# API & endpoint monitoring

Most teams discover a broken API from a customer's bug report. The endpoint was 'up' the whole time; it just wasn't working. We call your endpoints every minute from multiple locations worldwide and validate what they actually return: status codes, response bodies, headers and response times. Webhooks and scheduled jobs are included. Nothing to install.


## 'Up' is not the same as 'working'

Validate what your API returns, not just that it answers

A simple ping check will happily call your API healthy while it returns an empty body, a stack trace, or somebody else's cached response to every caller. The status code says 200; your integration partners say otherwise.

Every Oh Dear check can assert on the response itself. Define which status codes count as healthy, comma-separated, with wildcards. Check that the exact string you expect is present in the body, and that error strings are absent. Verify response headers against exact values or wildcard patterns.

Monitoring an endpoint that should reject anonymous traffic? Expect a `401` on purpose. If it ever starts answering `200` to the open internet, you want to hear about it first.
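The assertions described above, sketched as an added example (not Oh Dear's code or API). The field names, the glob-style `2*` wildcard syntax and the sample responses are assumptions constructed for illustration; the last two samples show the deliberate `401` check catching an endpoint that starts answering `200` to anonymous callers.

```python
import fnmatch
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Check:
    # Field names are hypothetical, chosen for this example.
    expected_status: str = "2*"   # comma-separated; glob-style wildcard assumed
    must_contain: Optional[str] = None
    must_not_contain: Optional[str] = None
    expected_headers: dict = field(default_factory=dict)  # name -> exact value or wildcard

def evaluate(check, status, headers, body):
    """Return the list of failed assertions; an empty list means healthy."""
    failures = []
    patterns = [p.strip() for p in check.expected_status.split(",") if p.strip()]
    if not any(fnmatch.fnmatchcase(str(status), p) for p in patterns):
        failures.append(f"status {status} is not one of {check.expected_status}")
    if check.must_contain is not None and check.must_contain not in body:
        failures.append(f"expected string {check.must_contain!r} missing from body")
    if check.must_not_contain is not None and check.must_not_contain in body:
        failures.append(f"forbidden string {check.must_not_contain!r} found in body")
    # Header names are case-insensitive, so compare them lowercased.
    received = {name.lower(): value for name, value in headers.items()}
    for name, pattern in check.expected_headers.items():
        value = received.get(name.lower())
        if value is None or not fnmatch.fnmatchcase(value, pattern):
            failures.append(f"header {name}: {value!r} does not match {pattern!r}")
    return failures

# Constructed sample checks and responses (not real traffic).
API_CHECK = Check(must_contain='"status":"ok"', must_not_contain='"error"',
                  expected_headers={"Content-Type": "application/json*"})
AUTH_CHECK = Check(expected_status="401")  # anonymous traffic must be rejected

SAMPLES = [
    ("healthy", API_CHECK, 200, {"content-type": "application/json; charset=utf-8"}, '{"status":"ok"}'),
    ("200 with error body", API_CHECK, 200, {"content-type": "application/json"}, '{"error":"Traceback ..."}'),
    ("auth still enforced", AUTH_CHECK, 401, {}, ""),
    ("auth regression", AUTH_CHECK, 200, {}, '{"accounts":[]}'),
]

if __name__ == "__main__":
    for label, check, status, headers, body in SAMPLES:
        print(label, "->", evaluate(check, status, headers, body) or "healthy")
```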

## Private APIs welcome

Monitor the endpoints behind API keys and logins

Real APIs sit behind credentials. Each check sends up to 5 custom request headers: an API key, a bearer token, whatever your endpoint expects. Endpoints behind HTTP basic auth work too, through an `Authorization` header, credentials and all.

And because not everything worth monitoring is a GET: switch the check to POST, PATCH or PUT and attach a request payload, so the endpoint responds the way it does in production. Simulate the form submission, the search query, the validation call, then assert on what comes back.

You can even perform a login through a POST call and verify the authenticated response loads properly. No headless browser, no script to maintain.

## Slow is the new down

Catch the degradation before the timeout

APIs rarely go from healthy to dead in one step. Response times creep: 200 ms becomes 800 ms, becomes 4 seconds, becomes timeouts. For the integration calling you, the 4-second version is already broken, whatever the status code says.

Set a hard response-time threshold in milliseconds and get alerted the moment your endpoint runs slower than the limit you choose.

On top of the hard limit, sudden-change detection compares the last 15 minutes against the previous two hours and flags unusual slow-downs automatically. And if the endpoint stops answering within your timeout entirely, the check fails outright and we alert you that it's down.
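How the three timing outcomes above can be told apart, as an added example (not Oh Dear's algorithm). The window sizes come from the text at one sample per minute; comparing window medians with a factor of 2 is an assumption, as are the function name and the constructed series.

```python
from statistics import median

RECENT = 15      # minutes in the recent window (from the text)
BASELINE = 120   # minutes in the comparison window (from the text)

def classify(samples_ms, hard_limit_ms, factor=2.0):
    """Classify the newest sample of a per-minute response-time series.

    samples_ms: oldest first; None means no answer within the timeout.
    Returns "down", "over_limit", "sudden_change" or "ok".
    """
    if not samples_ms:
        return "ok"
    latest = samples_ms[-1]
    if latest is None:
        return "down"                      # no answer at all: the check fails outright
    if latest > hard_limit_ms:
        return "over_limit"                # hard threshold in milliseconds
    window = samples_ms[-(RECENT + BASELINE):]
    recent = [s for s in window[-RECENT:] if s is not None]
    baseline = [s for s in window[:-RECENT] if s is not None]
    if len(baseline) < BASELINE // 2:
        return "ok"                        # not enough history to compare against
    # Assumed rule: medians, so that one slow request does not trigger an alert.
    if median(recent) > factor * median(baseline):
        return "sudden_change"
    return "ok"

# Constructed series, one value per minute, in milliseconds.
STEADY = [200] * 135
CREEP = [200] * 120 + [800] * 15           # still under a 1000 ms hard limit
BLIP = [200] * 134 + [900]                 # a single slow request

if __name__ == "__main__":
    for name, series in [("steady", STEADY), ("creep", CREEP), ("blip", BLIP),
                         ("timeout", STEADY + [None]), ("spike", CREEP + [4000])]:
        print(name, "->", classify(series, hard_limit_ms=1000))
```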

## Built for webhooks and signed URLs

Fresh values for endpoints that hate repeated requests

Webhook receivers dedupe on idempotency keys. Signed URLs expire. CDNs cache the very response you're trying to test. A naive monitor sends the same request over and over, and measures the cache, not your API.

Magic variables fix this: put them anywhere in the monitored URL, the request headers or the payload, and we substitute fresh values right before every single check.

Within one check, the same variable expands to the same value. Put `$OH_DEAR_UUID` in both the URL and an `X-Request-ID` header and they match, so you can correlate our request in your own logs. The expanded URL is shown on every check report.

## The cron job that quietly stopped

Scheduled jobs don't throw errors, they just stop

The nightly invoice export, the queue worker, the cleanup task: when they break, nothing turns red. No exception, no 500, no alert. The job simply stops running, and you find out when the data is two weeks stale.

[Scheduled task monitoring](https://ohdear.app/features/scheduled-task-monitoring) is a separate check, included in every plan at no extra cost, and it flips the direction: your job pings Oh Dear when it finishes, and if the ping doesn't arrive on schedule, you get alerted. Works for cron on Linux, scheduled tasks on Windows, and anything in between.

Pair it with [application health monitoring](https://ohdear.app/features/application-health-monitoring) to surface what's happening inside the app (queue depth, disk space, database connectivity) and the loop is closed: the endpoint, the jobs behind it, and the app underneath, all on one monitor.

## Who needs API monitoring?

Anyone whose product talks to other software

**SaaS companies** whose API is the product. When the API fails, every customer integration fails with it, and the support tickets arrive before your dashboards notice.

**E-commerce stores** running on payment webhooks, inventory feeds and shipping APIs. A checkout that can't reach the payment provider is downtime, whatever the homepage says.

**Agencies** monitoring client integrations they didn't build and can't instrument. External checks need no agent, no code access, just the URL and the credentials.

**On-call engineers** who'd rather get a precise alert (endpoint, assertion, response body, ready-to-run request) than a vague "something's slow" at 3am.

## What API monitoring checks (and what it doesn't)

Understanding the scope

Our API monitoring is external, health-check style: we call your endpoints from the outside on a schedule, the way your integrations do, and assert on status, content, headers and timing. That covers the failure modes that actually page you: the endpoint that dies, the one that returns garbage with a 200, the one that slows to a crawl, the webhook that stops firing, the scheduled job that silently quits.

What a single check won't do on its own: multi-step scripted flows, where you log in, fetch a token, call three endpoints in sequence and assert on each. For those, our [AI-powered monitoring](https://ohdear.app/features/ai-monitoring) can drive a complete multi-step flow and judge the result for you, no script to maintain. If your needs are genuinely a full test suite, a checks-as-code tool is an alternative, and we'd rather tell you that here than after you've signed up.

For everything else, which is most APIs, configuration beats code: every endpoint, webhook and scheduled job watched around the clock, with nothing to write, review or maintain.

## Stop worrying, start monitoring

Start a no-strings-attached 10-day free trial. You're all set in less than a minute.
(No credit card needed.)

Not convinced yet? Need help?
Get in touch via <support@ohdear.app>.

### Let's get technical (if you're into that)

You don't need to be computer savvy to monitor an API with Oh Dear. But if you are, here's exactly how the checks behave.

## Multi-location, reproducible requests

Checked twice before we page you

Each endpoint is checked from a primary location and verified from a secondary one. We only alert when both report the problem, so a network blip between one region and your host won't page you.

Every failure report includes the full response body, all request and response headers, and a ready-to-run command that replicates our exact request, custom headers included. Copy, paste, and see what we saw.

## Content checks, beyond a GET

Verify writes, logins and search

Assert that an exact string (a key, a value, an error marker) is present or absent in the response. A 200 with the wrong body fails the check.

Switch any check to POST, PUT or PATCH with its own payload. Simulate the real call (a form submission, a search query, a login) and assert on the authenticated response that comes back.


## Frequently asked questions

### Can I monitor my API endpoints with Oh Dear?

Yes. Add any endpoint URL as a monitor and Oh Dear checks it from multiple locations worldwide, verifying the status code, response body content, response headers and response time. Custom request headers, HTTP verbs and payloads let you monitor authenticated and write endpoints too.

### What's the best way to monitor endpoints, webhooks, and scheduled jobs together?

With one tool instead of three. Oh Dear covers external endpoint checks with content validation, webhook receivers (magic variables generate fresh idempotency keys per check), and [scheduled-task monitoring](https://ohdear.app/features/scheduled-task-monitoring) (your job pings us; silence triggers the alert), alongside certificate, DNS and performance checks on the same website monitor.

### Can Oh Dear check authenticated API endpoints?

Yes. Each check can send up to 5 custom request headers: an API key, a bearer token, or an `Authorization` header for HTTP basic auth. You can also choose the verb (GET, POST, PATCH, PUT) and attach a request payload.

### Can it validate the response my API returns?

Yes. Define a string that must appear in the response (for example `"status":"ok"`) and a string that must be absent (for example `"error"`). If the body doesn't match, the check fails even when the status code looks healthy. You can [read how response validation works](https://ohdear.app/docs/features/uptime-and-performance-monitoring) in the docs.

### Is this synthetic API monitoring?

In the health-check sense, yes: Oh Dear actively calls your API from the outside on a schedule and asserts on the response. It's configuration instead of code. If you need scripted multi-step transactions, a checks-as-code tool fits better; for everything else, this is far less to maintain.

### Can I get alerted when my API gets slow, not just when it's down?

Yes. Set a hard response-time threshold in milliseconds and Oh Dear alerts you when your endpoint exceeds it. Sudden-change detection also compares the last 15 minutes against the previous two hours and flags unusual slow-downs automatically.


