Configuring REST API monitoring


Use the REST API monitor profile to track the availability, performance, and response validity of REST‑based services. The REST API monitor profile includes two server monitoring configurations:

  • Authentication profile—Use the authentication profile to retrieve required values, such as tokens or API keys, from the authentication response and store them as variables. REST API monitoring then reuses these variables to authorize and execute subsequent REST API requests.
  • REST API Configuration—Use this configuration to define the REST API that you want to monitor. This configuration specifies the REST API endpoint, request details, execution interval, and response validation rules. The REST API configuration reuses the variables (tokens or API keys) extracted from the Authentication profile when executing the request.

To configure Authentication Profiles

  1. Perform one of the following actions:
    • In BMC Helix Operations Management, click Configuration > Monitoring Policies > Create Policy.
    • In TrueSight Operations Management, click Configuration > Infrastructure Policies > Create Policy.
  2. Click Add Monitoring Configuration.
  3. To configure the knowledge module, set the following preferences in the Add Monitoring Configuration dialog box:
    • Monitoring Solution: Synthetic Monitoring
    • Monitor Profile: Synthetic Monitoring
    • Monitor Type: REST API Monitoring

  4. In the Authentication Profiles section, click Add.
  5. Enter the authentication details as follows:
    1. In Profile name, enter a unique name that identifies the authentication configuration and is later referenced by the REST API configuration.
    2. In the Authentication type, select one of the following authentication methods used by the service:
      • BASIC (default)
      • API_KEY
      • TOKEN
    3. In the Authentication Profile Input Variables, click Add and enter the following details to define values that must be sent to the authentication API:
      1. Auth Variable Name: Enter the name of the variable required by the authentication request
      2. Auth Variable Value: Enter the value for the authentication parameter
    4. In the Auth URL, enter the authentication endpoint used by the service.
    5. In the Auth method, select one of the following HTTP methods used by the authentication API:
      • POST (default)
      • GET
    6. In the HTTP version, select the required HTTP version supported by the service for sending the request:
      • AUTO
      • HTTP_1_X (default)
      • HTTP_2
  6. Enter the authentication request details as follows:
    1. In the Auth headers (JSON), enter the required headers for the authentication request.
      The header specifies how the authentication API processes the request, such as the content type or authorization information.
    2. In the Auth payload (JSON) section, enter the authentication request body.
      The payload contains the data that the authentication API needs to verify the request, such as access keys.
    3. In the Auth session TTL (seconds), specify how long the authentication result remains valid.
      The default value is 3600.
      The authentication request is re‑executed, and a new token is fetched in the following scenarios:
      • When the cached token exceeds the configured Auth session TTL (seconds).
      • When the token expires before the configured TTL.
      • When authentication profile settings (URL, method, headers, payload, or credentials) are modified.
      • When authentication response extraction settings (variable name, regex, or group index) are modified.
      • When the Auth session TTL value is updated.
      • When no cached token is available, such as during the first monitoring cycle or after cache invalidation.

  7. In the Auth response extraction variables section, click Add.
    Use Auth response extraction variables to capture values returned by the authentication response (for example, tokens or API keys) and reuse them when executing the REST API. Add the following Auth response extraction variable details:
    1. In the Auth Extract Variable Name field, define a variable to store the extracted authentication response value, which can then be reused in the REST API configuration.
    2. In the Auth Extract Match Regex, enter the pattern used to locate the required value in the authentication response.
      This pattern identifies the location of the value within the response, such as a token or identifier.
      For example, if the authentication response contains "accessToken", enter the following value in the Match regex: "accessToken"\s*:\s*"([^"]+)"
    3. In the Auth Extract Group Index field, enter the number that identifies which part of the matched pattern contains the value to extract.
      REST API monitoring extracts the value from the specified Auth Extract Group Index and stores it under the Variable name.
      The default value is 1.
      For example, if the match regex is "accessToken"\s*:\s*"([^"]+)", enter 1 to extract the value inside the parentheses.
    4. Select the Mandatory Auth Extraction checkbox to make sure that REST API execution does not proceed unless the required value is successfully extracted from the authentication response.
    5. Click OK.
  8. In the Authorization section, add the following details to provide credentials required by the REST API:
    1. User Name
    2. Password
    3. Confirm Password
      Important: User Name and Password are required only when the Authentication type is Basic.
Example: Authentication Profile using JWT token authentication

This example shows how to configure an authentication profile to retrieve a JWT token from an authentication API and store it for later use by the REST API configuration.

Scenario: The authentication API requires an access key and a secret key. A successful authentication response returns a JWT token (json_web_token), which must be reused to access protected REST APIs. To extract a token, configure the following fields in the monitor policy:

Field, value, and description:

  • Profile name: ORG_TOKEN
    Identifies the authentication configuration and is referenced later by the REST API configuration.
  • Authentication type: TOKEN
    The service uses token‑based authentication and returns a JWT token.
  • Auth Variable Name: MY_access_key
    Auth Variable Value: 9Z7K2MRCJ8PT4FVD6AUXY0SEBWLH5
    These variables are referenced in the authentication payload and substituted at runtime.
  • Auth Variable Name: MY_access_secret_key
    Auth Variable Value: fQ8eWZr2LkCT0UoY9xP7iNwA5DJVhSMtR4B6gKcEUaHsXm
  • Auth URL: https://tenant1.abc.com/ims/api/v1/access_keys/login
    Endpoint that validates credentials and returns the JWT token.
  • Auth method: POST
  • HTTP version: HTTP_1_X
    The authentication endpoint supports HTTP 1.x.
  • Authentication headers:
    {
      "Content-Type": "application/json"
    }
    Specifies that the authentication payload is sent in JSON format.
  • Authentication payload:
    {
      "access_key": "{{MY_access_key}}",
      "access_secret_key": "{{MY_access_secret_key}}"
    }
    Provides authentication parameters required by the authentication API.
  • Auth session TTL: 3600
    Specifies that the authentication result remains valid for 3600 seconds.
  • Auth Extract Variable Name: JSON_WEB_TOKEN
      • The token is extracted and stored as JSON_WEB_TOKEN.
      • The regex locates the json_web_token field.
      • Group index 1 extracts only the token value.
      • Mandatory extraction ensures the REST API execution does not proceed without the token.
  • Auth Extract Match Regex: "json_web_token"\s*:\s*"([^"]+)"
  • Auth Extract Group Index: 1
  • Mandatory Auth Extraction: Selected

Authentication response:

The authentication response returns a JWT token that must be reused for secured REST API access:
{
  "json_web_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}

At runtime, the authentication profile performs the following actions:

  • Executes the authentication request using the configured endpoint, headers, and payload.
  • Receives the authentication response returned by the authentication service.
  • Extracts the required value (such as a token) from the response using the configured extraction rule.
  • Stores the extracted value under the specified authentication response variable name.
  • Reuses the stored value when executing REST API requests that reference this authentication profile.
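
The runtime sequence above, together with the re-authentication conditions listed under Auth session TTL, can be modelled in a few lines. This is an added sketch, not BMC code: the AuthProfile class, its function names, and the constructed auth API are hypothetical, and the case where a token expires before the TTL is not modelled.

```python
import hashlib
import json
import re
import time

INPUT_VAR = re.compile(r"\{\{(\w+)\}\}")  # {{variable_name}} in the auth payload


def render(template, variables):
    """Substitute {{name}} placeholders; an undefined name is an error."""
    def repl(match):
        if match.group(1) not in variables:
            raise KeyError(f"undefined input variable: {match.group(1)}")
        return variables[match.group(1)]
    return INPUT_VAR.sub(repl, template)


def extract(body, rule):
    """Apply one extraction rule (regex, group index, mandatory flag)."""
    match = re.search(rule["regex"], body)
    if match is None:
        if rule["mandatory"]:
            raise RuntimeError(f"mandatory extraction failed: {rule['name']}")
        return None
    return match.group(rule["group_index"])


class AuthProfile:
    """Caches extracted variables until the TTL passes or the settings change."""
    def __init__(self, config, send, clock=time.monotonic):
        self.config, self.send, self.clock = config, send, clock
        self.cache = None  # (settings fingerprint, fetch time, variables)

    def fingerprint(self):
        # Editing the URL, payload, inputs, extraction rules or TTL changes the hash.
        blob = json.dumps(self.config, sort_keys=True).encode()
        return hashlib.sha256(blob).hexdigest()

    def variables(self):
        fp, now = self.fingerprint(), self.clock()
        if self.cache is not None:
            cached_fp, fetched_at, values = self.cache
            if cached_fp == fp and now - fetched_at <= self.config["ttl_seconds"]:
                return values  # cached values are still usable
        payload = render(self.config["payload"], self.config["inputs"])
        body = self.send(self.config["url"], payload)  # send(url, payload) -> body
        values = {r["name"]: extract(body, r) for r in self.config["extract"]}
        self.cache = (fp, now, values)
        return values


# Constructed profile modelled on the ORG_TOKEN example; URL and keys are placeholders.
ORG_TOKEN = {
    "url": "https://auth.example.invalid/login",
    "inputs": {"MY_access_key": "constructed-key",
               "MY_access_secret_key": "constructed-secret"},
    "payload": '{"access_key": "{{MY_access_key}}", '
               '"access_secret_key": "{{MY_access_secret_key}}"}',
    "ttl_seconds": 3600,
    "extract": [{"name": "JSON_WEB_TOKEN", "group_index": 1, "mandatory": True,
                 "regex": r'"json_web_token"\s*:\s*"([^"]+)"'}],
}


def demo():
    """Three monitoring cycles against a constructed auth API (no network)."""
    now, calls = [0.0], []
    def fake_auth_api(url, payload):
        calls.append(json.loads(payload))
        return '{ "json_web_token": "constructed-token-%d" }' % len(calls)
    profile = AuthProfile(dict(ORG_TOKEN), fake_auth_api, clock=lambda: now[0])
    seen = []
    for t in (0, 120, 3700):  # first cycle, within TTL, TTL exceeded
        now[0] = t
        seen.append(profile.variables()["JSON_WEB_TOKEN"])
    return seen, calls
```

The three cycles trigger two authentication calls: the second cycle reuses the cached token, and the third fetches a new one because the TTL has passed.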

To configure REST API profile

  1. In the REST API configuration section, click Add.
  2. In the REST API display name, enter a unique name for this endpoint.
    The input value must not contain any character from the set "=@\\&V".
  3. In the REST API Input Template Variables section, click Add and specify a variable name and its value so REST API monitoring can replace the variable with the actual value when executing the REST API request:
    1. In Template Variable Name, enter the placeholder name that you want to use in the REST API request.
      Use this format when referencing the variable:
      {{variable_name}}
    2. In Template Variable Value, enter the value that the REST API requires.
      The REST API monitoring replaces {{variable_name}} with this value when the request is executed.
    3. Click OK.
  4. In the REST API Endpoint, enter the URL of the REST API you want to monitor.
  5. Configure the following fields to define how the REST API request is sent:
    1. In the Request method type, select one of the following HTTP methods used by the REST API:
      • POST (default)
      • GET
    2. In the HTTP version, select the required HTTP version supported for sending the request:
      • AUTO
      • HTTP_1_X (default)
      • HTTP_2
    3. In the Request headers (JSON), reference authentication variables by using the following format:
      {{auth_profile_name:variable_name}}
      This reference links the REST API request to the authentication profile and causes REST API monitoring to run the authentication profile, retrieve the extracted value (such as a token), and use that value when executing the REST API request.

      Example:
      {
         "Authorization": "Bearer {{loginAuth:token}}"
      }
      In this example, loginAuth is the authentication profile name, and token is the value extracted from the authentication response. REST API monitoring automatically replaces the reference with the actual token at runtime.

    4. In the Request payload (JSON) field, enter the request body.
    5. In the Response format type field, select the required response format:
      • JSON (default)
      • XML
      • TEXT
    6. In the Request timeout (sec), enter the maximum time to wait for a response before treating the request as timed out.
      The default value is 30.

      The monitored REST API endpoint is executed at a fixed polling interval. By default, the REST API collector runs every 120 seconds (2 minutes). At each interval, the REST API request is executed, the response is validated, and monitoring metrics such as ResponseCode, ResponseTime, Availability, and MonitoringStatus are updated.

    7. In Follow web server redirects, select how REST API monitoring follows HTTP redirects returned by the API:
      • NEVER (default)
      • ALWAYS
      • NORMAL
  6. In the Response content match rules section, click Add. Configure the following response content match rules to verify that the REST API response contains the expected content:
    1. In the Rule name, enter a unique name to identify the content match rule.
    2. In the Match regex, enter the pattern used to locate the expected content in the REST API response.
    3. In the Capturing group index, enter the number that identifies which part of the matched pattern contains the value to evaluate. The default value is 1.
    4. Select the Mandatory match to treat the REST API response as valid only when the specified content is present.
    5. Select the Case sensitive checkbox to perform a case‑sensitive match when evaluating the response content.
  7. In the Authorization section, add the following details:
    1. User Name
    2. Password
    3. Confirm Password
  8. Configure response code validation to define how REST API monitoring evaluates HTTP status codes returned by the REST API:
    1. OK status code ranges—Specify the HTTP status code ranges that indicate a successful REST API response. The default value is 200-299,302.
    2. Warning status code ranges—Specify the HTTP status code ranges that indicate a warning condition when the REST API returns a response. The default value is 1-199,300-999.
  9. Configure the following proxy settings to allow REST API monitoring to access the REST API through a proxy server:
    1. In the Proxy host name/IP address, enter the proxy host name or IP address used to connect to the REST API.
    2. In the Proxy port number, enter the port number used by the proxy server.
    3. In the Proxy User Name and Proxy Password, enter the user name and password required to authenticate with the proxy server.
Example: REST API monitor profile using JWT authentication

This example shows how to configure a REST API monitor profile that:

  • Reuses a JWT token extracted by an authentication profile, and
  • Executes a protected REST API to retrieve policy information.

An authentication profile named ORG_TOKEN is already configured and extracts the JWT token into the variable JSON_WEB_TOKEN. To know more about the token extraction, refer to the example "Authentication Profile using JWT token authentication". 

Field, value, and description:

  • REST API display name: List_Policies
    Identifies the REST API being monitored. This name is used in monitoring policies, metrics, and events to distinguish this API from others.
  • REST API endpoint: https://tenant1.abc.com/tsws/monitoring/api/v1.0/unifiedadmin/Policy/list
    Specifies the REST API endpoint that REST API monitoring executes to retrieve policy data. This is the actual service endpoint whose availability and response behavior are monitored.
  • Request method type: POST
    Specifies the HTTP method required by the REST API. This endpoint expects a POST request to process the request and return data.
  • HTTP version: HTTP_1_X
    Specifies the HTTP protocol version supported by the REST API endpoint.
  • Request headers (JSON):
    {
      "Authorization": "Bearer {{ORG_TOKEN:JSON_WEB_TOKEN}}",
      "Content-Type": "application/json"
    }
      • ORG_TOKEN is the authentication profile name.
      • JSON_WEB_TOKEN is the variable that stores the extracted JWT token.
      • At runtime, REST API monitoring replaces this placeholder with the actual JWT value.
      • The Authorization header allows access to the protected REST API.
  • Response format type: JSON
    Specifies the expected format of the REST API response so that REST API monitoring can parse and validate it correctly.
  • Request timeout (sec): 30
    Defines how long REST API monitoring waits for a response before timing out the request.
  • Rule configuration:
    Rule name: content-match-rule
    Match regex: "resourceName"\s*:\s*"([A-Za-z0-9._\-\s]+)"
    Capturing group index: 1
    Mandatory match: Selected
      • The regex locates the resourceName field in the response.
      • The capturing group extracts the value of the field.
      • Mandatory match ensures the API is considered valid only if the expected data is present.
  • OK status code ranges / Warning status code ranges: 200–299, 302 / 1–199, 300–999
      • OK status code ranges define which HTTP status codes indicate a successful REST API response.
      • Warning status code ranges define which HTTP status codes indicate warning or unexpected conditions.

At runtime, the REST API profile performs the following actions:

  • REST API monitoring executes the authentication profile ORG_TOKEN.
  • A JWT token is extracted and stored as JSON_WEB_TOKEN.
  • REST API input template variables are resolved.
  • The REST API request is constructed with all resolved values.
  • The REST API is executed, and the response is validated.
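
The request construction and response validation steps above can be sketched as follows. This is an added example, not BMC code: the function names and the UNCLASSIFIED label are hypothetical, the sample response is constructed, and checking the OK ranges before the warning ranges is an assumption the page does not state.

```python
import re

AUTH_REF = re.compile(r"\{\{(\w+):(\w+)\}\}")  # {{auth_profile_name:variable_name}}


def resolve_headers(headers, auth_values):
    """Replace each {{profile:variable}} with the value that profile extracted."""
    def repl(match):
        profile, variable = match.groups()
        if variable not in auth_values.get(profile, {}):
            raise KeyError(f"unresolved reference: {match.group(0)}")
        return auth_values[profile][variable]
    return {name: AUTH_REF.sub(repl, value) for name, value in headers.items()}


def parse_ranges(spec):
    """'200-299,302' -> [(200, 299), (302, 302)]; en dashes are accepted too."""
    ranges = []
    for part in spec.replace("\u2013", "-").split(","):
        low, _, high = part.strip().partition("-")
        ranges.append((int(low), int(high or low)))
    return ranges


def classify_status(code, ok="200-299,302", warning="1-199,300-999"):
    """Assumption: the OK ranges are checked first (302 is in both defaults)."""
    def within(spec):
        return any(low <= code <= high for low, high in parse_ranges(spec))
    if within(ok):
        return "OK"
    return "WARNING" if within(warning) else "UNCLASSIFIED"


def check_content(body, regex, group_index=1, mandatory=True, case_sensitive=True):
    """Return (valid, captured value) for one response content match rule."""
    pattern = re.compile(regex, 0 if case_sensitive else re.IGNORECASE)
    if group_index > pattern.groups:
        # Python cannot return a group the pattern does not define; the page does
        # not say how the product treats this case, so the sketch rejects the rule.
        raise ValueError(f"regex has {pattern.groups} group(s), index is {group_index}")
    match = pattern.search(body)
    if match is None:
        return (not mandatory, None)
    return (True, match.group(group_index))


def evaluate(status_code, body, rule):
    """Combine status classification and the content rule into one result."""
    status = classify_status(status_code)
    valid, captured = check_content(body, **rule)
    return {"status": status, "content_valid": valid, "captured": captured}


# Constructed sample data (not from a real service).
HEADERS = {"Authorization": "Bearer {{ORG_TOKEN:JSON_WEB_TOKEN}}",
           "Content-Type": "application/json"}
AUTH_VALUES = {"ORG_TOKEN": {"JSON_WEB_TOKEN": "constructed.jwt.value"}}
RULE = {"regex": r'"resourceName"\s*:\s*"([A-Za-z0-9._\-\s]+)"',
        "group_index": 1, "mandatory": True, "case_sensitive": True}
BODY = '{"policies": [{"resourceName": "Linux Base Policy", "enabled": true}]}'
```

With the default ranges, status 302 matches both lists, so the order in which the ranges are checked decides whether a redirect counts as OK or as a warning.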

To configure Administration settings

  1. Configure the following Java runtime settings:
    1. In the JAVA Home (11 or above), enter the path to the Java installation used to execute REST API monitoring.
    2. In the JVM Arguments, enter JVM arguments to control Java runtime behavior, such as memory allocation or garbage collection settings.
  2. Select the Enable Debug checkbox to enable debug logging for REST API monitoring.
    The log files are available in the $PATROL_HOME%/stm/restapi/log directory.
  3. Configure the global proxy settings to access REST APIs through a proxy server.
  4. Select the Enable Annotation checkbox to include descriptive messages with REST API monitoring results.
    Annotations provide additional context, such as response details or validation outcomes, to aid in the interpretation of monitoring data. 
    Important: To enable the Annotation option, the BMC Helix Operations Management metric-annotation service must be enabled.
  5. Select the Enable SSL Hostname Verification checkbox to enforce SSL host name verification when connecting to REST APIs over HTTPS.
    Enabling this setting allows the Knowledge Module to validate the SSL certificate and perform host name verification. Disabling it bypasses SSL certificate validation, allowing connections to older systems that might not meet security requirements. Restart the PATROL Agent for changes to take effect.
Example: Monitoring a Service Health API using API Key authentication

This example shows how to monitor a service health endpoint that is protected using an API key. The authentication profile retrieves an API key and reuses it to periodically check whether the service is available and responding correctly.

Scenario

A service exposes a health‑check API that requires an API key for access. REST API monitoring first retrieves the API key and then uses it to periodically check whether the service is up and responding correctly.

Authentication profile configuration

Field, value, and description:

  • Profile name: ServiceHealth_APIKey
  • Authentication type: API_KEY
  • Auth URL: http://10.155.145.30/api/health/auth
  • HTTP version: HTTP_1_X
  • Auth headers (JSON):
    {
      "x-api-key": "my-real-key",
      "Content-Type": "application/json"
    }
    The headers include the API key required by the authentication API and specify the request format.
  • Auth session TTL (seconds): 3600
    Specifies how long the extracted API key remains valid before authentication is re‑executed.
  • Auth Extract Variable Name: SERVICE_API_KEY
    This configuration extracts the API key from the authentication response and stores it in the SERVICE_API_KEY variable.
  • Auth Extract Match Regex: "API_KEY"\s*:\s*"([^"]*)"
  • Auth Extract Group Index: 1

REST API monitor profile configuration

Field, value, and description:

  • REST API display name: CheckServiceHealth
    Specifies the service health endpoint that REST API monitoring executes to verify service availability.
  • REST API endpoint: http://10.155.145.30/api/health/status
  • Request method type: GET
  • HTTP version: HTTP_1_X
  • Auth headers (JSON):
    {
      "x-api-key": "{{ServiceHealth_APIKey:SERVICE_API_KEY}}",
      "Content-Type": "application/json"
    }
      • ServiceHealth_APIKey is the authentication profile name.
      • SERVICE_API_KEY is the value extracted from the authentication response.
      • REST API monitoring replaces the reference with the actual API key at runtime and executes the REST API request.
  • Response format type: JSON
    Specifies the expected response format and the maximum time REST API monitoring waits for a response.
  • Request timeout (sec): 30
  • Rule name: service-health-ok
    Validates that the REST API response confirms the service is running.
  • Content match regex: service\s+is\s+running
  • Content match group index: 1
  • OK status code ranges: 200–299, 302
    Defines how REST API monitoring evaluates HTTP status codes returned by the service health API.
  • Warning status code ranges: 1–199, 300–999

At runtime:

  • REST API monitoring executes the authentication profile ServiceHealth_APIKey.
  • The API key is extracted from the authentication response and stored as SERVICE_API_KEY.
  • The REST API request for service health is constructed using the extracted API key.
  • The service health endpoint is executed at the configured polling interval.
  • The response is validated, and monitoring metrics are updated.
Example: Monitoring a Secured Report API using JWT token authentication

This example shows how REST API monitoring accesses a secured report API that requires a JWT token. The monitoring system retrieves a JWT token once and reuses it to access the report API.

Scenario

The service exposes a report API that is not publicly accessible. To prevent unauthorized access, the service requires a JWT token with every request. A separate authentication API provides this token. Once the token is received, it can be reused to access the report API for a certain period of time. REST API monitoring retrieves the token and uses it to check whether the report API is available and responding correctly.

Authentication profile configuration

Field, value, and description:

  • Profile name: ReportService_JWT
    This authentication profile defines how REST API monitoring authenticates with the service and retrieves a JWT token.
  • Authentication type: TOKEN
  • Auth URL: https://service.example.com/api/v1/auth/token
  • Auth method: POST
  • HTTP version: HTTP_1_X
  • Auth Variable Name: access_key
    Auth Variable Value: EXAMPLE_ACCESS_KEY_123
    These input variables provide the credentials required by the authentication API and are substituted into the authentication payload at runtime.
  • Auth Variable Name: access_secret_key
    Auth Variable Value: EXAMPLE_SECRET_KEY_456
  • Auth headers (JSON):
    {
      "Content-Type": "application/json"
    }
    Specifies that the authentication request payload is sent in JSON format.
  • Auth payload (JSON):
    {
      "access_key": "{{access_key}}",
      "access_secret_key": "{{access_secret_key}}"
    }
    Provides the authentication parameters required by the authentication API to generate a JWT token.
  • Auth session TTL (seconds): 3600
    Specifies how long the extracted JWT token remains valid before authentication is retried.
  • Auth Extract Variable Name: REPORT_JWT_TOKEN
    This configuration extracts the JWT token from the authentication response and stores it in the variable REPORT_JWT_TOKEN. Mandatory extraction ensures that the REST API execution does not proceed without a valid token.
  • Auth Extract Match Regex: "json_web_token"\s*:\s*"([^"]+)"
  • Auth Extract Group Index: 1

Authentication response

The authentication response returns a JWT token that must be reused to access secured report APIs.

{
  "json_web_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}

REST API monitor profile configuration

Field, value, and description:

  • REST API display name: CheckReportAPI
    Specifies the secured report API endpoint that REST API monitoring executes to validate availability and response content.
  • REST API endpoint: https://service.example.com/api/v1/reports/status
  • Request method type: GET
  • HTTP version: HTTP_1_X
  • Request headers (JSON):
    {
      "Authorization": "Bearer {{ReportService_JWT:REPORT_JWT_TOKEN}}",
      "Content-Type": "application/json"
    }
      • ReportService_JWT is the authentication profile name.
      • REPORT_JWT_TOKEN is the variable that stores the extracted JWT token.
      • REST API monitoring replaces this reference with the actual JWT token at runtime and executes the REST API request.
  • Response format type: JSON
    Specifies the expected response format and the maximum time REST API monitoring waits for a response.
  • Request timeout (sec): 30
  • Rule name: report-api-available
    Validates that the REST API response confirms the report API is available.
  • Content match regex: "status"\s*:\s*"AVAILABLE"
  • Content match group index: 1
  • OK status code ranges: 200–299, 302
    Defines how REST API monitoring evaluates HTTP status codes returned by the report API.
  • Warning status code ranges: 1–199, 300–999

At runtime:

  • REST API monitoring executes the authentication profile ReportService_JWT.
  • A JWT token is extracted from the authentication response and stored as REPORT_JWT_TOKEN.
  • The report API request is constructed using the extracted JWT token.
  • The secured report API is executed.
  • The response is validated and monitoring metrics are updated.

 


BMC PATROL for Synthetic Monitoring 26.2