APIs fail silently. 200 OK doesn't mean correct.

Your payment API returns 200 but the response body is {"data": null}. Your search endpoint responds in 50ms but every result is empty. Your auth service is up but issuing expired tokens. Traditional uptime monitoring sees green. Your customers see broken.

What to actually monitor on an API

Pinging an endpoint and checking for 200 is table stakes. Real API uptime monitoring validates that the response is correct, fast, and secure.

Status codes

Assert the exact status code you expect. A 301 redirect when you expect 200 means your routing is broken. A 204 instead of 200 means your API changed without your knowledge.

Response time

Set latency thresholds. An API that responds in 8 seconds is functionally down for most users even if it returns the right data.

Response body (JSONPath assertions)

Validate specific fields in the JSON response. Check that $.status equals "healthy", that $.data.length is greater than 0, or that a specific key exists.

SSL certificates

Get alerted days before your certificate expires. An expired SSL cert on your API causes every client to reject the connection instantly.

Response headers

Verify security headers like CORS, Content-Type, and Cache-Control are present and correct. Missing CORS headers break every frontend client silently.

Error rate patterns

A single 500 might be a blip. Three consecutive 500s is an outage. Track patterns over time to separate noise from real incidents.

DIY API health checks (and their limits)

You can build basic API monitoring with a cron job and a script. Here is what that looks like and where it falls short.

curl (quick health check)

# Check status code AND response body
curl -sf https://api.example.com/health \
  -w "\nHTTP_CODE:%{http_code} TIME:%{time_total}s\n" \
  | jq -e '.status == "healthy"' > /dev/null \
  || echo "ALERT: API health check failed"

Python (with response body validation)

import requests
import time

def check_api():
    start = time.time()
    try:
        r = requests.get(
            "https://api.example.com/health",
            headers={"Authorization": "Bearer YOUR_TOKEN"},
            timeout=10
        )
        elapsed = time.time() - start

        if r.status_code != 200:
            alert(f"Bad status: {r.status_code}")
            return

        data = r.json()
        if data.get("status") != "healthy":
            alert(f"Unhealthy: {data}")
            return

        if elapsed > 2.0:
            alert(f"Slow response: {elapsed:.1f}s")

    except requests.exceptions.Timeout:
        alert("API timed out after 10s")
    except Exception as e:
        alert(f"API unreachable: {e}")

Node.js (fetch with assertions)

async function checkApi() {
  const controller = new AbortController();
  const timeout = setTimeout(() => controller.abort(), 10_000);

  try {
    const start = performance.now();
    const res = await fetch("https://api.example.com/health", {
      headers: { "Authorization": "Bearer YOUR_TOKEN" },
      signal: controller.signal,
    });
    const elapsed = performance.now() - start;

    if (!res.ok) {
      alert(`Bad status: ${res.status}`);
      return;
    }

    const data = await res.json();
    if (data.status !== "healthy") {
      alert(`Unhealthy response: ${JSON.stringify(data)}`);
      return;
    }

    if (elapsed > 2000) {
      alert(`Slow: ${Math.round(elapsed)}ms`);
    }
  } catch (err) {
    alert(`API unreachable: ${err.message}`);
  } finally {
    clearTimeout(timeout);
  }
}

The problem with DIY: You need to run these scripts from multiple regions, handle retries to avoid false alerts, store historical data for trend analysis, configure alert routing (email, Slack, PagerDuty), and keep the monitoring infrastructure itself reliable. That is a product, not a script.

How Uptrack monitors APIs differently

Most monitoring tools check if a URL returns 200. Uptrack treats each check as a full assertion pipeline: status code, latency, headers, and response body are all validated on every request.

Consecutive-check confirmation (no false alerts)

A single failed check does not trigger an alert. Uptrack runs a confirmation check from a different region before creating an incident. This eliminates false positives from transient network issues, DNS propagation delays, or momentary load spikes. You only get alerted when something is actually down.

Response body assertions (JSONPath and regex)

Define assertions on the response body using JSONPath expressions or regex patterns. Check that $.database.connected is true, that an array has items, or that a version string matches a pattern. If the body check fails, the endpoint is marked down, even with a 200 status.

30-second check intervals

Detect API failures within seconds, not minutes. A 60-second interval means you could be down for a full minute before your first check even fires. With 30-second intervals, you halve your detection time.

