4 Essential Metrics for API Consumption Visibility (+ 2 Advanced Ones You shouldn't Miss)

APIs are the backbone of internet traffic today, driving over 83% of all web traffic according to 2018’s analysis by Akamai (numbers skyrocketed since).

Yet, in this vast network of interconnected services, the visibility offered by vendors and tracked by companies often focuses primarily on the API providers’ perspective—monitoring how their exposed APIs are used and governed. 

However, at Lunar.dev, we advocate for a crucial shift in this approach: companies must also gain comprehensive visibility into their role as API consumers. 

This means understanding which third-party APIs are being consumed, how these APIs perform, and collecting actionable metrics to reveal usage patterns and troubleshoot issues effectively.

The importance of this shift cannot be overstated.

How often have you spent hours trying to troubleshoot an integration, struggling to determine whether the problem lies within your own system or with the API provider? 

How frequently have you questioned the performance of your API providers and whether it’s time to consider alternatives?

This blog post addresses these challenges, offering a detailed look into why tracking API consumption visibility and metrics should be a fundamental part of your API integration strategy.

‍

The 4 Types of Metrics for API consumption visibility

1. API’s Technical Metrics

API’s Technical Metrics are critical parameters that measure how the API provider is performing in real-time and over time. This layer of metrics is fundamental to understanding the behavior of the APIs you consume and includes data collected at both the domain level (overall API provider performance) and endpoint level (specific API actions).

Tracking these metrics allows companies to:

1. Understand Problems Early: Detect issues with API performance or downtime before they impact your applications, allowing for quick troubleshooting and problem resolution.
2. Measure SLA of API Providers: By tracking these metrics, you can objectively measure whether your API providers are meeting their Service Level Agreements (SLAs), which is crucial for contract negotiations and ensuring you’re getting the value promised.
3. Plan Triggers and Traffic Control Actions: Monitoring technical metrics allows you to set up triggers and controls in your middleware that can manage traffic, limit requests, and respond to API performance issues proactively.

Here are 8 key technical metrics to track:

• Error Rate & Error Distribution: This metric tracks the frequency and types of errors returned by the API. For instance, a common error is the 429 Too Many Requests error, indicating that the rate limit has been exceeded. Monitoring this helps identify problematic endpoints or usage patterns that could cause service disruptions.
• Latency: Latency measures the time taken for an API request to be processed and a response to be received. This is crucial for latency-sensitive applications, such as processing payments or checking out a shopping cart via the Shopify API, where delays can significantly affect the user experience.
• Duration of API Call: This measures the round trip time of an API call, including the time spent in processing and network transfer. It helps in identifying which APIs are slower and where performance improvements might be needed.
• P90, P95, P99: These metrics represent the 90th, 95th, and 99th percentile response times, respectively, showing the worst performance thresholds that affect the majority of requests. Tracking these percentiles helps ensure that your API performance is within acceptable bounds even during peak loads.
• Payload Size: This metric tracks the size of data sent and received in API calls. It is particularly relevant for APIs that use large XML payloads, like SOAP APIs, where payload size directly affects latency and processing time.
• Gauging of Provider's Rate Limits: This involves monitoring how close you are to hitting your rate limits, which is crucial for managing usage and avoiding throttling. Staying within rate limits ensures consistent performance and availability of the service.
• API Provider's Quota Usage and Rate Limit Usage: Keeping track of real-time quota usage across all consumers, including staging and production environments that may share the same API keys, is critical. This prevents unintended competition over quotas and rate limits, ensuring that mission-critical environments have the resources they need.
• API Uptime: Uptime measures the availability of the API over time, indicating how often the service is up and running without interruptions. This can be tracked internally through synthetic monitoring or by relying on uptime reports provided by the API provider. Regular monitoring of uptime is essential to ensure that the API meets the expected availability requirements outlined in SLAs. For example, if an API claims 99.9% uptime but consistently falls short, it may signal the need to reassess your API provider or implement redundancy measures.

2. Business Usage Metrics

Business Usage Metrics encompass tracking data that impacts the business logic of your application, focusing on aspects such as costs, security, resilience, and performance. Unlike standard technical metrics, these are highly specific to how a company utilizes third-party APIs, often requiring deeper insight into the API payloads, where the business logic is most active. These metrics can vary significantly between companies based on their unique API consumption patterns and needs.

