
Monitor API usage

Watch per-key usage — request counts, error rates, last-used timestamps. Where the dashboards are, what to look at, and what alerting setup makes sense for production keys.

May 10, 2026

Every API request is logged with the key it used, the endpoint, status code, and timestamp. Usage data surfaces both as live dashboards and as a record for security audits. Knowing what to watch for is the difference between catching a problem early and finding out from a furious customer.

Where the data lives

Two views:

  • Settings → API Keys → key → Usage — Per-key dashboard: requests over time, by endpoint, by status code, last-used timestamp
  • Settings → API Keys → Overview — Tenant-wide: all keys, last-used, request volume, anomalies

The per-key view is for operational debugging. The overview is for “is something broken?” at a glance.

What to look at

For each key:

Last used

The lastUsedAt timestamp updates every time the key is used. Useful for:

  • “Is this key still in use?” — keys with lastUsedAt more than 30 days old are candidates for revocation. They’re either obsolete integrations or unused defaults from when the tenant was set up.
  • “Did the rotation finish?” — after rotating to a new key, watch the old key’s lastUsedAt. When it stops updating for 24-48 hours, every consumer has migrated and you can safely revoke.
  • “Did the integration break silently?” — a production key that suddenly stops being used means the integration is failing somewhere. Check the consumer.

Request volume over time

Spikes and dips both signal something:

  • Sudden spike — could be a normal traffic surge, OR a runaway loop in an integration, OR a leaked key being abused. Cross-check with the per-endpoint breakdown.
  • Sudden dip — could be a deployed change in the consumer that reduced volume, OR the consumer is broken. Cross-check with error rate.

Error rate (status codes)

Atender logs the status code on every API call. The signals:

  • 2xx — Success — Healthy
  • 401 — Unauthorized — Wrong / revoked / expired key (check rotation status)
  • 403 — Forbidden — Key valid but missing scope for the called endpoint
  • 404 — Not found — Targeting a resource that doesn’t exist (typo in URL, deleted resource, wrong tenant)
  • 422 — Validation failed — Request body shape wrong (wrong field names, missing required fields)
  • 429 — Rate limited — Hitting the per-minute or per-day cap. See rate limits reference
  • 5xx — Server error — Atender-side issue. If sustained, check status page

A healthy key has >99% 2xx. A key with 5%+ 429s is being throttled and either needs a tier upgrade or a slower consumer.

Top endpoints

The breakdown of which endpoints the key hits most. Useful for:

  • Detecting unintended scope creep — if a key intended for KB sync is suddenly hitting /contacts, the consumer changed its behavior
  • Finding optimization opportunities — a key making 90% of its requests to GET /articles could be cached at the consumer
  • Debugging a confused consumer — top endpoints showing 4xx clusters point at where a deployment regressed

Alerting that pays off

For production keys, set up alerts on:

  • lastUsedAt not updating — >2 hours of silence on a real-time integration — Detects silent integration failures
  • 429 rate >5% — sustained over 30 min — Tier is too low or consumer is misbehaving
  • 5xx rate >1% — over the same window — Atender-side issue or misuse
  • 403 rate spike — any spike on a previously-clean key — Scope mismatch — the consumer is calling endpoints it shouldn’t, or someone changed scopes
  • New unique IPs on the key — first occurrence — Possible key leak — investigate the source

Atender’s webhook system can fire these alerts to Slack, PagerDuty, or email — see Settings → Webhooks.
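
The alert conditions listed above, evaluated over one key's request log, as an added example that is not Atender's own code. The record layout (timestamp, endpoint, status, IP), the alert names and the minimum-sample threshold are assumptions for illustration, and the log rows are constructed.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # "sustained over 30 min"
SILENCE = timedelta(hours=2)     # ">2 hours of silence"
MIN_REQUESTS = 20                # assumption: skip rate checks on tiny samples

def evaluate_key(records, now):
    """records: (timestamp, endpoint, status, ip) tuples for ONE key (assumed layout).
    Returns the sorted names (hypothetical) of the alert conditions that fire."""
    if not records or now - max(r[0] for r in records) > SILENCE:
        return ["silent"]
    recent = [r for r in records if now - r[0] <= WINDOW]
    baseline = [r for r in records if now - r[0] > WINDOW]
    alerts = set()
    if len(recent) >= MIN_REQUESTS:
        share = lambda match: sum(1 for r in recent if match(r[2])) / len(recent)
        if share(lambda s: s == 429) > 0.05:
            alerts.add("429_rate")
        if share(lambda s: 500 <= s <= 599) > 0.01:
            alerts.add("5xx_rate")
    if baseline:  # "previously clean" and "new IP" both need history to compare against
        if any(r[2] == 403 for r in recent) and all(r[2] != 403 for r in baseline):
            alerts.add("403_on_clean_key")
        if {r[3] for r in recent} - {r[3] for r in baseline}:
            alerts.add("new_ip")
    return sorted(alerts)

NOW = datetime(2026, 5, 10, 12, 0)

def constructed_sample(now=NOW):
    """Constructed log rows: steady KB-sync traffic, then throttling plus one
    403 on /contacts from an address the key has never used before."""
    ip = "203.0.113.10"
    rows = [(now - timedelta(minutes=60 + 5 * i), "/articles", 200, ip) for i in range(40)]
    rows += [(now - timedelta(seconds=50 * i), "/articles", 200, ip) for i in range(27)]
    rows += [(now - timedelta(minutes=m), "/articles", 429, ip) for m in (3, 4)]
    rows.append((now - timedelta(minutes=5), "/contacts", 403, "198.51.100.7"))
    return rows

if __name__ == "__main__":
    print(evaluate_key(constructed_sample(), NOW))
```

The new-IP and 403 checks can only compare against history that is still inside the per-request retention window, so a key's known-IP set is worth persisting separately if first-occurrence detection matters.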

What’s tracked, what’s retained

  • Per-request log (endpoint, status, timestamp, IP) — Variable per tier; typically 30-90 days for the standard tier
  • Daily aggregate stats (total requests, error rates, top endpoints) — Indefinite
  • lastUsedAt on the key record — Indefinite

For long-term analysis (year-over-year usage patterns), rely on daily aggregates. Per-request detail is for recent debugging.

Periodic review

Once a quarter, walk through every active API key and check:

  1. Is it still in use? (lastUsedAt recent)
  2. Are its scopes still appropriate? (any drift in what the consumer does)
  3. Is it on the right tier? (check 429 rate)
  4. When was it last rotated? (rotate if older than your policy)

This 15-minute review catches stale keys, over-scoped keys, and rotation gaps before they become incidents.
