247Monitor

What is API monitoring? (and how to do it)

Your website has a homepage you can glance at. Your API doesn't — it only exists when something calls it. API monitoring is how you call it for them, around the clock, and check that the answer is not just present but correct. Here's what that means, and how to set it up.

The 247Monitor Team

We run the monitors so we write about them.

10 min read

API monitoring is the practice of automatically and repeatedly calling your APIs — exactly the way a real client would — to confirm they're reachable, fast, and returning the correct data, then alerting you the instant any of that stops being true. It is uptime monitoring with the volume turned up: not just did it answer, but did it answer correctly.

The short version

  • API monitoring calls your endpoints on a schedule and inspects the response — status, speed and the body — not merely whether the server replied.
  • A 200 OK proves the server is talking; it does not prove the payload is right. Good checks assert the shape and content of the data too.
  • Three numbers describe API health: availability, latency (p50/p95/p99) and error rate.
  • Monitor whole workflows — auth, then action, then read — not just single endpoints, and confirm failures from a second region before paging anyone.

What is API monitoring?

Definition

API monitoring is the continuous, automated testing of an API from the outside: a tool sends real requests to your endpoints on a fixed interval, checks that each response is correct — the right status code, an acceptable response time, and the expected data in the body — and raises an alert when a check fails.

An API (application programming interface) is how software talks to software. Your mobile app calls one to load a feed; your checkout calls one to take a payment; your back end calls a dozen third-party ones to send email, look up an address or charge a card. A website failing is visible — someone sees a broken page. An API failing is invisible until something downstream falls over, which is usually a customer's app, or yours.

API monitoring closes that blind spot. It behaves like a client that never sleeps: it makes the call, reads the answer, and decides whether the answer is healthy. Here's what a single check looks like once you pull it apart:

check · api.example.com · every 60s

Request

GET /v1/products/42

Authorization: Bearer ••••••••

Accept: application/json

Response · what we assert

  • Status code200 OK
  • Response time142 ms · budget 500 ms
  • Content-Typeapplication/json
  • Body · $.status“available”
  • Schema8 / 8 fields present
VERDICT: HEALTHY — every assertion passed. The endpoint is reachable, quick, and returning the exact shape of data a caller expects.
An API check is a request, plus a set of assertions about the response.

Why it's not just uptime monitoring

Classic uptime monitoring grew up watching web pages, where “is it loading?” gets you most of the way. APIs are a harder problem for three reasons, and each one is a thing that can break while the page-style check stays green:

  • There's nothing to look at. An API is machine-to-machine. You can't eyeball it, so the only way to know it works is to call it and read the JSON that comes back.
  • The contract matters as much as the code. Callers depend on the exact shape of the response — field names, types, nesting. A deploy that renames price to amount returns a perfect 200 and breaks every client.
  • Authentication is part of the test. Most useful endpoints sit behind a key or token. A monitor that can't authenticate only ever sees the public front door, never the rooms your customers actually use.

So API monitoring keeps everything uptime monitoring does — reachable, right status code, quick enough — and adds the checks that only make sense once you read the body. The product calls these HTTP & API checks: status codes, response-time tracking, and assertions on the response itself.

What API monitoring actually checks

A good API check layers several questions on top of one another. Each layer catches a failure the one above it would happily wave through:

  • Reachability — DNS resolves, the TLS handshake succeeds, and the connection opens at all.
  • Status code — a 200 or 201, not a 500, a 401 that means your key expired, or a 429 that means you're being rate-limited.
  • Response time — under a budget you set. For an API, slow is a failure mode in its own right; a caller that times out doesn't care that a reply was technically on its way.
  • Payload content — a keyword, value or field that proves the response is real. Did $.status come back “available”? Is the list non-empty?
  • Schema & contract — the expected fields are present, of the right type, and not silently null.
  • Authentication — the endpoint accepts your token and the certificate behind it is valid — see SSL monitoring for the quiet expiry that takes an API down at midnight.

The 200 OK trap

This is where naïve API monitoring falls over. HTTP has a polite habit of returning 200 OK even when the thing you asked for is wrong. A handled exception, a serializer that emits null instead of a number, an empty array where there should be results — all of it can ride inside a cheerful, fast, valid-looking response.

check · api.example.com/v1/products/42 · LDN

  • HTTP status200 OK
  • Response time186 ms
  • Valid JSONparsed OK
  • Field “price” (number)returned null
  • Field “inStock”missing from payload
VERDICT: DOWN — the API answered with 200 OK in good time, but the payload broke its contract. A status-code-only check would have called this healthy and sent no alert.
For an API, “up” means the body is right — not just that something came back.

The fix is to treat the body as part of the contract. Assert that a known field has a sane value, that a required key exists, that a collection isn't empty. The moment your check reads the payload instead of just the envelope, the “200 but broken” class of outage stops being invisible.

