Use Case

Monitor a Mobile App Backend: The API Your iOS and Android App Calls

14 min read

TL;DR: To monitor a mobile app backend, point monitors at the exact endpoints your iOS or Android app calls (login and token, sync, push-token registration, version gate), not at your App Store listing or marketing site, because a native app is a thin client and those pages stay green through a total backend outage. Velprove does this with a free, no-code multi-step API monitor on those endpoints, plus its free no-code browser login monitor if you have a companion web sign-in at the same domain. The honest boundary: Velprove cannot drive your native app. It probes the endpoints externally from a region you pick, which is precisely the backend a crash reporter like Crashlytics goes quiet on when the app is fine but the server is down. Start free, no credit card required.

1. Your App Store listing is green. Your backend is down. Every user sees a spinner.

Your homepage returns 200. Your App Store listing is five stars. And every person who opens your app right now is staring at a spinner, because the one endpoint your app actually calls, the login and token endpoint, is down, and nothing on your status dashboard knows. The app binary on the phone is fine. It compiled, it shipped, it installed. What broke is the server it talks to, and the listing page that says everything is fine is served by Apple or Google, not by you.

One honest thing up front, because it changes which monitor you reach for. Velprove's headline free monitor is the no-code browser login monitor, and it is the differentiator: it opens a real browser and signs into your own login the way a person does, with no code to write. But it drives a real web browser, not a native app. It cannot tap through your native iOS or Android UI. For a native app, the workhorse is the multi-step API monitor, which hits the same backend endpoints the app calls. The browser login monitor still earns its place here, but only if you also run a companion web sign-in at the same domain. If you do, layer it on top. If you do not, the API monitors below are the whole job.

This is the failure that sends people looking for this post. The marketing site renders. The listing is green. Support is filling up with "the app just spins" and you have no signal that says why, because the only thing you were watching was a page Apple serves. Slack's own engineering post-mortem of its February 22, 2022 incident describes exactly this shape: the incident began just after 6 a.m. Pacific Time and, in their words, many users were unable to connect to Slack. The app on every phone was untouched. The backend behind it was overwhelmed. That is the thin-client truth, and it is the whole reason this post exists.

2. A native app is a thin client. The product is the API behind it.

Walk through what your app actually does on launch. It calls a login or token endpoint. It calls a sync or feed endpoint to pull the user's data. It POSTs its push-notification device token to a registration endpoint. It calls a version-check endpoint to decide whether the installed build is still allowed. Every one of those is an HTTP call to your backend. The app itself is a renderer. The product, the part that can actually go dark, lives on your server.

Now look at what a basic uptime check watches. A homepage GET / → 200 tells you the marketing site renders. It does not exercise the auth endpoint, the sync endpoint, the push-registration endpoint, or the version-gate endpoint, which are the endpoints the app calls. App Store and Play Store listing pages are served by Apple and Google, not by your backend, so they stay green through a total backend outage. There is no Apple or Google surface that shows you your backend is down, because your backend is not their service. The absence of that signal is the point.

This is the same structural problem behind every silent outage: an internal or adjacent signal looks green while the real path users take is broken. We have written about why a 200 OK is not the product in general. The native-app case is one of the sharpest instances of it, because the green you are looking at is not even your server. It is a listing page Apple or Google renders, and it has no idea your API is failing.

3. This is not crash reporting. Crashlytics, Sentry, and Datadog RUM watch a different thing.

Before the failure modes, draw the line clearly, because "mobile monitoring" means two different things and blurring them wastes money. Firebase Crashlytics is, in Firebase's own words, a lightweight, realtime crash reporter that helps you track, prioritize, and fix stability issues, and on Android it reports crashes, non-fatal errors, and Application Not Responding (ANR) errors. Sentry and Datadog RUM sit in the same category: they instrument the client, capture crashes and on-device performance, and send that telemetry up from the user's phone.

Velprove is not that, and it is not trying to be. It runs no code on the user's device. It does not embed in your app, it does not capture crashes, and it does not watch on-device performance. It probes your backend endpoints from outside, from a region you pick. That is a different and complementary concern. Here is the case that makes the difference concrete: a backend that starts returning clean HTTP 503s causes spinners and login failures for every user, with zero crashes. The app handled the error gracefully. So a crash reporter stays completely quiet, because nothing crashed, while your entire install base is locked out.

So run both. Crashlytics or Sentry catch crashes inside the app and go quiet when the app is fine but your backend is down. Velprove watches the backend the app depends on and turns red exactly when those clean 503s start. They cover opposite halves of the same product. Neither replaces the other.

