API Knowledge Base
Deep dive into our technologies and features.
Detailed guides to using APImetrics to solve critical business problems.

So why API Monitoring? after all, you’ve coded your service, API, app or whatever and why do we need API monitoring for dummies? It’s up and running. Customers are calling at your door. Life should be easy!

But it isn’t. The server goes out. People are getting hung up when they try to send you information. There are huge lag times. Your potential customers get frustrated and go somewhere else.

More likely than not, what’s happening is that there is a problem with the APIs you are running. If you could solve the problem, you would be retaining customers – rather than having the problem sending them to your competition.

This is where monitoring comes in. Dedicated API monitoring helps you check how your internal and third-party APIs are running. If there is a problem with a given API, it tells you what it is. This allows your team to quickly fix it.

In fact, with proper API monitoring, you should know about the problem way before it impacts your customers at all. So they won’t even notice it.

Doing API Monitoring Right

The best practices for API monitoring are going to vary by industry and can run into some problems internally – like, for example, what do you do if the internal risk teams don’t want you to monitor? (We’ll come back to that in another article…)

However, there are some key principles we go by that we want to share here with some tips on doing it right, even if you don’t use APImetrics.

Monitor 24/7

Services go down when you’re not looking, so having heartbeat monitoring is essential – 24/7 365 days a year, have all of your API endpoints exercised by an external call. It doesn’t have to be high frequency, in fact we suggest to customers that anything from 5-10 times an hour for functional testing and maybe only once per hour for security and OAuth monitoring is enough. But they key thing is this – it needs to be a real call from somewhere outside your stack.

External NOT Internal

It really doesn’t matter if your gateway is up, or your backend is running if an actual person calling the API is getting some kind of error, or, worse, can’t even get to the API itself. So monitor externally, set up real API calls, using real security to real resources that run around the clock. Also the whole world isn’t on AWS, so stop using products that think it is.

Cover Everything

Do the little used things as well as the stuff that’s used all the time. You never know when a resource has been turned off without somebody realizing it and you only find out when a customer tries to do something essential for them that they only do once a week. An example from a customer – an expenses reporting API went down and they only realized when people filed their expenses on a Friday, of a holiday weekend.

HTTP Codes Are Not Magic

HTTP 200 All Ok… right? Well, not so much – the dirty secret of the API industry is this. HTTP codes lie. HTTP 200 especially so. Worse offenders are SOAP APIs pretending to be REST APIs where the error is buried in what looks like a pass. This can be tricky and we’ll have a whole article on this, spotting the situation can take some work but it’s well worth it – look our for changes in the size of content returned by the APIs as a first clue – if you usually get 500kb back and occasionally it’s only 100kb or even 2-3 bytes, then you’re possible getting an error or failure.

Did We Say That?

A MUCH overlooked part of API monitoring is what exactly it is you’re monitoring. As the story goes, you see somebody under a street light looking around, you offer help and they say they lost their car keys. You start looking and say where did they last see them, and they say over in the woods. When you stop and ask why they’re looking here, they say, “because the light is here…” – so, part of monitoring is monitoring the service you say you provide NOT what you know you deliver.

API Monitoring for Dummies Best Practice Top 10

We’d suggest the following are the absolute MINIMUM items to monitor on a regular basis AND have alerts set up to tell you when something goes wrong.

  1. Regular API monitoring heart beat checks from multiple locations
  2. Set up assertion/condition checks on the returned content to validate that what you get back is what you expected and trigger warnings and alerts on those accordingly
  3. Hit the production endpoints using the same security as your external users use
  4. Look at the statistical spread of latency results not just the averages – what are your q95 and q99 values?
  5. Have alerting set up for failures and issues
  6. Double check what 4XX errors are telling you – a 4XX error often is ignored as a problem elsewhere in the stack, but with APIs while it might mean you’ve got your security wrong, it could indicated that something outside your control has been shut down – there can be a world of difference in the API space between a 401 – unauthorized and a 404 Not Found
  7. Monitor that your API Security is doing what you think it is? Going back to 6, if you’re meant to return a 401 error if you hit the API with an invalid Scope or Token, do you?
  8. Don’t worry, too much, about one off events, look at trends and groups of issues
  9. SLOW isn’t always as bad as inconsistent – people can cope with slow, you can build it into your service – but if your service is inconsistent then that’s hard for you and end-users
  10. Look for odd geographical or cloud issues – if you’re on Azure but all your users are on AWS, don’t assume that Amazon and Microsoft are doing all the hard work for you on the networking side of things – look at those performance numbers and take steps to remedy what you see