Key Business Usage Metrics:

1. Cost:
   Companies that consume costly APIs (where charges are based on volume or per-call) must track their API usage to identify opportunities for caching responses. By caching specific API calls—typically GET requests—they can dramatically reduce costs by avoiding redundant API calls to the provider.
   
   Example: A TravelTech company using the Google Maps API to fetch restaurant locations on a particular street can store these responses. If a similar request is made later, the company can serve the cached response instead of calling the API again, significantly cutting down costs.

2. Efficiency:
   Companies may block certain API calls to prevent unnecessary hits to the provider’s rate limit, thereby protecting their SLA commitments. One common scenario involves 200 OK responses with empty bodies, which add no value but still consume rate limits.
   
   Example: A company querying the JFK Airport API to check flight statuses for Lufthansa from JFK to Heathrow might receive a 200 OK response with an empty body because Lufthansa isn’t supported by JFK’s API. By tracking metrics of such responses, the company can avoid making these ineffective calls in the future, thus conserving their rate limits. Additionally, businesses can compare the performance of alternative API providers and prioritize the most reliable or cost-effective one, creating fallback mechanisms to maintain resilience.

3. Security:
   Companies need to monitor excessive API usage by specific tenants to prevent security risks and mitigate cost exposures. Excessive or abusive consumption, especially for sensitive APIs like OpenAI, can pose both financial and security threats.
   
   Example: A company consuming the OpenAI API needs to track the volume of API calls per tenant, establish a baseline of normal usage, and set alerts or blocks when a tenant’s usage surpasses this baseline. This proactive monitoring helps prevent abuse, protects data security, and controls unexpected costs.

‍

3. Middleware Performance Metrics

API Middleware refers to the software layer that sits between your application and the API providers, managing and optimizing how your application interacts with these external services. Middleware can include components like caching layers, retry mechanisms, throttling, and queuing systems, all designed to enhance the performance, reliability, and cost-effectiveness of API consumption.

To fully understand the impact of middleware on API performance, it’s crucial to collect metrics on how these components interact with API providers. These metrics help evaluate middleware effectiveness and identify areas for optimization. Tracking middleware performance metrics ensures that your integrations are not only functioning correctly but are also optimized for cost and performance.

Key Middleware Performance Metrics:

1. Caching API Calls:
   Caching stores frequently used API responses locally, reducing the need to repeatedly call the API provider for the same data. To assess the success of caching strategies, it’s important to track the cache hit/miss ratio, which measures how often data is retrieved from the cache versus how often it’s fetched from the provider.
   
   Example: A high cache hit ratio indicates effective caching, leading to cost savings and improved response times. For instance, a company that caches product data from an e-commerce API can correlate a high hit ratio with reduced API call costs and faster page load times for users.
   ‍
2. Retry Logic:
   Retry logic automatically re-attempts failed API calls, ensuring resilience against temporary outages or errors. To monitor its impact, track the frequency of retries within a given timeframe and the duration it takes to complete API workloads under retry conditions.
   
   Example: If the retry logic is frequently triggered, it may indicate issues with API stability or connectivity. Tracking these metrics helps identify when retries are necessary and assess their impact on overall system performance, ensuring that the retry logic doesn’t inadvertently degrade service levels.
   ‍
3. API Call Queue:
   Queuing helps manage API call loads, especially during peak times, by controlling the flow of requests to the provider. Key metrics include the number of API calls queued and the point at which the queue reaches its limit.
   
   Example: By monitoring queue metrics, a company can evaluate whether the queuing mechanism is effectively managing peak loads or if adjustments are needed to prevent overflows, which could lead to dropped or delayed requests.
   ‍
4. Client-Side Throttling:
   Throttling controls the rate of outgoing API calls to prevent hitting provider rate limits. Key metrics to track include the velocity of throttled calls over time and its impact on the 429 error rate (Too Many Requests).
   
   Example: Tracking how often and when throttling occurs helps correlate its impact on reducing 429 errors. A company that effectively throttles requests can maintain a smoother interaction with API providers, minimizing disruptions and avoiding penalties for exceeding rate limits.

