor your API performance is vital for you as a developer and for your business at large. The following are some of the things you should consider when choosing an API monitoring tool:

  • Test locations: The API tool should have test locations where the consumers of your APIs are located or give you the ability to select a test location close to where your consumers are. This gives you a truer picture of what is going on on your customer's end.
  • Customization: Customization or configuration options must be provided by the tool while setting up checks or monitors. These configurations could include test device configuration, how long to run the checks, response headers, response content, etc.
  • Response data inspections: Another good feature is the ability to inspect data. This is particularly useful if your testing involves verifying the content of the data.
  • SSL certificates: Security checks are another feature you should look out for in the tool you select. For example, can the tool check for certificate validity, DNS information, etc.?
  • Alerts and notifications: The tool should allow you to set up alerts or notifications when an event happens, like downtime for a certain time or when response time spikes over several requests. Support for popular communication channels like Slack, email, SMS, etc. is also important.
  • Cost: Cost should also be considered when choosing the tool. Does the tool offer enough for the price that it asks? Does its pricing fit in your budget?

The examples discussed below have been examined based on the considerations listed above.

Examples of API Monitors

Here are a few tools that you can rely on to quickly get started with your API monitoring efforts.

Cronitor

An image of the Cronitor dashboard

Cronitor performs insights and uptime monitoring for cron jobs, websites, APIs, and more. It offers a web-based dashboard from which you can set up and configure monitors and checks for your websites and APIs. It also provides SDKs in JavaScript, Python, Ruby, etc. if you want to configure the monitors or perform cron jobs from your code.

Here is a sample to set up an uptime monitor in JavaScript:

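// 'apiKey123' is a placeholder; load the real key from configuration, not source code.
const cronitor = require('cronitor')('apiKey123');

// `await` must run inside an async function in a CommonJS module.
async function createUptimeMonitor() {
    // Create or update a check that requests the URL on the given schedule.
    const uptimeMonitor = await cronitor.Monitor.put({
        type: 'check',
        key: 'Cronitor Homepage',
        schedule: 'every 45 seconds',
        request: {
            url: 'https://cronitor.io'
        },
        // Conditions the response must meet.
        assertions: [
            'response.code = 200',
            'response.time < 600ms'
        ]
    });
    return uptimeMonitor;
}

createUptimeMonitor().catch(console.error);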

One of the biggest advantages of Cronitor is the simplicity in setting up different monitors and evaluating the results. It also offers a wide range of offerings such as health checks, heartbeats, job checks, status pages, and more.

AlertSite

An image of the AlertSite dashboard

AlertSite by SmartBear markets itself as the "Early Warning System" you can trust to monitor your websites, web apps, and APIs from all over the world and within your private networks.

AlertSite uses DejaClick, which enables you to record a process on your web browser and use it to generate a script that is then used to set up the monitors. It also exposes a RESTful API that can be used to manage monitors.

Here is a sample payload to add a monitor using the REST API:

curl -X POST "https://www.alertsite.com/alertsite-restapi/devices" \
  -H "Content-Type: application/json" \
  -d '{
  "billing_plancode": "UBM - A/A",
  "site_type": "website-ssl",
  "name": "Home Page",
  "url": "https://smartbear.com",
  "interval": 5,
  "script": "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n<con:soapui-project id=\"e0b0c87d-7b83-4689-945a-18c250254943\" ... </con:soapui-project>",
  "realm_password": "basic_auth_password",
  "realm_userid": "basic_auth_username",
  "smtp_hostname": "aspmx.l.google.com",
  "pop3_hostname": "pop3s://pop.gmail.com:995",
  "email": "roundtrip.test@gmail.com"
}'

One of the biggest advantages of the AlertSite monitoring tool is the presence of DejaClick, which helps quickly generate scripts that are later used to set up monitors. It is also popular for its strong end-to-end URL and frontend monitoring abilities. On the other hand, you don't get a very advanced user interface, and users report quite a few false positives.

Sauce Labs

An image of the Sauce Labs dashboard

Sauce Labs is an automated testing company, and its API monitoring tool is also worth considering. The current API monitoring tool is an integration of API Fortress, which is a platform for automated testing of APIs.

It allows you to generate tests from an imported Postman collection or using the HTTP client tab. The test can then be used to get the necessary metrics and perform operations like assertions, response content checks, etc. From the dashboard, you can view the result and set up alerts, webhooks, and other configurations depending on your business requirements.

The Sauce Labs tool is popular for its powerful collaboration features and the flexibility to test with a wide variety of browser versions. However, it can have longer test or check execution times than the other tools on this list and is also prone to downtimes.

Prometheus

Prometheus is a premier open source solution for performance monitoring and alerting. It stores the metrics it uses for analysis in a time-series format, and these metrics are collected from the target endpoints that are monitored.

Unlike other monitoring tools that have been discussed, Prometheus requires you as the user to set up the server for monitoring. Check out the official docs for more information. Upon setup and configuration using a YAML file like the one below, the metrics can be viewed in a browser using another open source tool known as Grafana.

global:
  scrape_interval:     15s
  evaluation_interval: 15s

rule_files:
  # - "first.rules"
  # - "second.rules"

scrape_configs:
  - job_name: prometheus
    static_configs:
      - targets: ['localhost:9090']

Here is an image of what a Grafana dashboard looks like.

An image of a Grafana dashboard showing various metrics for a monitoring platform

Then the Alertmanager, also an open source tool, can be used to set up notifications for email, Slack, etc. Moreover, Prometheus provides easy integration with a lot of third-party systems.

The biggest advantage of using Prometheus is the configuration and customization you have, from setting up the monitoring server to every other feature that you need. However, you will need to manage a lot of configuration and setup processes manually.

Checkly

An image of the Checkly dashboard

Checkly is another API monitoring platform with tools to set up monitors, alerts, view reports, etc. The process of setting up monitors is straightforward and gives you options to configure where test servers should be, alerts, request headers, assertions, etc. It also provides a dashboard through a custom URL, which you can configure according to your business needs. The dashboard can be embedded in iframes in your websites or applications.

Two of the biggest advantages of Checkly are how easy it is to set up and its ability to embed the dashboard into iframe components, which opens a whole new world of possibilities. However, Checkly offers a limited range of services, and if you were to set up infrastructure monitoring or real user monitoring in the future, you'd have to look for another monitoring platform.

Best Practices

Even if you have an API monitoring tool that fulfills all your needs, there are still some best practices you should follow when monitoring APIs.

Prioritize Important Endpoints

Of course, every API endpoint is important for you and your business as there is a reason it exists. However, some of these endpoints carry more weight than others. A good way to identify important endpoints is to check if they are part of a critical user journey, such as making a payment or filing a complaint.

For example, an endpoint to retrieve details about a product will be more important for an e-commerce app than endpoints that return comments about that product. Both are essential, but one is more important than the other. Thus, it is very important to identify endpoints like this and set up monitoring for these first. You could also prioritize those when setting up assertions and alerts.

Set Targets

For all the metrics that you monitor, it is important to tie them to SLOs or targets. SLOs are promises that companies make to their users or customers regarding specific metrics in their service offerings. These are organized together in SLAs, which define the overall quality of services your customers can expect from you. Meeting these targets is important to keep your endpoints optimized and ensure that they meet the business goals.

Tying metrics to SLOs will give them purpose and will provide you with benchmarks to keep in mind when planning optimization sprints for your product.

Monitor SSL Certificate and Expiration

Security on the internet is more vital than ever. Thus, whichever API monitor you choose should be able to verify the SSL certificates of the endpoints that are being monitored.

Secured websites provide businesses with more confidence that they will deter attackers. Setting up checks that tell you when your website's certificates are expired is a good first step to keeping your security up-to-date.
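
A certificate expiry check of the kind described above can be written with Node's built-in `tls` module; this is an added example, not code from the article or from any of the tools it lists. The sample certificates are constructed, and the 21-day warning window and function names are assumptions.

```javascript
const DAY_MS = 24 * 60 * 60 * 1000;

// Classify a certificate's validity window. `cert` carries the valid_from and
// valid_to strings that Node's socket.getPeerCertificate() returns.
function classifyCertificate(cert, now = new Date(), warnDays = 21) {
  const notBefore = new Date(cert.valid_from);
  const notAfter = new Date(cert.valid_to);
  if (Number.isNaN(notBefore.getTime()) || Number.isNaN(notAfter.getTime())) {
    return { state: 'unparseable', daysLeft: null };
  }
  const daysLeft = Math.floor((notAfter - now) / DAY_MS);
  if (now < notBefore) return { state: 'not-yet-valid', daysLeft };
  if (now > notAfter) return { state: 'expired', daysLeft };
  return { state: daysLeft < warnDays ? 'expiring-soon' : 'ok', daysLeft };
}

// Live lookup for a monitor. Verification is relaxed only so that an expired
// or untrusted certificate can still be read and reported; no application data
// is sent, and the trust result is returned alongside the certificate.
async function fetchCertificate(host, port = 443, timeoutMs = 5000) {
  const tls = await import('node:tls');
  return new Promise((resolve, reject) => {
    const options = { host, port, servername: host, rejectUnauthorized: false };
    const socket = tls.connect(options, () => {
      const result = {
        cert: socket.getPeerCertificate(),
        chainTrusted: socket.authorized,
        chainError: socket.authorizationError || null,
      };
      socket.end();
      resolve(result);
    });
    socket.setTimeout(timeoutMs, () => socket.destroy(new Error('TLS handshake timed out')));
    socket.on('error', reject);
  });
}

// Constructed certificates, evaluated at a fixed "now" so the output is stable.
const fixedNow = new Date('2023-03-17T00:00:00Z');
const sampleCerts = {
  healthy: { valid_from: 'Jan 1 00:00:00 2023 GMT', valid_to: 'Dec 31 23:59:59 2023 GMT' },
  expiring: { valid_from: 'Jan 1 00:00:00 2023 GMT', valid_to: 'Apr 1 00:00:00 2023 GMT' },
  expired: { valid_from: 'Jan 1 00:00:00 2022 GMT', valid_to: 'Mar 1 00:00:00 2023 GMT' },
  future: { valid_from: 'Apr 1 00:00:00 2023 GMT', valid_to: 'Apr 1 00:00:00 2024 GMT' },
};

for (const [name, cert] of Object.entries(sampleCerts)) {
  console.log(name, classifyCertificate(cert, fixedNow));
}
```

In a scheduled job, pass `(await fetchCertificate(host)).cert` to `classifyCertificate` and alert on any state other than `ok`, or when `chainTrusted` is false.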

Monitor Unauthorized Access or Protected Pages

It is not enough to test if access to a page is possible; you should also set up checks to know if pages that require authorization can be accessed by unauthorized users. This might indicate a breach in your security and lead you toward a timely fix.
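
One way to express that check, as an added example that is not from the article: request each of your own protected routes without credentials and judge the response. The route definitions, the `loginPath` and `mustNotContain` fields, and the sample responses are all constructed assumptions.

```javascript
// Judge the response a protected route gave to a request sent WITHOUT credentials.
// Verdicts: 'pass' (access denied), 'fail' (protected content reachable),
// 'review' (inconclusive, needs a human look).
function judgeUnauthenticated(route, res) {
  if (res.status === 401 || res.status === 403) {
    return { verdict: 'pass', reason: 'access denied' };
  }
  if (res.status >= 300 && res.status < 400) {
    let target;
    try {
      target = new URL(res.location || '', route.url);
    } catch {
      return { verdict: 'review', reason: 'redirect with unusable Location header' };
    }
    const sameOrigin = target.origin === new URL(route.url).origin;
    return sameOrigin && target.pathname === route.loginPath
      ? { verdict: 'pass', reason: 'redirected to login' }
      : { verdict: 'fail', reason: `redirected to ${target.origin}${target.pathname}` };
  }
  if (res.status >= 200 && res.status < 300) {
    // Markers are strings that only an authenticated response should contain.
    const leaked = (route.mustNotContain || []).filter((m) => res.body.includes(m));
    return leaked.length > 0
      ? { verdict: 'fail', reason: `protected content served: ${leaked.join(', ')}` }
      : { verdict: 'review', reason: 'served 2XX without credentials' };
  }
  return { verdict: 'review', reason: `unexpected status ${res.status}` };
}

// Live probe for a scheduled job (Node 18+ global fetch). No cookie or
// Authorization header is attached, and redirects are not followed.
async function probeWithoutCredentials(route) {
  const r = await fetch(route.url, { redirect: 'manual' });
  return judgeUnauthenticated(route, {
    status: r.status,
    location: r.headers.get('location'),
    body: await r.text(),
  });
}

// Constructed route and responses for an offline run.
const accountRoute = {
  url: 'https://app.example.test/api/account',
  loginPath: '/login',
  mustNotContain: ['"email"'],
};
const sampleResponses = [
  { status: 401, location: null, body: '' },
  { status: 302, location: '/login?next=%2Fapi%2Faccount', body: '' },
  { status: 302, location: 'https://other.example.test/login', body: '' },
  { status: 200, location: null, body: '{"email":"user@example.test"}' },
  { status: 200, location: null, body: '<html>Sign in</html>' },
  { status: 500, location: null, body: 'error' },
];

for (const res of sampleResponses) {
  console.log(res.status, judgeUnauthenticated(accountRoute, res));
}
```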

Do Not Forget Alerts

Setting up alerts and notification systems when creating checks or monitors is a very important task because without them, you will never be able to respond to incidents in time. This is why you should choose a monitoring tool that can send alerts about issues via the communication medium of your choice.

Set Up Status Pages

While knowing when something's wrong with your web app or APIs is crucial, it is also helpful to provide your users with a way of checking the status of your services by themselves. Status pages are used for this purpose, and with a tool like Cronitor, you can create a status page for your API very easily.

Creating a status page in Cronitor

You can add some of your preexisting monitors or checks to share with your customers, such as the response-time monitor that we saw earlier.

Cronitor's status page

Status pages promote transparency with your users and help develop trust.

Conclusion

This article introduced API monitoring, explained how it contrasts with other types of monitoring, and highlighted some tools with API monitoring capabilities. Monitoring APIs is important for both the developer and business as it helps to fix issues as they arise and ensure reliability for your users.

Cronitor is one of the more practical and user-friendly API monitoring tools discussed in this article. Cronitor allows you to set up checks using servers that are close to where your target audience is. The various metrics like response time, uptime, etc. can be visualized on the dashboard. The platform provides capabilities like incidents (to set up alerts), logs, etc. Check out the official docs to learn about how you can set it up for your next project.
