How to Monitor a REST API: Response Codes, Latency, and Content Validation
Monitorion Team
Engineering Team
Your REST API returns 200 OK. The monitoring dashboard shows green. But the /users endpoint is returning an empty array because the database connection pool is exhausted. The /orders endpoint works but takes 12 seconds because a missing index is causing full table scans. The /auth/token endpoint returns 200 with {"error": "invalid_grant"} instead of an access token. Status code monitoring says everything is healthy. Your users say otherwise.
Why API Monitoring Is Different From Website Monitoring
Website monitoring checks whether a human-readable page loads correctly. API monitoring checks whether machine-to-machine communication is functioning. The stakes are often higher: APIs power mobile apps, third-party integrations, webhooks, and internal services. When an API breaks, the blast radius extends to every system that depends on it.
Level 1: Status Code Monitoring
The baseline for any API monitor is verifying the HTTP status code. Configure your monitor with the expected status code for each endpoint:
200 OK— for GET endpoints that return data201 Created— for POST endpoints that create resources204 No Content— for DELETE endpoints401 Unauthorized— for endpoints tested without credentials (validates that auth is enforced)
Level 2: Response Time Monitoring
A slow API is a broken API. If your mobile app expects a response in under 500ms and your API starts taking 3 seconds, the user experience degrades even though the API technically "works." Set response time thresholds based on your API's normal performance. Start with 2x your median response time as the alert threshold.
For a deeper understanding, examine the response time breakdown: DNS resolution, TCP connection, TLS handshake, and Time to First Byte (TTFB). When latency spikes, the breakdown tells you whether the problem is in the network, in TLS, or in your application.
Level 3: Response Body Validation
This is where API monitoring gets genuinely useful. Monitorion's JSON API monitor lets you define assertion rules on the response body using JSON path expressions:
- Assert
$.dataexists — ensures the response has a data field - Assert
$.data.lengthis greater than 0 — ensures the endpoint returns actual results - Assert
$.statusequals"active"— catches cases where the API returns 200 but with an error status - Assert
$.usersis an array — catches type changes that break deserialization
Combine multiple assertions on a single monitor. If any assertion fails, you get an alert with details about which assertion broke and what the actual value was.
Level 4: Authentication and Custom Headers
Most production APIs require authentication. Monitorion supports custom request headers on all HTTP and JSON API monitors:
Authorization: Bearer eyJhbGciOi...— for JWT-authenticated endpointsX-API-Key: your-api-key— for API key authenticationContent-Type: application/json— for endpoints that require specific content types
You can also configure the HTTP method (GET, POST, PUT, DELETE) and include a request body for POST/PUT checks.
Level 5: Multi-Step API Workflows
Some API interactions cannot be validated with a single request. An authentication flow requires a POST to get a token, then a GET using that token. Monitorion's multi-step monitor handles these by executing a sequence of requests with variable extraction between steps:
- Step 1:
POST /api/auth/loginwith credentials. Extract$.access_tokenfrom the response. - Step 2:
GET /api/users/mewith the extracted token in the Authorization header. Assert$.emailexists. - Step 3:
GET /api/users/me/settingswith the same token. Assert$.notificationsis an object.
If any step fails, the monitor reports exactly which step broke. This catches integration issues that individual endpoint monitors miss.
Putting It All Together
A well-monitored REST API uses all five levels. For a typical production API, start with this setup:
- Health check endpoint — a simple HTTP monitor on
/api/healthwith 1-minute intervals. - Critical endpoints — JSON API monitors on your 3-5 most important endpoints with response body assertions.
- Authentication flow — a multi-step monitor that validates the full login flow every 5 minutes.
- Performance baselines — response time thresholds on all monitored endpoints.
When something breaks, you know about it in minutes — and you know exactly what broke. Start monitoring your API for free with Monitorion.
Enjoyed this post?
Get monitoring tips and product updates delivered to your inbox.