4. Failure mode 1: the long-lived token refresh that logs out your whole install base.

A native app does not ask the user to type a password every launch. It stores a long-lived token, and on launch it quietly calls a refresh or token endpoint to trade that for a fresh access token. When the refresh endpoint breaks, the app cannot get a valid token, so it falls back to the only thing it can do: it logs the user out and shows the sign-in screen. Now your entire install base is staring at a login screen at once, while your marketing site and any web dashboard stay green, because neither of them exercises that endpoint.

This is the case the multi-step API monitor was built for, because a single status ping on the login endpoint is not enough. A login endpoint can return 200 and still hand back a token that does not actually authorize anything. You need to use the token. In prose, the monitor does two steps. Step 1: POST your login or token endpoint with a dedicated test account's credentials, assert the status is 200, and capture the returned token into a variable. Step 2: GET a protected endpoint, the kind the app calls right after sign-in, send that captured token as a Bearer header, and assert the response contains that test user's own data. Now a pass means the full chain works: the token was issued and it actually unlocked protected data. A break anywhere in that chain turns the monitor red.

The mechanics of chaining one step into the next, extracting the token and replaying it, are covered in depth in the multi-step API monitor mechanism guide. This post is about pointing that mechanism at the specific endpoints a native app depends on, so go there for the step-by-step build and stay here for which endpoints matter and why.

Step 1 signs in against the token endpoint and captures the token. Step 2 replays it as a Bearer header against a protected endpoint and asserts on the user's own data. A pass means the whole chain works, not just that login returned 200.
Velprove multi-step API monitor editor in the Create New Monitor wizard showing two steps. Step 1 POSTs to a login or token endpoint with a JSON credentials body and saves the returned token into a variable named token via the JSON path $.access_token. Step 2 GETs a protected endpoint, sends the captured token as an Authorization Bearer header using the token variable, and asserts a 200 status plus a Response Body Contains assertion on the test user's own email.

5. Failure mode 2: the push-token registration endpoint (APNs / FCM) that dies silently.

Push notifications have a leg that runs through your backend, and it is the quietest failure on this list. The flow is: the app registers with Apple Push Notification service or Firebase Cloud Messaging, the platform returns a device token, and then the app forwards that token to your server. Apple documents the app forwarding its token to the app's associated provider. Firebase is blunter: it tells you to retrieve registration tokens and store them on your server, and strongly recommends the app save the token to your app server alongside a timestamp at startup. That "send the token to your backend" leg is an endpoint you own.

When that registration endpoint starts returning 500s, nothing visible breaks. The app launches. The user scrolls. No crash, no error dialog, nothing in a crash reporter, because the app did its part and the registration POST just failed silently in the background. But new installs and token refreshes stop landing in your database, so those users quietly fall off your push list. You find out days later when a campaign goes out and the delivered count is wrong, by which point you have lost the window.

Monitor it directly. Point an API monitor at your registration endpoint, have it POST a sentinel device token the way the app would, assert the status is 200, and add a body assertion on the confirmation your endpoint returns when it has stored the token. Now the moment the endpoint starts 500-ing, the monitor goes red, instead of you discovering it from a low delivery count two campaigns later.

An API monitor POSTs a sentinel device token to the push-registration endpoint the app calls. On the next step you add a 200 status assertion and a Response Body Contains assertion on the stored-token confirmation, so a silent 500 here turns the monitor red instead of vanishing.
Velprove API monitor request-configuration step in the Create New Monitor wizard, with method POST, the push-token registration endpoint URL filled in, a Content-Type application/json header, and a JSON request body containing a sentinel device token, mimicking the POST the app makes when it forwards its push token to the backend.

6. Failure mode 3: the force-update / min-version gate that can lock out everyone.

There is no native API to force users to update on iOS. Apps implement the force-update gate themselves: on launch the app calls a backend version-check endpoint, or the public iTunes Search API, gets back a minimum-allowed version, and if the installed build is too old it shows a blocking "please update" screen. Open-source helpers like Siren do the comparison on the client, and Firebase Remote Config is sometimes used to flip a flag, with Firebase noting it lets you change behavior without publishing an app update. However you wire it, the decision hinges on a response from an endpoint you own.

