Back to the list

Comprehensive Guide to API Monitoring: Ensure High-Performance and Reliability

APIs have emerged as the unsung heroes, seamlessly connecting diverse systems and enabling the exchange of data across applications. As businesses increasingly rely on microservices, single-page web apps, and native mobile apps, APIs play a pivotal role in ensuring smooth operations and delivering exceptional user experiences. 


This comprehensive guide delves into the world of API monitoring, a critical aspect of maintaining high-performance and reliable systems. We'll explore the fundamentals of APIs, the importance of monitoring their performance, and the essential features to consider when implementing robust monitoring solutions.


Understanding APIs


An API is a set of well-defined protocols, routines, and tools that enables software applications to communicate and interact with each other. Designed to streamline the integration process, APIs provide developers with the necessary guidelines to access web-based software applications or services, specifying available functionality, methods of access, and formats for input and output data. In the modern IT landscape, APIs are foundational, enabling the seamless exchange of data between disparate systems and driving the development of new applications and business models. By leveraging open APIs, organizations can build robust, scalable solutions that facilitate interoperability and innovation.

Consider an API as analogous to a waiter in a restaurant. You place an order (request) with specific instructions, and the waiter (API) retrieves your meal (data) from the kitchen (database) and delivers it to your table (application).


APIs can be categorized into two main types: 


  • Private APIs: Utilized within an internal organization, these APIs enhance operational agility and flexibility by allowing different departments and systems to communicate effectively. 
  • Public APIs: These are exposed to external developers and business partners, enabling integration with third-party applications, fostering new collaborations, and expanding the functionality and reach of the primary service.


Understanding and effectively utilizing APIs is crucial to drive efficiency, innovation, and collaboration within and across organizations.


APIs in Action 


Consider a real-world example from The Weather Company, a leader in collecting and providing weather data. The company gathers weather information from millions of endpoints and sources worldwide, storing this data and making it accessible to consumer-facing applications through hundreds of different APIs. Imagine a widget on your home screen or desktop that displays current temperature and weather conditions based on your location. Your device may not have built-in sensors or technology to detect or predict weather patterns, but it can send your location information to an API and receive accurate data, such as temperature and forecasts, based on your coordinates. Even when you're not directly on The Weather Company's website or using their native mobile applications, you may still be interacting with data from their APIs, responding to simple requests.


Why Monitor 


APIsWhen APIs fail or experience performance issues, the impact on your business can be significant. End users and customers may not recognize that a third-party service is the root cause, and depending on the criticality of the API in the transaction process, this failure could directly affect your bottom line. For instance, if a key component of your website's checkout process relies on a third-party location-based search API, and that API fails to perform correctly, your potential customers may be unable to complete their purchases successfully.

Similarly, if you've developed an application that requires authentication from a social media platform, and the platform's API goes down, your users might not be able to log into your system.While the benefits of relying on third-party services may outweigh the risks, it's crucial to monitor the parts of your user flow that depend on APIs to assess the risk and understand the impact on performance over time.If you've made an API available to partners or developers, you have a responsibility to ensure its availability and proper functioning.

Conversely, if you've developed an internal API to pass order data from a mobile device to a warehouse system, and the data needs to be transferred within two minutes to avoid production delays, active monitoring in the production environment is essential. Pre-production tests may have shown that the API consistently passed data within one minute, but real-world requests in production could reveal response times creeping closer to the two-minute threshold, potentially causing disruptions if left unmonitored.


When monitoring both internal and external APIs, it's essential to test:

  • Availability: Is the API endpoint up and running? Is it returning errors? 
  • Response time: How quickly is the API returning responses? Is the response time degrading over time? Is the production response time worse than in pre-production? 
  • Data validation: Is the API returning correct data in the expected format? 
  • Multi-step processes: Can variables be saved and reused successfully? Does authentication work as expected? Can transactions be completed with data from this API? 
  • Backend performance: Is there any latency or slowness in backend services when communicating with APIs? Have alerts been set up for poor performance?


