What is an API Check?
An API check is a specialized HTTP/HTTPS uptime check tuned for JSON and REST endpoints. It sends authenticated requests with custom headers and bodies, then validates the response — including specific JSON fields, not just the status code.
Use API checks for:
- Public REST APIs you operate or depend on
- Authenticated endpoints (Bearer tokens, API keys, basic auth)
- Webhook receivers that should respond with a specific JSON body
- Third-party APIs where availability impacts your service (payments, auth, etc.)
What Gets Monitored
- HTTP/HTTPS status code — 2xx, 3xx, 4xx, 5xx
- Response time — full request duration including TLS handshake
- JSON body validation — assert specific fields and values
- Custom response headers — verify rate-limit, version, or correlation headers
- Authentication — request succeeds with provided credentials
- TLS certificate validity when using HTTPS endpoints
Prerequisites
- A reachable API endpoint URL
- Authentication credentials if the endpoint is protected (Bearer token, API key, basic auth)
- Endpoint allows requests from Xitoring's probing IP ranges
- A predictable response shape you can assert against
How to Set Up an API Check
Step 1: Create the Check
- Log in to your Xitoring Dashboard
- Go to Uptime → Add Check
- Select API as the check type
Step 2: Configure the Request
- Enter the endpoint URL (e.g.,
https://api.example.com/v1/health) - Choose the HTTP method (GET, POST, PUT, PATCH, DELETE)
- Add request headers:
Authorization: Bearer <token>Content-Type: application/jsonX-API-Key: <key>
- Add a request body for POST/PUT/PATCH (JSON or form-encoded)
- Set the check interval (30 seconds to 15 minutes)
- Set the timeout (default: 30 seconds)
Step 3: Configure Validation
- Expected status code — typically
200or204 - Response body keyword — assert text like
"status":"ok"exists - JSON field assertions — verify specific paths (e.g.,
data.healthy == true) - Header checks — confirm rate-limit headers are present and within bounds
Step 4: Choose Probing Nodes
Pick at least 3 nodes. For globally distributed APIs, spread nodes across the regions your customers use.
Step 5: Assign Notifications
Under Triggers, attach a notification role.
Step 6: Save and Verify
Save the check. Confirm the first probe succeeds in the dashboard.
Setting Up Triggers
Common alerting rules:
- Status code mismatch —
401/403could mean expired credentials,5xxmeans broken backend - Body assertion failed — required JSON field missing or wrong value
- Slow response — exceeds your API SLA threshold
- Authentication failure — repeated
401/403from a previously working credential
Tips
- Use a dedicated
/healthor/v1/statusendpoint — never hit production paths that mutate data - Rotate monitoring credentials separately from real user credentials so a leak is contained
- Assert on a JSON field, not just the status code — many broken APIs return
200with an error body - Watch response time — APIs degrade before they go fully down. Alert at the p95 you've promised
- Add a header to identify Xitoring traffic (e.g.,
X-Health-Check: xitoring) so you can exclude it from analytics - Don't store secrets in the URL — use the headers field, which is encrypted at rest