Written by Elina Kettunen (UH)
API monitoring is often understood as monitoring the availability, performance, and functional correctness of an API. That is, API monitoring means technical monitoring of the API behavior during runtime and it covers different measures, such as monitoring how many times an API is called per hour, how fast are the response times, and what is the API resource consumption. API monitoring is a part of API management and, in addition to the basic API monitoring, it is common to add security features, such as audit logs, that aim to answer questions like “who, what, where and when”.
The goals of web API monitoring can vary depending on the nature of the API. For example, simple, free, information providing APIs mainly wish to keep a record on how many times a single API client contacts the API per hour, as there are limits on how many calls are allowed. Other, more safety critical APIs need a far more comprehensive API monitoring scheme with several different monitoring metrics, monitored resources, alerting policies, and audit logs.
API uptime monitoring is considered one of the most important monitoring metrics. As the costs of API downtime can be substantial, being able to quickly get notifications on an API being unavailable can be vital for API providers [1, 2]. Also, an API failure can be more catastrophic than an application failure, because a broken API affects potentially multiple applications and users that depend on the API. Thus, there is a need for performance data collection besides usage statistics and API monitors should mimic expected usage scenarios . API monitoring can also cover data validation (i.e. checking if the data the API sends or receives is valid) and Service-Level Agreement (SLA) satisfaction .
According to Broadcom’s API monitoring guide, typical DevOps tools, like application performance monitoring tools, may not be able to detect why the API is having a performance issue, and this requires specific API monitoring tools. It is important also to monitor third-party APIs so that issues will be quickly identified and reported to the API producers .
Often a distinction is made between synthetic and Real-User API monitoring. Synthetic monitoring includes, for example, uptime and performance monitoring, and the API behaviour is analysed by using emulations or simulations for the application environment, scripted tests, API mocks, and service virtualization. Real-User API monitoring covers topics like user experience and transaction performance, and the aim is to use actual users to test the application in real-world environments. This may not be always feasible, but it is especially important for mission-critical APIs .
From a security perspective, monitoring an API can be used to detect anomalies in user behaviour. If a user starts, for example, accessing certain API operations in a pattern that differs from the usual patterns, it may indicate a potential security issue. If the monitoring system detects such behaviour, it can send an alert to the IT security team .
There are several different tools that focus on API monitoring and also tools that provide the whole system for API management. Tech marketplace G2 has a comprehensive list of available API management tools , and in their list of the 20 highest rated API management solutions, Postman is at the top. There are also several lists of tools focused on API monitoring available, see e.g. the lists by Comparitech  and Nordic APIs .
As cloud services are nowadays widely used, service providers like Google Cloud, Amazon Web Services (AWS) and Azure provide many tools for web API monitoring and logging. Often some metrics are free and some available for an extra charge. The cloud service user can pick from a list of available API monitoring metrics those that are the most important for their application. For example, with Azure, the most frequently used metrics are capacity (based on gateway resources like CPU and memory consumption) and requests (number of gateway requests) . In addition to basic API monitoring, the cloud services also provide components for security monitoring and, for example, API access control. As cloud services operate on a pay by usage principle, for example Google Cloud billing alerts can be used to enhance security by monitoring Cloud usage and sending alerts if unexpected consumption is detected .
Nowadays, APIs are increasingly important for many different types of businesses, and the need for API management and monitoring is growing. With a good API monitoring system and security components, an API provider can monitor API performance and uptime, gain valuable information on the API usage patterns, and detect anomalous calls to the API. There are many tools and solutions available for API monitoring and management, and it seems that more challenging than API monitoring itself is deciding how comprehensive the monitoring should be and understanding the collected data, whether it is about API usage or the content of API calls.
 Thielens, J. 2013, “Why APIs are central to a BYOD security strategy”, Network Security, vol. 2013, no. 8, pp. 5-6.
 Google Cloud security foundations guide 2020, Google white papers, available at https://cloud.google.com/security/best-practices