# website monitoring
How to Monitor REST API Uptime and Availability
REST APIs are the backbone of modern web applications — they power mobile apps, integrations, and service-to-service communication. When an API goes down, every dependent application breaks. Monitoring REST API uptime requires a slightly different approach than monitoring websites: authentication headers, request bodies, and response validation all need careful configuration.
What REST API Monitoring Checks
Effective API monitoring validates more than just HTTP status codes:
- Status code — is the API returning expected codes (200, 201, 204)?
- Response body — does the response contain expected data?
- Authentication — are authentication tokens valid and working?
- Response time — is the API responding within acceptable latency?
- Error rate — what percentage of checks are returning errors?
Setting Up a Health Endpoint
Every REST API should expose a dedicated health endpoint:
GET /health
GET /api/health
GET /api/v1/health
Health endpoint response:
{
"status": "ok",
"version": "2.1.4",
"uptime": 86432,
"timestamp": "2026-03-17T14:23:00Z"
}
This endpoint should:
- Require no authentication (so monitoring services can access it)
- Return 200 when healthy, 503 when unhealthy
- Be lightweight — no database calls or heavy computation
Configure your uptime monitor to check this endpoint:
Monitor: https://api.yourdomain.com/health
Method: GET
Expected status: 200
Content check: "ok"
Interval: 1 minute
Monitoring Authenticated Endpoints
For APIs that require authentication, configure monitoring with the necessary headers:
Monitor: https://api.yourdomain.com/v1/status
Method: GET
Headers:
Authorization: Bearer your-monitoring-token
X-API-Key: your-api-key
Expected status: 200
Best practice: Create a dedicated monitoring API key with read-only access to health endpoints. Don't use production user credentials — these can expire, change, or create security concerns.
POST Endpoint Monitoring
Some critical API functionality requires POST requests:
Monitor: https://api.yourdomain.com/v1/echo
Method: POST
Headers:
Content-Type: application/json
Authorization: Bearer monitoring-token
Body:
{"test": true, "source": "monitoring"}
Expected status: 200
Content check: "test"
Use a safe, idempotent test action — an echo endpoint, a status endpoint, or a test-mode endpoint that doesn't create real data.
Response Body Validation
Status codes alone aren't sufficient. An API can return 200 with an error body:
{
"status": 200,
"error": "Database connection failed",
"data": null
}
Configure content verification to check for expected response content:
Content check: contains "data" AND NOT contains "error"
Or check for a specific success indicator:
Content check: '"status":"ok"'
Monitoring API Rate Limiting
If your monitoring API key has rate limits, configure check frequency accordingly. Checking too often may consume your rate limit allocation. For rate-limited APIs:
- Use 5-minute check intervals (unless you have a dedicated monitoring key with higher limits)
- Monitor the rate limit headers in responses
- Alert if you're approaching rate limit thresholds
GraphQL API Monitoring
For GraphQL APIs, monitoring requires sending a GraphQL query. See the dedicated guide on monitoring GraphQL APIs for query-based health checks.
Multi-Region API Monitoring
APIs serving global users should be checked from multiple geographic locations. API availability can be regional:
- A CDN edge failure can make an API unavailable from one region
- Geographic routing can send users to a degraded regional instance
- DNS propagation issues can affect resolution in specific regions
Check from at least 3 global locations for production APIs with international users.
SSL Certificate Monitoring for APIs
API certificates are often overlooked compared to web application certificates. An expired API certificate breaks every client application that calls it:
Monitor type: SSL certificate
Domain: api.yourdomain.com
Alert at: 30 days remaining
See SSL certificate monitoring for setup.
Alerting for API Failures
Configure appropriately for API criticality:
| API Type | Alert Channel | Why |
|---|---|---|
| Payment API | SMS + Slack | Revenue-critical |
| Authentication API | SMS + Slack | All users blocked |
| Core data API | Slack | Significant user impact |
| Reporting API | Non-critical functionality | |
| Internal API | Slack | Team visibility |
See how to set up downtime alerts for complete configuration.
Common API Monitoring Mistakes
Only monitoring GET endpoints: If your critical functionality uses POST/PUT/PATCH, monitor those routes too — they may fail independently of GET routes.
Not testing authentication: If the API key used for monitoring expires, the monitor starts failing even when the API is healthy. Set a reminder to rotate monitoring credentials.
Ignoring response time alerts: An API that responds in 30 seconds is "up" but effectively broken. Set response time thresholds alongside availability checks.
Single location checks: API failures can be regional. Multi-location monitoring catches issues that single-location checks miss.
Monitor your REST API endpoints with HTTP checks, authentication support, and response validation at Domain Monitor.
Related Articles
More posts
What Is Generative AI? How It Works and What It Creates
Generative AI creates new content — text, images, code, and more. This guide explains how it works, what tools are available, and where it's genuinely useful versus overhyped.
Read moreWhat Is Cursor AI? The AI Code Editor Explained
Cursor AI is an AI-powered code editor built on VS Code. Learn what it does, how it works, and whether it's the right tool for your development workflow.
Read moreWhat Is Claude Opus? Anthropic's Most Powerful Model Explained
Claude Opus is Anthropic's most capable AI model, built for complex reasoning and demanding tasks. Learn what it does, how it compares, and when to use it.
Read moreSubscribe to our PRO plan.
Looking to monitor your website and domains? Join our platform and start today.