API monitoring is often used as a check box exercise to be able to say you do it, or it’s done in a perfunctory way. It doesn’t have to be hard or as in depth as your test coverage but if you’re not monitoring the APIs you use or provide you are going to building up problems for your business and customers.

Here to help

Never forget, we’re here to help – we’ve been involved in API monitoring and performance measurement since before people realized it was a problem and we have the best tools available to deliver the data you didn’t even know you needed.

API Monitoring

See how APImetrics monitors the APIs you rely on and provides peace of mind.

API Performance

See what metrics you can identify with your APIs and learn how things work.

Ready To Start Monitoring?

Want to learn more? Check our our technical knowledge base, or our sector by sector data, or even our starters guide to the API economy. So sign up immediately, without a credit card and be running your first API call in minutes.

Take a Detailed Look

Download a detailed introduction to APImetrics and learn how we are bringing common standards to API monitoring with integrated monitoring, performance assurance and compliance analysis!

[fusion_builder_container hundred_percent=”no” equal_height_columns=”no” menu_anchor=”” hide_on_mobile=”small-visibility,medium-visibility,large-visibility” class=”” id=”” background_color=”” background_position=”center center” fade=”no” background_parallax=”none” parallax_speed=”0.3″ video_mp4=”” video_webm=”” video_ogv=”” video_url=”” video_aspect_ratio=”16:9″ video_loop=”yes” video_mute=”yes” overlay_color=”” video_preview_image=”” border_size=”” border_color=”” padding_top=”” padding_bottom=”” padding_left=”” padding_right=””][fusion_builder_column type=”1_1″ layout=”1_1″ background_color=”” border_size=”” border_color=”” spacing=”yes” padding_top=”” padding_right=”” padding_bottom=”” padding_left=”” margin_top=”0px” margin_bottom=”0px” class=”” id=”” hide_on_mobile=”small-visibility,medium-visibility,large-visibility” center_content=”no” last=”no” min_height=”” hover_type=”none” link=””][fusion_text]

API Monitoring: Getting The Measure Of It (But Not For The Sake Of Measurement)

In the context of API monitoring, your API management system might generate logs to help you learn about the behavior of your APIs. For instance, you might get an alert if a HTTP error is seen. That might tell you there are problems with the API, but only problems of certain kinds. If won’t tell you if there is a problem with what is being returned to the user.

This can be a big issue. Some systems will always return a HTTP 200 response code, even if there is a server error. (SOAP API are especially notorious for always returning 200s.) In this situation, a HTTP 500 response code (Internal Server Error) should return. But if you don’t configure the system properly, tit won’t happen. And in some instances, what seems like an error to the end user might not seem like an error on the server side.

(It can be tempting to wrap code in layers of exception handling, which might prevent a process crashing. But if you catch all the exceptions thrown, it might look as though as the server returned successfully because it has. It just hasn’t done what the user wanted it to.)

DevOps logs also won’t tell you the overall latency your end users are experiencing. If you want to understand what is happening to your end users – and your business – you have to measure what is actually happening to your end users. Otherwise you’re just guessing.

There are a couple of issues here. The first is that a business is a cybernetic organization. It takes in inputs from its environment, processes them in various ways, and produces outputs.

A cybernetic organization constantly changes as it responds to change in its environment and internal state. It evolves to realize its goals more effectively and efficiently. Of course, one of the things that can change about a business is its goals. It can even change how it changes its goals!

A business needs to know as much it can about its internal state and external environment. Or, rather, as much as it needs to know. Measuring things can be expensive and you don’t want to spend a lot of energy, effort and resources to measure things and process the collected information if it doesn’t tell you anything useful in improving the business.

