Insights from the recent API Monitoring LiveCast
API owners know all too well the ugly reality of outages, the disconnect between API documentation and production endpoints, and the struggle to keep high uptime for their services. To keep these platforms maintained, the need for better monitoring and testing is a shared concern across the industry.
So, how should providers go about monitoring their APIs? We recently featured experts Patrick Poulin, CEO of API Fortress, and Derric Gilling, CEO of Moesif, in an hourlong LiveCast focusing on API monitoring. Below, we condense some key points on how to set up API monitoring for various environments, what exactly API owners should be tracking, and other API monitoring best practices.
1. Go Beyond Uptime with Functional Uptime
According to Patrick Poulin, of API Fortress, most API monitoring solutions are fundamentally flawed. He sees a stark difference in solutions that address uptime compared to systems that track functional uptime. Simple ping tests don’t dive deep enough to correctly meet Service Level Agreements (SLAs). Instead, Patrick believes more comprehensive functional (and end-to-end) tests are necessary for performance and functional monitoring.
“An API is like a book; you should be analyzing every bit of data associated with it.”
Patrick likens the need for comprehensive API coverage to monitoring a child’s education. Gauging a child’s education process is more than simply checking a box for their attendance. Standardized testing, projects, and grades factor into correctly measuring their progress. Similarly, uptime (or attendance) is only part of a much bigger picture.
2. Use API Monitoring To Avoid Breaches
In a recent report, Akamai found that 83% of web traffic is now processed through APIs. Though cyber-attacks are a prevalent issue, it is estimated that 95% of API vulnerabilities are due to simple human error. Both figures heighten the need for ubiquitous API testing. Patrick points to some major breaches and uncaught downtime, and how, in hindsight, API performance and functional uptime monitoring could have easily avoided them.
3. Adopt Automated Testing Into CI/CD
CI/CD pipelines should include automated testing at every step of the way. In addition to that, Patrick recommends routines monitoring at 5-minute increments as a general rule of thumb. As the DevOps movement has encouraged lean and efficient development and deployment practices, API monitoring and testing should accompany these new initiatives with smart, automated features to reduce human error. To Patrick, when end-to-end tests, load testing capabilities, and functional testing are all run on a routine schedule, this is functional monitoring.
4. Monitoring Can Encompass Business Goals Too
How are developer consumers getting value from your API? When covering API testing and monitoring we tend to focus only on the infrastructure, considering if uptime meets our SLA, or ensuring functional tests pass, etc. While this is foundational and crucial to retaining platform stability, monitoring business activity may be just as important. According to Derric Gilling, API monitoring and analytics should be adopted that track developer user activity more intimately.
5. Follow North Star Business Metrics
According to Derric Gilling, API providers tend to emphasize the wrong metrics too often. When it comes to gauging the success of a developer program, API owners mistakenly trust statistics like the number of API keys issued that week or the number of signups. Instead, Derric argues API owners should put more faith in metrics tied to the bottom line.
For example, Time to First Paid App is an intriguing metric to consider. Public API products inherently have two levels of business models. First, developer consumers must build an application that is revenue-generating. Only once they have a working product can they afford to graduate from freemium to a professional or enterprise-level agreement. At which point, the API provider finally benefits. Having empathy for developer timelines can help ensure your developer experience is better constructed to support their initiatives.
6. Choose API Monitoring Solutions Carefully
Patrick notices four issues with API monitoring tools on the market. When you’re considering API monitoring solutions, it may help to consider his following points.
- Watch out for tools that do “synthetic testing”: Avoid tools touting “synthetic testing” features. Patrick notes this is a code word for basic solutions that cannot reproduce consumer flows.
- Consider API privacy: Some tools that utilize 3rd-party clouds, adding another layer of potential API insecurity. Internal APIs, instead, may need to utilize on-premise tools.
- New platforms requiring new types of tests: Some solutions deal with either monitoring or testing. However. to avoid inconsistencies and time developing new styles, Patrick believes testing and monitoring should be combined.
- Check test intelligence: Some tests aren’t as detailed as they should be. They must reproduce consumer flows.
7. Attend Austin API Summit for More Insights on API Monitoring!
There are many reasons to consider improving your API monitoring game. We’ve learned how smart API monitoring can avoid breaches, increase developer experience, and improve customer satisfaction.
But there are also best practices to do API monitoring correctly. Strategies differ in terms of public versus internal environments and whether or not API providers reduce effort by combining testing and monitoring in the same platform.
These were just a few of the many insights shared in our hourlong API Monitoring LiveCast. Watch it in full for additional details. Also, attend the 2020 Austin API Summit to see Patrick Poulin and Derric Gilling expand on these thoughts during more in-depth sessions:
- Patrick Poulin: API Monitors: A False Sense of Security
- Derric Gilling: How to Build a Killer API Program Developers Love