‍

4. User-Defined Diagnosis Metrics

User-Defined Diagnosis Metrics refer to custom metrics that are tracked to diagnose specific patterns or problems occurring over time. These metrics are a combination of business logic metrics and technical API performance metrics, tailored to your organization’s unique needs. They provide deeper insights by allowing you to filter, group, and analyze API calls based on specific criteria, helping to identify and troubleshoot issues that may not be apparent through standard metrics alone.

This approach is particularly powerful because it enables companies to create a detailed, contextual view of API usage and performance, focusing on the areas that are most relevant to their business or technical requirements. By collecting and analyzing these metrics, you can better understand recurring issues, optimize performance, and ensure that your API integrations are aligned with your business goals.

Key Grouping and Filtering Parameters:

• Consumer (Tenant/Application): Track API metrics per individual tenant or application, which is essential for multi-tenant architectures where different clients may have distinct usage patterns and performance needs.
• Custom Header: Analyze API calls based on custom headers, which can be used to track specific API consumers, versions, or other metadata that is critical for diagnosis.
• Call Method: Differentiate between API calls based on the HTTP method used (GET, POST, PUT, DELETE), which is important for understanding usage patterns and optimizing API interactions.
• URL: Group API calls by specific endpoints or URLs, allowing for detailed analysis of traffic patterns and performance issues at a granular level.
• Domain: Track metrics by domain, which is useful when interacting with multiple API providers or different environments (staging vs. production).

Examples of Diagnosis Metrics Collection:

• Rate Limits Indicated in 200 OK Responses: Track how often rate limits are communicated within the body of a 200 OK response, which can be an early indicator of nearing or exceeded rate limits that aren’t immediately visible as errors.
• Total Number of API Calls per LLM Provider: Monitor the volume of API calls made to large language model (LLM) providers like OpenAI or GPT-4, which can help manage costs and performance across different providers.
• Total API Calls with a Specific "Reason" Parameter: Filter API calls that include a particular “reason” parameter in the request body. This is useful for diagnosing issues related to specific error conditions or business logic triggers.
• Distinguishing Between “Rate Limit Exceeded 429” and “Request Quota Exceeded 429”: Separate tracking of different 429 errors allows for a more precise understanding of rate limit issues versus quota exhaustion, helping to implement more targeted solutions.
• Total API Calls per Tenant: Measure and compare API usage across different tenants to identify potential overuse, inefficiencies, or opportunities for optimization in a multi-tenant environment.

Beyond Visibility Metrics

Predictions & Anomaly Detection

Collecting and monitoring the right API consumption metrics unlocks the next phase: observability. Observability goes beyond simple visibility by allowing you to learn patterns, make predictions, and detect anomalies in your API consumption over time. By leveraging historic data and current metrics, organizations can gain advanced insights into their API usage, enabling them to proactively manage their interactions with third-party providers.

This advanced layer of monitoring helps businesses not only respond to issues as they occur but also anticipate future challenges and opportunities, optimizing API usage in ways that align with both technical and business objectives.

Key Benefits of Predictions and Anomaly Detection:

1. Understanding and Predicting Costs Over Time:
   With a robust set of metrics, companies can model and predict future API costs based on historical consumption data and current usage trends. This predictive capability allows businesses to budget more accurately, negotiate better terms with providers, and identify cost-saving opportunities, such as caching high-volume API calls or optimizing request rates.
   
   Example: By analyzing past consumption patterns, a company can forecast its Google Maps API costs for the upcoming quarter, taking into account expected spikes during peak seasons or marketing campaigns. This helps avoid unexpected overages and provides a clear view of cost implications tied to API usage.
2. Detecting Traffic Peaks and Low-Volume Times:
   Predictive analytics can identify traffic peaks (e.g., Cyber Monday for e-commerce APIs) and low-volume periods, allowing companies to plan and prepare in advance. Understanding these fluctuations enables strategic adjustments, such as increasing API quotas ahead of high-demand periods or balancing traffic during quieter times to smooth overall consumption.
   