These are just the fundamental concepts to consider when monitoring API performance. In the following sections, we'll explore how to technically implement monitoring and the essential features to build robust, flexible performance tests.


x

How to Monitor APIs 


While monitoring an API's availability with basic uptime or ping-type checks can be relatively straightforward if you have access to an external, proactive monitoring system, comprehensive API testing often requires more advanced configurations.

Request Headers


Depending on how a site or application works, request headers may be a critical part of the requirements for an active monitoring test's configuration to effectively simulate a transaction. For example, if you need to actively test the checkout process when a visitor has a specific cookie, you'll need a way to set that cookie with a Request Header when building the test. Request headers are fields passed along in the header sections of HTTP requests, defining rules and settings for how an HTTP transaction should operate. Some common examples include:

  • Authorization: Sends credentials for basic HTTP authentication to grant access. 
  • Cache-Control: Tells the browser how long a resource is eligible to be cached and reused. 
  • Content-Type: Informs the server of the MIME type of the request body, allowing proper parsing of data.
  • Cookie: Sets a cookie to be stored in the browser for tracking state or sessions.


Developers may also implement custom request headers with custom names, often prefixed with "X," like "X-Http-Method-Override," which could override the request method from something like POST to PUT or DELETE. In Splunk's API Check, you can set request headers with each request step as part of a transaction, enabling you to test scenarios like logging in by POSTing a username and password, extracting and saving a session ID, and then making another request with the session ID in the request headers.


Handling Authentication


As APIs become more secure, proactive monitoring systems must adapt to allow external access to secure systems. Let's explore some common authentication methods and how to handle them when monitoring APIs.

Direct Authentication


  • HTTP Basic Authentication: This standard HTTP method involves sending a base64-encoded username and password as part of the request to the API endpoint. While easy to implement, it offers no advanced options and can be easily decoded, so using SSL/TLS (https://) is essential to protect credentials.
  • API Keys or Tokens: These are long strings of hexadecimal digits (e.g., 34d83d84f28d146aeae0e32f7803c88d) sent instead of a username or password to authenticate access to an API endpoint. They provide an abstraction layer, allowing multiple end users to share a single key.


Ticket-based Authentication

This method relies on central authentication servers that act as intermediaries, accepting credentials from end users and sending back tickets, tokens, or keys that allow access to specific secured data. Examples include OAuth, Kerberos, single sign-on, and web forms. While implementation methods vary, most ticket-based systems follow a similar structure: first, make a request for a ticket or token, then use that ticket or token to access secured data or endpoints.

Tickets in ticket-based authentication systems are similar to API keys but are ephemeral and can be easily revoked, providing an extra layer of security. To effectively monitor an API that uses ticket-based authentication, your monitoring system must be able to complete multiple steps, save the ticket or token in a variable, and reuse it in future steps. Regardless of the authentication method used, it's crucial to implement appropriate security measures for your API and ensure that your external monitoring systems have the necessary permissions to monitor performance and reliability accurately.

Monitoring and Validating Data

When monitoring websites in a browser, we want to go beyond checking the response code and confirm that content or images load correctly on the page. Similarly, when monitoring API endpoints, we need to ensure that the correct data is returned in the expected format, not just a successful response code.

Using basic Extract and Assert options, we can validate that an API returns data in the correct format. For example, with Splunk Optimization's open API, we can create an external, synthetic test to hit the check endpoint at a set frequency from multiple locations and confirm that:

  1. The response code is 200 OK. 
  2. The check ID included in the JSON output matches the URL endpoint being hit.

By extracting the check ID from the JSON using a JSON path and asserting that it matches the expected value, we can test for availability, data format, and data quality. If the data format is incorrect or the ID value is missing or incorrect, the test will fail, enabling us to troubleshoot promptly.


Write Performance Tests to Assume Failure


When writing performance tests, a recommended strategy is to write tests in a way that assumes the system will not receive data from an API call. This approach helps ensure that critical errors are not missed, as external API calls often go unnoticed within the context of an application when coded with local calls.By designing tests to alert when no data is present, you can ensure that your code remains resilient and continues to function even when it receives an error message, mangled data, or no response at all.