Professional Documents
Culture Documents
Apis in Action: A Guide To Monitoring Apis For Performance
Apis in Action: A Guide To Monitoring Apis For Performance
WHITE PAPER
APIs in Action
A guide to monitoring APIs
for performance
WHITE PAPER
Table of Contents
Introduction......................................................................................................................................................... 3
Understanding APIs........................................................................................................................................ 3
APIs in Action...................................................................................................................................................... 4
APIs in Action 2
WHITE PAPER
APIs in Action 3
WHITE PAPER
APIs in Action
Let’s look at a well-known company that relies on Now let’s compare that public API scenario to an
public APIs. example of how APIs can be used to trigger tasks to
The Weather Company collects weather data improve internal business processes.
from millions of endpoints and sources around the Splunk Web Optimization, part of Splunk Synthetic
globe. They store this data and make it accessible Monitoring, captures a number of performance metrics
to consumer-facing applications via hundreds of for digital businesses and provides smart suggestions
different APIs. for how to improve site performance. The optimization
Consider a widget on your home screen or desktop tool can help teams identify when any changes to
that always displays current temperature and weather a website introduce a regression in performance,
conditions based on your location. Your device may not meaning a site or web app has some content that’s
have a thermometer or a barometer or any baked-in making it load slower than it could.
technology that detects or predicts weather patterns, Using the optimization tool’s API, the team at Splunk
but your device can send information about your can integrate performance testing into deployments
location to an API and return the correct data such as and identify any performance regressions introduced.
the temperature and forecast based on your location. A request was built into the deployment process for
Even if you’re not on the Weather Company website the optimization API that triggers a performance
or using one of the Weather Company’s native mobile scan to Splunk’s staging environment and posts the
applications you may be interacting with data from a details of the scan into our Slack chat channel. Now
Weather Company API responding to simple requests. we can use our existing ChatOps setup to notify the
team when anything we build in staging will make our
application slower.
APIs in Action 4
WHITE PAPER
CHAPTER ONE
CHAPTER TWO
APIs in Action 5
WHITE PAPER
Or, let’s say that you’ve developed a new internal • Response time: How quickly is the API returning
API that passes order data from a mobile device responses? Is the response time degrading over
to a system in your product warehouse. Maybe it’s time? Is the response time worse in production
critical that the data passes to the warehouse within than in pre-production?
two minutes, or the entire production schedule will • Data validation: Is the API returning the correct
be off. When you developed the API and tested it in data in the right format?
staging it always passed data successfully within • Multi-step processes: Can I successfully save and
one minute, but when you launch the API and start reuse a variable from this API? Does authentication
processing real requests you notice that the real work as expected? Can I complete a transaction
response time is creeping up closer and closer to with data from this API?
that two-minute threshold. Without active monitoring
• Backend performance: How much latency
on the API in production, your team might assume
or slowness exists in backend services when
that the developed API is fast enough based on
communicating with APIs? Have we set up alerts
pre-production tests.
for poor performance?
Note: If you host an API that other people rely on, These are just the basic concepts that your team
be sure to actively monitor that API in both pre- should be looking for when it comes to monitoring API
production and production environments. performance. In the next section we’ll cover how to
technically implement monitoring for APIs and what
types of features are important to build out robust,
Whether it’s to keep tabs on your own APIs or see
flexible performance tests.
the impact of external services that you rely on, it’s
important to monitor APIs for availability, functionality,
speed and performance. If you know you have an API
that’s been unreliable in the past and you’re not actively
monitoring that API, start the conversation with your
team and develop a plan to begin monitoring that
API today.
APIs in Action 6
WHITE PAPER
CHAPTER THREE
APIs in Action 7
WHITE PAPER
We could continue to add more functional steps to this When using any type of direct authentication, it’s
transaction or add an Assert step to confirm that the important that you also use SSL/TLS or
session ID is set as expected. https:// at the start of the API endpoint URL. Using
SSL/TLS will ensure that the HTTP basic authentication
Handling authentication credentials or API keys aren’t exposed in the URL.
In the above example we used request headers to Interested in learning more about SSL/TLS and how
send over a username and password for authentication. to optimize for performance? There are a number of
Let’s take a minute to focus on the security aspect excellent articles on the Zoompf blog.
of APIs and how we can consider this as we build
performance tests. HTTP basic authentication
Authentication for an API defines who has permission If you are using basic authentication to secure your
to access secure data or endpoints. This is especially APIs, it’s super simple to include that authentication
important for APIs sharing sensitive information, APIs when configuring an external monitor to check for
that allow end users to make changes, or for companies API performance.
that charge some cost for accessing data via API. And
The most common and reliable way to set up a
while securing an API for an individual human end user
monitoring request with HTTP basic authentication
is one undertaking, there are additional considerations
is to go ahead and encode that username:password
as we authenticate systems for an increasing number
value in base64 and send that value over in an
of non-human entities.
authorization header:
As APIs become more secure, proactive monitoring
systems are adapting to make it possible to access
secure systems externally.
Direct authentication
A good example of direct authentication is HTTP basic
authentication. HTTP basic authentication is a standard
part of HTTP, and it can be used for API endpoints
or any HTTP URL. You simply send a username and It’s important to note that while it’s easy to encode
password — encoded together in base64 — as usernames and passwords into base64, it’s also
part of your request to the API. The benefit of HTTP very easy to reverse or decode so that a system can
basic authentication is that it’s easy to implement authenticate a request. You can try this yourself with an
and is typically included in standard frameworks. On online base64 encoder/decoder. Because base64 is so
the downside, HTTP basic authentication offers no accessible, it’s important to protect this type of direct
advanced options and may be easily decoded. authentication with SSL/TLS.
Another example of direct authentication
would be using API keys or tokens. API keys
are just a long string of hexadecimal digits, i.e.
34d83d84f28d146aeae0e32f7803c88d, that
can be sent instead of a username or password to
authenticate access to an API endpoint. API keys
are essentially the same as a set of username and
password credentials, but they provide a layer of
abstraction that is useful. For example, multiple end
users could share a single API key.
APIs in Action 8