That makes the version-check endpoint a backend dependency with an unusually nasty blast radius, because it gates launch itself. If it returns garbage or 500s, you get one of two bad outcomes. The app may hard-gate every user out, treating a broken response as "you must update" and showing the blocking screen to your entire install base, including people on the current version. Or it fails open, lets every client through regardless of version, and now incompatible old builds are hitting an API you have already changed. Either way, an endpoint nobody thinks about controls whether anyone can use the app.

Monitor it like the load-bearing dependency it is. Put an API monitor on the version-check endpoint, assert the status is 200, and add a body assertion on the expected minimum-version payload shape, so a malformed or empty response trips the monitor before it trips your users. The mechanics of asserting on a JSON body, pulling a specific field and checking its shape, are covered in the guide on asserting on a health endpoint's JSON body. Apply the same body-assertion technique to the version-gate response.

The version-check endpoint gates app launch, so monitor it like one. Assert the status is 200 and that the JSON body still carries a well-formed minimum-version field. A garbage response turns the monitor red before it locks out your users.
Velprove API monitor Success Conditions step in the Create New Monitor wizard for a backend version-check endpoint, showing two conditions: Status Code Equals 200, and a JSON Path condition on the path $.min_version with the Exists operator, confirming the minimum-version field is present and well-formed in the response body.

7. Failure mode 4: cert pinning, where the endpoint is green and the app is bricked.

Certificate pinning is the trap that breaks a perfectly healthy endpoint for every pinned client at once. A pinned app trusts only a specific certificate or key, not any valid CA. When you rotate the certificate, the new one does not match the pin baked into the shipped app, so the app fails TLS and cannot connect, while every browser and every generic HTTPS monitor sees a valid cert and stays green. Android's own docs warn that future server configuration changes, such as changing to another CA, render apps with pinned certificates unable to connect to the server without receiving a client software update. Cloudflare puts it the same way: pinning carries outage risk, and clients pinned to the old key will fail TLS each time a certificate rotates.

This is the failure where you have to be honest about what an external monitor can and cannot do, because it is easy to overclaim here. Velprove's SSL certificate monitoring, toggled on an HTTPS monitor, reads the live leaf certificate and warns you as expiry approaches. And the HTTPS monitor's own TLS handshake fails the moment a rotated certificate stops validating, which is your cue to release the updated pin in a new app build before the rotation strands clients. What it cannot do is reach inside your installed app and confirm the app's pin set was actually updated. Only releasing and testing the client build proves that. So treat it as a rotation tripwire, not as proof your pinned clients are fine.

The practical posture: if you pin, SSL certificate monitoring on that HTTPS monitor earns its slot as an early warning that a rotation is about to (or did) happen, so you can get an updated build out. That is genuinely useful and worth doing. Just do not read a green certificate result as "the pinned app connects." Those are two different claims, and the gap between them is exactly where pinned-app outages live.

8. Which monitor for which endpoint: a decision section.

You have four failure modes, and three monitor types do the work here. Here is the map, so you are not guessing which tool to point at which endpoint.

Multi-step API monitor for anything that needs a token to prove it works: the auth and token-refresh flow, and any protected endpoint the app calls right after sign-in. Sign in, capture the token, replay it against a protected endpoint, assert on the user's own data. This is the one that catches the logged-out-install-base failure, because it proves the token actually authorizes something.

Single API monitor for endpoints you can check with one request: the push-token registration endpoint, the version-check gate, and any plain health endpoint. Status assertion plus a body assertion on the response the endpoint returns. These are the silent-failure endpoints, the ones that 500 without anyone noticing, so they are exactly the ones worth a standing monitor. The body-assertion mechanics carry over from the API health-check patterns guide.

Browser login monitor only if there is a companion web sign-in at the same domain. It opens a real browser and signs in the way a person does, no code to write, which is the right tool for the human web path but the wrong tool for a native app, because it drives a browser, not your iOS or Android UI. If you do run a web login alongside the app, layer the browser login monitor on the web sign-in and keep the API monitors on the native app's endpoints.

One rule that trips people up: a monitor runs from one region you pick. There is no "run this from all five regions" toggle on a single monitor. If you want coverage from multiple regions, you create one monitor per region against the same endpoint. All five global regions are available on every plan, including free. So to watch your token endpoint from, say, North America and Europe, that is two monitors on the same URL, one per region, and a regional failure shows up as one of them going red while the other stays green, which is how you tell a regional problem from a global one.

And to be clear about ownership: this post is about your own backend behind a native client. If the API your app depends on is a third party you do not control, like an LLM provider, the triage is different, and the same pattern when the API your app calls is a third-party provider covers that case. Here we are watching the endpoints you wrote.

