Vendor API silent data gap: HTTP 200 with an empty payload
Your SD-WAN controller dashboard shows flat lines. The Meraki organization API has not updated in twenty minutes. The PAN-OS firewall telemetry stopped at 03:00. Your collector logs show zero errors, every request returned HTTP 200, and no 5xx or timeout appears anywhere. But the data is gone.
The API endpoint is reachable, the TCP connection succeeds, the HTTP status code says OK, and the response body is empty, null, or contains an error wrapped inside a success envelope. Your collector accepted the response as valid because it checked the status code and nothing else. Many API adapters treat a 200 with an empty payload as “no data to report” rather than “the API is broken.” Charts go flat, but no error fires. If the API is your only telemetry source for an SD-WAN overlay or a cloud-managed firewall estate, you are blind without knowing it.
What this means
HTTP 200 signals a successful HTTP transaction. It places no obligation on the server to include a meaningful body. A vendor API that returns an empty JSON object, a null data field, or an error flag buried inside a 200 envelope is conformant to the HTTP specification. The problem is that collectors and monitoring adapters that rely solely on the HTTP status code cannot distinguish between “success with data” and “success without data.”
This failure mode affects vendor northbound APIs: RESTCONF, NETCONF, gNMI, gRPC-based telemetry streams, controller REST APIs (Cisco Catalyst Center, Meraki Dashboard, Cato GraphQL), and firewall XML APIs (PAN-OS). SNMP and ICMP do not have this problem because they either return data or timeout. The gap exists only where an application-layer protocol carries its own success and failure semantics inside an HTTP envelope.
PAN-OS is the canonical example. The XML API returns HTTP 200 for virtually every request, including those that fail. A response body containing <response status="error"> with an error message is delivered inside a 200 envelope. An adapter that checks only the HTTP status code will see 200 and treat the response as successful. Meraki and Cato APIs return structured JSON where the error is a field inside the body, not a separate status code. For gRPC-based telemetry (Juniper JTI, gNMI), the HTTP/2 frame always carries :status=200; the actual call outcome lives in the grpc-status trailer, which many load balancers and access logs do not inspect.
flowchart TD
A["API returns 200"] --> B{"Body present?"}
B -- "empty/null" --> C["Silent empty gap"]
B -- "has content" --> D{"Error marker in body?"}
D -- "yes" --> E["Semantic error"]
D -- "no" --> F{"Schema matches?"}
F -- "no" --> G["Schema drift"]
F -- "yes" --> H["Healthy"]
C --> I{"Auth valid?"}
I -- "401/403/404" --> J["Key expired or revoked"]
I -- "valid" --> K["Vendor backend fault"]
E --> K
G --> L["API version changed"]Common causes
| Cause | What it looks like | First thing to check |
|---|---|---|
| API key expired or revoked | 200 with empty body, or intermittent 401/403 that retry logic swallowed | Manually curl with the current key and inspect the full response |
| Vendor API schema change | 200 with data, but parser fails or produces null fields | Compare response structure to the vendor API changelog |
| Vendor maintenance or backend fault | 200 with empty payload across multiple endpoints simultaneously | Check the vendor status page |
| Rate limiting (HTTP 429) | Intermittent empty responses during high-poll periods | Inspect response headers for Retry-After |
| Collector adapter bug | 200 with valid data, but adapter mishandles the payload | Enable debug logging on the adapter and inspect raw response |
Quick checks
# PAN-OS: inspect the full response body, not just the status code.
# Note: key in URL is visible in shell history and process list; use X-PAN-KEY header in production.
curl -sk "https://<fw>/api/?type=op&cmd=<show><system><info></info></system></show>&key=<apikey>" | head -20
# Meraki: check organization listing and HTTP status separately
curl -s -H "X-Cisco-Meraki-API-Key: $KEY" https://api.meraki.com/api/v1/organizations | python3 -m json.tool
curl -s -o /dev/null -w "%{http_code}\n" -H "X-Cisco-Meraki-API-Key: $KEY" https://api.meraki.com/api/v1/organizations
# Cato: GraphQL query with full response inspection
curl -s -H "x-api-key: $KEY" -H "Content-Type: application/json" \
-d '{"query":"{ accountSnapshot(accountID: \"<id>\") { sites { name connectivityStatus } } }"}' \
https://api.catonetworks.com/api/v1/graphql2 | python3 -m json.tool
# Check rate-limit headers on Meraki
curl -sI -H "X-Cisco-Meraki-API-Key: $KEY" https://api.meraki.com/api/v1/organizations | grep -i 'ratelimit\|retry'
# Check rate-limit headers on Cato (Cato does not formally publish these; verify empirically)
curl -sI -H "x-api-key: $KEY" https://api.catonetworks.com/api/v1/graphql2 | grep -i 'ratelimit\|retry'
# Verify ICMP path to vendor cloud is healthy (note: some cloud providers deprioritize ICMP)
ping -c 5 api.meraki.com
How to diagnose
Manually reproduce the API call. Use curl against the same endpoint the collector polls. Inspect the full response body, not just the HTTP status code. Look for error markers inside the payload: PAN-OS
<response status="error">, JSON fields like"isError": true, or empty result arrays where data should exist.Distinguish auth failure from data failure. A 401 or 403 response means the API key is expired, revoked, or the SAML/SSO admin context changed. Meraki v1 returns 404 (not 403) on a bad API key by design, to avoid leaking resource existence. If the response is 200 but empty, the auth may still be valid but the backend is not returning data.