TipThe cheapest version of this is a keyword assertion: require a string that only appears in a genuinely healthy response. It's one field, it takes ten seconds to set up, and it catches a surprising share of real incidents.

The types of API monitoring

“API monitoring” is an umbrella over a few distinct jobs. Most teams end up doing several, pointed at different endpoints:

  • Availability monitoring — the baseline: is the endpoint up and returning the right status code? This is the one everyone starts with.
  • Functional / contract monitoring — does the response carry the correct data in the agreed shape? A continuous integration test, running in production.
  • Performance monitoring — is it fast enough, consistently, across regions? Latency that creeps is the usual warning sign before an outage.
  • Multi-step transaction monitoring — does a whole workflow succeed end to end, not just one call in isolation?
  • Third-party / integration monitoring — are the APIs you depend on healthy, so you know whose problem an incident is the instant it starts?

Monitoring multi-step workflows

Real clients rarely hit a single endpoint. They log in, then create something, then read it back. Any one call can be perfect while the sequence is broken — a token that won't mint, an order that saves but can't be fetched. A multi-step check walks the whole journey, carrying state from one request to the next:

journey · api.example.com · checkout

  1. 1

    POST /auth/login

    200 · capture access token

  2. 2

    POST /v1/orders

    201 · capture orderId

  3. 3

    GET /v1/orders/{orderId}

    200 · assert status = “created”

  4. 4

    DELETE /v1/orders/{orderId}

    204 · clean up test data

VERDICT: HEALTHY — the whole workflow ran end to end. The token from step 1 unlocked step 2, and the order it created was readable, then cleaned up.
Real users don't hit one endpoint — monitor the chain, not just a single call.

The pattern that makes this work is token capture: step one authenticates and grabs the access token; later steps reuse it. Where a flow is genuinely browser-shaped — a login form, a redirect dance — a real-browser journey drives it like a human instead. For pure JSON APIs, chained HTTP checks are lighter and faster.

The metrics that matter

Once checks are flowing, three numbers tell you almost everything about an API's health. The first is availability — the share of checks that passed over a window. It looks reassuring until you convert the percentage into real downtime, which is why people obsess over “nines”:

UptimeDown / yr/ month
99%
3d 15h7h 18m
99.9%
8h 46m43m 50s
99.95%
4h 23m21m 54s
99.99%
52m 36s4m 23s
99.999%
5m 15s26s
Each extra “nine” is an order of magnitude less downtime — and harder to reach.

The second is latency, and an average will lie to you. What you want are percentiles: p50 (the typical request), p95 and p99 (the slowest one in twenty, and one in a hundred). A healthy-looking average can hide a p99 that's timing out for your busiest customers. Watch the trend, not just the snapshot — latency almost always climbs before an API actually falls over:

response time · example.com · 24h

avg

168 ms

p95

402 ms

uptime

99.98%

00:0006:0012:0018:0024:00
Latency climbs before the failure — the early-warning signal to watch for.

The third is error rate — the proportion of responses that aren't healthy. A trickle of 500s or a sudden run of 429s is often the first sign of trouble, well before availability dips enough to notice. Together, the three answer “is it up, is it fast, and is it erroring?”

NoteTwo levers move availability: how often the API fails and how quickly you recover. Monitoring attacks the second directly — you can't fix fast what you find out about late.

How to monitor an API, step by step

The mechanics are the same whatever tool you use. This is the sequence that gets you from nothing to coverage you can actually trust.

  1. 1

    List the endpoints that matter

    Start with the ones a failure would hurt most: authentication, the read path your app hammers, the write path that takes money. Add the third-party APIs you depend on — you inherit their outages, so you may as well see them coming.

  2. 2

    Define what “healthy” means per endpoint

    For each one, decide the pass criteria: the expected status code, a response-time budget, and at least one assertion on the body. Reachable is not the same as working — write down what working looks like.

  3. 3

    Handle authentication the safe way

    Most useful endpoints need a key or token. Store it in the monitor and send it as a header or bearer token — ideally a dedicated, least-privilege monitoring key you can rotate or revoke without touching anything else. You can mint one from the dashboard; see the REST API docs.

  4. 4

    Assert the body, not just the status

    Add a keyword or value check so a 200 with the wrong payload still trips. It's the single highest-value setting for an API, and the one most monitors skip.

    check · api.example.com/v1/products/42 · LDN

    • HTTP status200 OK
    • Response time186 ms
    • Valid JSONparsed OK
    • Field “price” (number)returned null
    • Field “inStock”missing from payload
    VERDICT: DOWN — the API answered with 200 OK in good time, but the payload broke its contract. A status-code-only check would have called this healthy and sent no alert.
    For an API, “up” means the body is right — not just that something came back.
  5. 5

    Set a sensible interval — and respect rate limits

    One minute suits most endpoints; drop to 30 seconds for anything revenue-critical. Faster catches outages sooner but leans harder on rate limits and quotas — another reason to use a dedicated key. See how intervals map to plans on pricing.