Each monitor runs from one region you pick. To watch the same endpoint from more regions, create one monitor per region. All five global regions are available on every plan, including free.
Velprove Schedule and Alerts step in the Create New Monitor wizard for an API monitor, showing the Monitor From region picker with the five global regions (North America, Europe, United Kingdom, Asia, Oceania) and exactly one region, North America, selected. The helper text reads that one monitor will be created, illustrating that each monitor runs from a single region.

Frequently Asked Questions

Can Velprove monitor APNs or FCM push notifications?

Not push delivery itself, and it runs no code on the device. What it monitors is your own backend's token-registration endpoint, the leg where the app POSTs its device token to your server. Firebase's own docs tell you to store those tokens on your server, and Apple's APNs flow has the app forward its token to your provider. If that registration endpoint starts returning 500s, new installs and token refreshes silently stop registering, and those users simply never get pushes, with no crash and nothing the user sees. A Velprove API monitor POSTs a sentinel token to that endpoint and asserts on the success response, so you find out the moment it breaks.

Can Velprove test my app's force-update gate?

Yes, by monitoring the backend version-check endpoint your app calls on launch to decide whether the installed client version is still allowed. Velprove cannot trigger the native update UI, because there is no native force-update primitive on iOS. The gate is something your app implements against that endpoint. So Velprove monitors the endpoint: it asserts the status is 200 and that the JSON body still carries the expected minimum-version shape, so a broken or garbage version-check response turns the monitor red before it locks out or fails open for your whole install base.

Does Velprove sign into my actual iOS or Android app?

No. The browser login monitor drives a real web browser, not a native app, so it cannot tap through your native iOS or Android UI. Coverage for a native app's backend is the multi-step API monitor hitting the same HTTP endpoints the app calls: it signs in against your login or token endpoint, captures the token, and replays it against a protected endpoint. The browser login monitor still applies if you have a companion web sign-in at the same domain, layered on top of the API monitors.

Is Velprove a crash-reporting tool like Crashlytics or Sentry?

No, and it is complementary, not a replacement. Crashlytics and Sentry are on-device crash and ANR reporters: they catch crashes inside the app and go quiet when the app is fine but your backend is down. A backend that returns clean HTTP 503s causes spinners and login failures with zero crashes, which is invisible to a crash reporter. Velprove runs no on-device code. It probes the backend endpoints externally from a region you pick, watching the server the app depends on. Run both: the crash reporter for client-side stability, Velprove for backend uptime.

Will a generic HTTPS monitor catch a certificate-pinning failure?

Not the pin mismatch itself. A browser-based or CA-trust monitor stays green while a pinned app fails TLS, because the monitor trusts any valid CA while the app trusts only its old pinned key. Velprove's SSL certificate monitoring, toggled on an HTTPS monitor, reads the live leaf certificate and warns as expiry approaches, and the HTTPS monitor's TLS handshake fails the moment a rotated certificate stops validating, which is your cue to release the updated pin in a new app build. What it cannot do is confirm the app's pin set was actually updated. That confirmation only comes from releasing and testing the client build.

Can I monitor my mobile app backend on the free plan?

Yes. Free includes 10 monitors at 5-minute intervals, multi-step API monitors up to 3 steps, one no-code browser login monitor every 15 minutes, all six assertion types, email alerts, and commercial use allowed. A monitor runs from one region you pick. To cover more regions, create one monitor per region against the same endpoint.

Monitor your mobile app backend free

The trap is the green that is not yours: the App Store listing, the marketing homepage, the crash reporter that stays quiet because nothing crashed, all reporting fine while your backend hands every user a spinner. The fix is to monitor the endpoints the app actually calls. A multi-step API monitor on the auth and token-refresh flow that captures a token and replays it against protected data. Single API monitors on the push-token registration endpoint and the version-check gate, with body assertions, because those fail silently. SSL certificate monitoring on the HTTPS monitor as a cert-rotation tripwire if you pin. And the no-code browser login monitor on your companion web sign-in if you have one.

Velprove's free plan covers all of it: 10 monitors at 5-minute intervals, multi-step API monitors up to 3 steps, one no-code browser login monitor, all six assertion types, email alerts, commercial use allowed, and no credit card. Pick a region per monitor, and add a second region on the endpoints that matter most. Sign up free and point a monitor at the API your iOS and Android app actually calls.

Start monitoring for free

Free browser login monitors. Multi-step API chains. No credit card required.

Start for free
More articles