An API can return a 200 OK and still be completely broken. A search endpoint returns an empty results array because the indexer crashed. A payments endpoint returns {"status":"ok"} because the success field is hardcoded for compatibility. A login endpoint takes 14 seconds to respond, which technically counts as working, until you remember your mobile clients time out at 10. API monitoring is what separates "the server responded" from "the API actually worked".
If you've never set up monitoring at all, start with the complete guide to uptime monitoring. This post is for the next step: making sure the APIs your sites and apps depend on are healthy at the contract level, not just the connection level.
What API Monitoring Actually Means
API monitoring is the continuous, external verification that an API endpoint returns the right status code, the right payload, and does it fast enough to be useful. Three words matter. Continuous means scheduled, not on-demand. External means hitting the endpoint over the public internet from outside your own network. Verification means checking the response body, not just the response code.
Plenty of internal observability tools, APM, traces, logs, will tell you what's happening inside your service. None of them tell you whether the API works the way a client expects from the outside. That's the gap external API monitoring fills.
The Four Things to Check on Every Endpoint
A solid API monitor combines four assertions. Skip any one and you'll miss real failures.
- Status code: assert a specific code, not "anything 2xx". A
204 No Contentfrom an endpoint that should return200 OKis a contract break, even though both are "successful". - Response time: assert a maximum, and choose it deliberately. Mobile clients usually fail at 10 seconds. Server-to-server callers often timeout at 30. Pick the lower bound and alert when you cross it.
- JSON shape assertion: for JSON APIs, assert that a specific path exists and has the expected type.
data.itemsshould be an array.user.idshould be a number. A schema break is one of the most common production regressions and a status check will not catch it. - Keyword check: for endpoints that return strings, error messages, or partial JSON you can't fully model, assert that an expected substring is present (or that an error string is absent).
Sentinel supports both keyword and JSON assertions on every check, and they're mutually exclusive per monitor so you commit to one contract per endpoint.
Monitoring Authenticated Endpoints
The interesting parts of most APIs sit behind authentication. A bearer token or API key in a header is enough for most monitoring setups, just make sure the credentials you use are:
- Scoped narrowly: a read-only token that can only hit the monitored endpoints. Not your production admin key.
- Rotated on a schedule: if a monitoring secret leaks, you want it to expire on its own. Quarterly rotation is a reasonable default.
- Documented somewhere: when the token rotates and the monitor stops working, the next engineer should be able to find which token, in which vault, with one search.
If your auth flow requires a fresh token per request (OAuth client-credentials, for example), you need a monitor that can run a token request first and then use the result in the actual check. That's a multi-step flow, which leads to the next section.
When You Need Multi-Step Flows
A single endpoint check is enough for most APIs. But some failure modes only show up across multiple calls:
- Login → fetch → write: does the full authenticated workflow still work end to end?
- Create → poll → confirm: does an async job finish in a reasonable time?
- Search → detail: does the detail endpoint actually accept the IDs the search endpoint returns?
These are the API equivalent of synthetic browser flows. Use them sparingly, on the two or three workflows that actually drive revenue. Every step adds latency, complexity, and another thing that can break the monitor itself.
Choosing Intervals and Timeouts for APIs
APIs have different latency budgets than web pages, so the intervals you'd pick for a marketing site are usually wrong for an API:
- 30 seconds: payment APIs, auth endpoints, anything in the synchronous critical path of a user action.
- 1 minute: standard production REST and GraphQL endpoints. The right default.
- 5 minutes: internal analytics endpoints, batch reporting, webhooks consumed asynchronously.
For timeouts, the rule of thumb is: assert at half your hardest client timeout. If your mobile app gives up at 10 seconds, alert at 5. You want a warning before users start seeing failures, not after.
Alerting Without Crying Wolf
API monitors generate the worst alert fatigue of any check type, because APIs are noisier than web pages, third-party providers blip, rate limits kick in, deploys roll. Three rules keep the noise down:
Require consensus. A single failed check is not an outage. Wait for two or three consecutive failures, ideally from more than one region, before paging anyone.
Match severity to endpoint. Payment and auth failures go to phone/SMS. Reporting and analytics endpoints go to Slack or email. The same alert system can route to both, use it.
Distinguish slow from down. A response-time SLO miss should be a different alert (and a different channel) than a hard failure. Slow trends to a meeting; down trends to a pager.
For more on getting alerts right, see the incident management guide.
Common Mistakes
- Only monitoring the gateway. A healthy
/healthendpoint tells you the load balancer is up. It does not tell you whether the search endpoint behind it returns results. Monitor the endpoints that matter to clients, not the ones that are easy to keep green. - Ignoring p95 response time. Averages hide bad outliers. A 200ms average with a 12-second p95 is a bad day for 5% of your users, and an outage for any of them on a slow network.
- Hardcoding test data that expires. A monitor that searches for "test-user-2024" works until the test user is purged. Use IDs that are stable for the lifetime of the monitor, and document where they come from.
- No auth rotation plan. Tokens leak through laptops, screenshots, logs. If you can't rotate the monitoring credential in five minutes, plan to rotate it now.
Getting Started
Sentinel supports HTTP, JSON and keyword assertions on every check, multi-region consensus alerting, and per-monitor timeout and interval controls, everything in this post, configured in the same dashboard as your website checks. Start free with 10 monitors and add API checks alongside your existing site monitors.