   Example: An e-commerce platform might anticipate a significant traffic surge on Black Friday and preemptively increase its quota or distribute traffic across multiple API keys to handle the load without hitting rate limits. Conversely, during lower traffic periods, they could schedule maintenance or rebalancing efforts to optimize system performance without affecting user experience.
3. Understanding Customer Usage Patterns and API Dependencies:
   By correlating customer usage patterns with their propagated API calls, companies can gain valuable insights into user journeys and dependencies on external APIs. This understanding can help tailor the user experience, enhance engagement, and optimize API strategies to better support customer needs.
   
   Example: A SaaS platform could track how different customer segments interact with third-party APIs, such as payment gateways or data analytics services, and adjust their offerings or integrations accordingly. If a particular API is crucial to a high-value customer journey, the company can ensure higher reliability and performance for those interactions, driving better outcomes.

Logging and Auditing API Calls

Logging and auditing API calls are crucial aspects of API visibility, focusing on the systematic collection and storage of API interactions over time. This practice involves capturing detailed records of API requests and responses, including headers, payloads, status codes, and timestamps. Logging can be applied to all API calls or targeted subsets based on specific criteria, providing an invaluable resource for analysis, troubleshooting, and compliance.

The primary goal of logging and auditing is to maintain a comprehensive record of API activity, which serves multiple purposes that go beyond standard metrics. By having access to detailed logs, companies can improve their development processes, enhance security, and ensure compliance with data protection regulations.

Key Reasons for Logging and Auditing API Calls:

1. Mocking API Request-Responses for Development and Root Cause Analysis:
   Logging API interactions allows developers to mock real request-responses during development, enabling them to test integrations without needing direct access to the live API. Additionally, logs provide a detailed record of interactions that can be reviewed to perform root cause analysis when issues arise, helping to identify where a problem occurred and how to resolve it.
   Example: During development, a company might use logged API responses to simulate interactions with a payment provider, allowing developers to work in an isolated environment without the risk of impacting real transactions. If an issue is reported in production, logs can be reviewed to trace the exact sequence of events leading up to the problem.
2. Investigating Security Breaches:
   In the event of a security incident, logs are essential for investigating how unauthorized access or data leakage occurred. Detailed logging of API calls helps pinpoint which actions were taken, by whom, and what data was accessed or transmitted, providing a clear trail of evidence for forensic analysis.
   Example: If a suspicious spike in API activity is detected, logs can help identify if a specific tenant or user was responsible, what data was accessed, and whether any sensitive information was compromised. This data is critical for responding to security incidents swiftly and implementing measures to prevent future breaches.
3. Auditing API Calls to Provide Customer Reports:
   Auditing API calls enables companies to generate detailed reports for customers, showing what Personally Identifiable Information (PII) was sent to external applications and what actions were performed. This transparency is crucial for compliance with data protection regulations and for building trust with customers.
   Example: A healthcare provider using third-party APIs to send patient data can use audit logs to generate reports that show exactly what data was shared and when, fulfilling legal requirements and ensuring customers are informed about how their information is handled.
4. Providing Logged Responses During API Downtime or Outages:
   When an API provider experiences downtime, logging past responses allows companies to provide fallback data to maintain service availability. This approach improves the user experience during outages by returning previously stored responses when live data cannot be fetched.
   Example: If a logistics company relies on a shipping provider’s API to track package statuses, an unexpected API outage could disrupt operations. By using logged responses, the company can continue to provide estimated delivery information to customers based on the last known status, minimizing the impact of the outage.

‍

To Conclude

In today’s interconnected digital landscape, APIs are not just technical components—they are critical business enablers that drive the functionality, performance, and success of modern applications. Gaining detailed visibility into your API consumption through comprehensive tracking of metrics is no longer optional; it’s essential. From technical performance and business impact to middleware efficiency and custom diagnostics, every aspect of your API usage tells a story about how well your integrations are supporting your organization’s goals.

The ability to predict costs, detect anomalies, and log detailed interactions empowers companies to move beyond reactive troubleshooting to proactive optimization, ensuring that every API call aligns with your business needs. As these third-party integrations become increasingly central to operations, having a deep, data-driven understanding of your API consumption is what sets resilient, efficient organizations apart. Investing in visibility today means safeguarding your business-critical integrations for tomorrow.

‍