But following Stafford Beer, we can do better than that pre-cybernetic Taylorist thinking.

If your APIs aren’t working properly, it’ll cost you in the long run if not the short. Now, DevOps might say the APIs are working fine from their perspective. Why even bother measuring something if it is only to show up problems we can’t fix?

But the silo approach really won’t do. People defending their own patches by measuring and managing against soft metrics is ultimately only going to end in tears. All cybernetic organizations – whether microbes, whirlpools, people, companies or galaxies – are involved in the Darwinistic struggle for life. It’s the job of the brain of the firm to see through the self-interest of the occupants of the silos.

Monitoring the performance and quality of your APIs is neither difficult nor expensive. As APImetrics has shown, it’s false economy not to understand your APIs and to rely on measuring what you can measure just because you can measure it. It’s vital to always think those steps further out.

Because if you don’t, your rivals are going to.

Photo courtesy of Neil Cummings

[fusion_button link=”/get-started/” title=”” target=”_self” alignment=”” modal=”” hide_on_mobile=”small-visibility,medium-visibility,large-visibility” class=”” id=”” color=”default” button_ button_ button_gradient_top_color_hover=”” button_gradient_bottom_color_hover=”” accent_color=”” accent_hover_color=”” type=”” bevel_color=”” border_width=”” size=”” stretch=”default” shape=”” icon=”” icon_position=”left” icon_divider=”no” ]Try Us Out[/fusion_button]

API monitoring from APImetrics lets you spot problems quickly before customers and users do. With an easy-to-use interface and direct integrations to major API tooling systems, now you can monitor all your critical APIs and API workflows, generate reporting, and get alerted when you need it.

1. Setup

Setup API flows easily and simply from a curl command or import them directly from Open API specs or Postman.

2. Monitor

Monitor regularly from over 80 different cloud locations at customized intervals.

3. Report

Add alerts, reports and share data to other users or stakeholders instantly and with total security.

Cross Cloud from 80+ locations

Your customers aren't on one cloud. Why test from only one? Schedule APIs from any public AWS, Azure, Google or IBM location

Real-time alerts

Add and manage custom conditions for your APIs. Set alerts based on speed, size, content & more

Easy setup, simple import

Integrated API reporting, quality API metrics and SLA compliance. Customize and export quickly and easily

Setup API calls simply and quickly

Setting up API monitoring is as simple as entering a URL. The APImetrics user-friendly interface lets you make any type of HTTP call, and test it right there in the browser – or from 80+ locations around the world and the cloud.

You’ll get instant results, which means instant answers and instant solutions – before your customers even know something is wrong.

Create Functional Sequences

Set up functional sequences of API calls including variables. Configure alerts based on assertions and other metrics.

Monitor from 100+ Locations

Imagine being able to monitor from 100 different locations at AWS, Azure, IBM, and Google data centers. Add new locations using our containerized agents.

Integrated Reporting and Analytics

APImetrics provides a range of integrated reports including AI-based insights, SLO reporting, and latency reporting using our patented CASC scoring system.

Functional Security

Experience integrated security monitoring with in-product handling of OAuth including refresh tokens, FAPI and OpenID connect flows and more. Manage all aspects of API security natively from within the product without expanding your attack surface.
Webhooks

Alerting the way you want it

Error and performance change alerts via email or webhook. Integrated webhook setup for critical tools.

APImetrics API monitoring gives you the information you need – before you knew you needed it.
Don’t wait.

Get an alert BEFORE it breaks.

Real API Calls

Handle GET, PUT, POST, DELETE and more – any type of HTTP request – in our similar call manager.

Validate Responses

Set conditions. Override expected HTTP return codes for 200 failures. Set variables on a test or global basis.

Functional Security

Fully integrated security manager for API Keys & OAuth including JWT and JWS. Test scopes and token validity.

Ready To Start Monitoring?

Want to learn more? Check our our technical knowledge base, or our sector by sector data, or even our starters guide to the API economy. So sign up immediately, without a credit card and be running your first API call in minutes.