Full HTTP method support

Monitor GET, POST, PUT, PATCH, and DELETE endpoints. Send custom request bodies, headers, and authentication tokens. Test your actual API contract, not just whether the server responds.

API monitoring tools compared

How Uptrack stacks up against other monitoring tools for API-specific features.

Provider	Body assertions	Min interval	False alert prevention	Free tier	Price
Uptrack	JSONPath + Regex	30s	Consecutive checks	5 monitors	Free tier
Pingdom	String match only	60s	Single check	No free tier	From $15/mo
Datadog	JSONPath + Regex	60s	Configurable retries	5 synthetic tests	From $23/mo
Better Stack	String match	30s	Confirmation period	5 monitors	From $20/mo

Monitor your first API endpoint in 3 steps

Enter your API endpoint

Go to Dashboard, click Create Monitor, and paste your API URL. Select the HTTP method (GET, POST, etc.) and add any required headers like Authorization: Bearer YOUR_TOKEN. For POST requests, add a request body.

Add response assertions

Set the expected status code (e.g., 200). Add body assertions using JSONPath: $.status == "ok". Set a response time threshold (e.g., alert if above 2000ms). Optionally validate specific response headers.

Configure alerts and go live

Choose where to get notified: email, Slack, Discord, or webhook. Set the check interval (as low as 30 seconds on Pro). Save the monitor. Uptrack runs the first check immediately and you will see results in your dashboard within seconds.

Or create via API:

curl -X POST https://api.uptrack.app/api/monitors \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "url": "https://api.example.com/health",
    "method": "GET",
    "interval": 30,
    "assertions": [
      {"type": "status_code", "value": 200},
      {"type": "json_path", "path": "$.status", "value": "healthy"},
      {"type": "response_time", "threshold": 2000}
    ]
  }'

API monitoring use cases

REST APIs — Monitor each critical endpoint independently. Your /users endpoint might be healthy while /payments is returning 500s. Per-endpoint monitoring catches partial outages that aggregate health checks miss.

GraphQL APIs — Send a POST request with a GraphQL query body and validate the response. Check that the "errors" array is empty and that expected fields are present in the response data.

Webhooks — Monitor the endpoints that receive webhooks from Stripe, GitHub, or Twilio. If your webhook handler goes down, events queue up and your integrations break silently.

Third-party APIs — Monitor the APIs you depend on: payment gateways, email services, SMS providers, CDNs. When Stripe or SendGrid has an issue, you will know before your customers report it.

Microservices health checks — Each microservice exposes a /health endpoint. Monitor them all from one dashboard. Correlate failures across services to identify which upstream dependency is causing cascading issues.

FAQ

Will monitoring requests trigger rate limiting on my API?

At 30-second intervals, Uptrack sends 2,880 requests per day per monitor. Most APIs handle this easily. If your API has strict rate limits, use a longer interval (60s or 120s) or whitelist Uptrack's IP addresses in your rate limiter. You can also monitor a dedicated health endpoint that is exempt from rate limiting.

Can I send authentication headers?

Yes. Add any custom headers to your monitor configuration, including Authorization: Bearer tokens, API keys, or custom auth headers. Headers are stored encrypted and never exposed in logs or the UI after creation.

Can I monitor POST endpoints?

Yes. Uptrack supports GET, POST, PUT, PATCH, and DELETE methods. For POST monitors, you can specify a JSON request body that gets sent with every check. This is useful for monitoring GraphQL APIs or endpoints that require a request payload.

Can I get alerted based on response time?

Yes. Set a response time threshold when creating a monitor. If the API responds slower than your threshold on consecutive checks, Uptrack creates a degraded performance incident. You can set different thresholds per endpoint since a payment API and a static health check have very different latency expectations.

How do JSONPath assertions work?

JSONPath lets you target specific fields in a JSON response. For example, $.data.users.length checks the number of users returned, $.meta.version checks a version string, and $.services[0].status checks the status of the first service in an array. If the assertion fails, the check is marked as failed.

What happens if my API is behind a firewall?

You will need to whitelist Uptrack's monitoring IP addresses in your firewall rules. Contact support for the current list of IPs. Alternatively, expose a dedicated health check endpoint that is accessible externally without compromising your internal API security.

Start Monitoring Your APIs Free

5 monitors free at 30s. Response body assertions, consecutive-check confirmation. No credit card required.

Start Monitoring Free