  6. 6

    Check from multiple regions and confirm failures

    A single vantage point lies to you: a regional network blip makes a healthy API look down. Check from several regions and require a failure to be confirmed from a second location before it raises an incident.

  7. 7

    Route alerts and publish a status page

    Send incidents where your team already works — Slack, Teams, Discord, Telegram, email or SMS — and publish a status page so the developers building on your API hear it from you first.

Checking from everywhere — and killing false alarms

The single biggest cause of 3am alerts that turn out to be nothing is trusting one location. The internet between your monitor and your API has a bad minute; one region reports a failure; everyone gets paged for a problem that already healed. The defence is multi-location confirmation:

check · example.com · 5 regions

  • London200 OK · 142 ms
  • Frankfurt200 OK · 151 ms
  • New York503 · request failed
  • Singapore200 OK · 168 ms
  • São Paulo200 OK · 180 ms
VERDICT: HEALTHY — 4 of 5 regions returned 200 OK. The lone New York failure was re-checked from a second region, confirmed transient, and no alert was sent.
One failing region isn't an outage. Confirming from a second location is what kills false alarms.

When a check fails, a second region re-runs it before anything alerts. If the second region is fine, it was a transient blip and nobody gets woken. If both fail, it's real. 247Monitor runs probes from multiple regions around the world for exactly this reason.

The first to know your API is down should be you — not the developer who built their product on top of it.

The whole point of monitoring

How to start in five minutes

You don't need a project plan. The fastest path to real coverage:

  • Add an HTTP check on your most important endpoint and assert the status code you expect.
  • Add a keyword assertion on a field that only appears in a genuinely healthy response.
  • Set a response-time budget so “slow” counts as a failure, not just “down”.
  • Point one check at a third-party API you rely on, so you can tell your outages from theirs.
  • Connect one alert channel you actually watch, and send a test alert to prove it lands.
TipYou can do all five free. 247Monitor's free plan covers 25 monitors, one-minute checks from multiple regions and a public status page — no card required. New to the dashboard? The create-a-monitor guide walks through it, and the uptime how-to covers the website side of the same setup.

Frequently asked questions

What's the difference between API monitoring and uptime monitoring?

Uptime monitoring asks the narrow question “is it reachable and returning a healthy status code?”. API monitoring keeps that and adds the questions only an API has: did the response carry the right data, in the right shape, behind the right authentication, and fast enough? Every API monitor is an uptime monitor, but not every uptime monitor inspects the payload — and for an API, the payload is the whole point.

How often should I check an API?

Once a minute suits most endpoints. Revenue-critical paths like authentication, payments or a public API your customers build on justify every 30 seconds. The real limit is rate limiting and cost, not accuracy — use a dedicated monitoring key so your checks never eat into a customer's quota, and exclude that key from your own analytics.

Is API monitoring the same as API testing?

They overlap. Functional API monitoring is essentially a small integration test that runs continuously against production, rather than once in CI. Unit and integration tests prove your code was correct when you shipped it; monitoring proves the live system is still correct right now — including the parts you don't control, like a third-party dependency or an expired certificate.

Can I monitor a third-party API I depend on?

Yes, and you should. If your checkout calls a payments API or your app leans on a maps or email provider, you inherit their outages whether you watch them or not. Monitoring those endpoints tells you instantly whether a problem is yours or theirs — which is the first question you'll be asked when something breaks.

How do I monitor a private or authenticated API?

Store the credential securely in the monitor and send it as a header or bearer token, ideally using a dedicated, least-privilege monitoring key you can rotate or revoke on its own. For anything behind a login flow, use a multi-step check that signs in first, captures the token, and reuses it for the calls that follow.

Can I monitor APIs for free?

Yes. 247Monitor's free plan includes 25 monitors with one-minute checks from multiple regions, response-body keyword assertions, a public status page and every alert channel — no card required. That's enough to watch a typical API, its authentication endpoint and a couple of the third-party services it depends on.

The bottom line: API monitoring is uptime monitoring that reads the reply. Call the endpoints that matter the way a client would, assert the body and not just the status, confirm failures from more than one place, and route the alerts somewhere you'll see them. Do that and a broken contract becomes a 30-second notification instead of a customer's bug report. Start monitoring free →

No credit card · 25 monitors free · 2-minute setup

Start monitoring in minutes.

Free forever for 25 monitors and a server. Add your first check, pick your alert channels, and you're live before your coffee's cold.