apiresttutorial

How to Monitor a REST API: Response Codes, Latency, and Content Validation

MT

Monitorion Team

Engineering Team

||8 min read
Share:

Your REST API returns 200 OK. The monitoring dashboard shows green. But the /users endpoint is returning an empty array because the database connection pool is exhausted. The /orders endpoint works but takes 12 seconds because a missing index is causing full table scans. The /auth/token endpoint returns 200 with {"error": "invalid_grant"} instead of an access token. Status code monitoring says everything is healthy. Your users say otherwise.

Why API Monitoring Is Different From Website Monitoring

Website monitoring checks whether a human-readable page loads correctly. API monitoring checks whether machine-to-machine communication is functioning. The stakes are often higher: APIs power mobile apps, third-party integrations, webhooks, and internal services. When an API breaks, the blast radius extends to every system that depends on it.

Level 1: Status Code Monitoring

The baseline for any API monitor is verifying the HTTP status code. Configure your monitor with the expected status code for each endpoint:

  • 200 OK — for GET endpoints that return data
  • 201 Created — for POST endpoints that create resources
  • 204 No Content — for DELETE endpoints
  • 401 Unauthorized — for endpoints tested without credentials (validates that auth is enforced)

Level 2: Response Time Monitoring

A slow API is a broken API. If your mobile app expects a response in under 500ms and your API starts taking 3 seconds, the user experience degrades even though the API technically "works." Set response time thresholds based on your API's normal performance. Start with 2x your median response time as the alert threshold.

For a deeper understanding, examine the response time breakdown: DNS resolution, TCP connection, TLS handshake, and Time to First Byte (TTFB). When latency spikes, the breakdown tells you whether the problem is in the network, in TLS, or in your application.

Level 3: Response Body Validation

This is where API monitoring gets genuinely useful. Monitorion's JSON API monitor lets you define assertion rules on the response body using JSON path expressions:

  • Assert $.data exists — ensures the response has a data field
  • Assert $.data.length is greater than 0 — ensures the endpoint returns actual results
  • Assert $.status equals "active" — catches cases where the API returns 200 but with an error status
  • Assert $.users is an array — catches type changes that break deserialization

Combine multiple assertions on a single monitor. If any assertion fails, you get an alert with details about which assertion broke and what the actual value was.

Level 4: Authentication and Custom Headers

Most production APIs require authentication. Monitorion supports custom request headers on all HTTP and JSON API monitors:

  • Authorization: Bearer eyJhbGciOi... — for JWT-authenticated endpoints
  • X-API-Key: your-api-key — for API key authentication
  • Content-Type: application/json — for endpoints that require specific content types

You can also configure the HTTP method (GET, POST, PUT, DELETE) and include a request body for POST/PUT checks.

Level 5: Multi-Step API Workflows

Some API interactions cannot be validated with a single request. An authentication flow requires a POST to get a token, then a GET using that token. Monitorion's multi-step monitor handles these by executing a sequence of requests with variable extraction between steps:

  1. Step 1: POST /api/auth/login with credentials. Extract $.access_token from the response.
  2. Step 2: GET /api/users/me with the extracted token in the Authorization header. Assert $.email exists.
  3. Step 3: GET /api/users/me/settings with the same token. Assert $.notifications is an object.

If any step fails, the monitor reports exactly which step broke. This catches integration issues that individual endpoint monitors miss.

Putting It All Together

A well-monitored REST API uses all five levels. For a typical production API, start with this setup:

  • Health check endpoint — a simple HTTP monitor on /api/health with 1-minute intervals.
  • Critical endpoints — JSON API monitors on your 3-5 most important endpoints with response body assertions.
  • Authentication flow — a multi-step monitor that validates the full login flow every 5 minutes.
  • Performance baselines — response time thresholds on all monitored endpoints.

When something breaks, you know about it in minutes — and you know exactly what broke. Start monitoring your API for free with Monitorion.

Share:

Enjoyed this post?

Get monitoring tips and product updates delivered to your inbox.


Related Posts