Check for rate limiting. Look for HTTP 429 responses in collector logs. Inspect response headers for
Retry-After(Meraki returns this; Cato does not formally publish rate-limit headers, so verify empirically). Multiple collectors sharing the same API key share the same counter.Check the vendor status page. If the API is returning empty payloads across multiple endpoints, check whether the vendor has an active incident. If the status page shows green but your API calls are failing, you may be early to a multi-customer incident.
Compare SNMP and API data. If SNMP is available for the same device, check whether SNMP-polled data is also stale. API down with SNMP up points to a vendor-cloud-side issue. Both down points to a device or network issue.
Check the API changelog. A schema change without a version bump can cause your parser to silently fail. The response may contain data, but the fields your adapter expects may have moved or been renamed.
Check token expiry timing. API key rotation is the most common cause of silent failures. Tokens often expire on schedules that do not align with operator memory. Check when the current key was issued and when it expires.
Metrics and signals to monitor
| Signal | Why it matters | Warning sign |
|---|---|---|
| API response payload validity | HTTP 200 with empty body is the primary failure mode | Non-zero count of 200-with-empty-payload responses |
| Data freshness for API-sourced metrics | Staleness is the downstream symptom of the gap | Time since last non-empty response exceeding 2x poll interval |
| API request latency | Rising latency indicates vendor-side backpressure | p99 latency exceeding 5x rolling baseline |
| HTTP 429 rate | Throttling produces intermittent gaps | Any sustained 429 rate above 0 |
| HTTP 401/403/404 rate | Auth failures are security-relevant | Any nonzero value is abnormal |
| API rate-limit remaining | Approaching zero means imminent throttle | Below 20% of quota |
| ICMP to vendor cloud | Confirms network path health | Loss or latency spike to the vendor API hostname |
| Vendor API schema version | Schema drift breaks parsers silently | Version mismatch between expected and actual |
Fixes
API key expired or revoked
Rotate the key immediately. For PAN-OS, generate a new key via /api/?type=keygen&user=<u>&password=<p> and pass it as the X-PAN-KEY header or key= query parameter. For Meraki, generate a new key from the dashboard (SAML/SSO admins cannot generate API keys; use a local dashboard admin). For Cato, generate a new API key from the admin portal. Update the collector configuration and verify the new key returns valid data.
Track key expiration dates as an operational metric. Alert when any API key is within 7 days of expiry. This is the single most effective prevention measure for silent API gaps.
Vendor API schema change
Update the collector adapter to handle the new schema. Check the vendor API changelog for breaking changes. If the vendor changed the schema without a version bump, add schema validation logic that checks for expected fields in the response and flags their absence.
Vendor maintenance or backend fault
Wait for the vendor to resolve the issue. Switch to supplementary telemetry if available. If SNMP is configured on the same devices, SNMP data may continue flowing while the API is down. If the API is the only telemetry source, which is common for SD-WAN overlays, there is no fallback. Document the gap in the incident record and set expectations for when data will resume.
Rate limiting
Reduce polling frequency. Shard collectors to use separate API keys if the vendor supports multiple keys per organization. Implement exponential backoff in the collector and respect the Retry-After header where present. For Meraki, the documented limit is 10 req/sec per organization. For Cato, different query types have different limits: accountSnapshot at 1/sec is the tightest constraint and is easily exceeded if multiple collectors share a key.
Collector adapter bug
Enable debug logging on the adapter to capture raw API responses. Compare the raw response to what the adapter is parsing. If the adapter is silently dropping valid data due to a parsing bug, file a bug report with the raw response and the expected parsed output.
Prevention
Validate response payloads, not just status codes. Every API adapter should check for expected fields in the response body. For PAN-OS, check for <response status="success"> in the XML. For JSON APIs, check that expected data arrays or objects are non-null and non-empty when they should contain data.
Monitor data freshness explicitly. Track the timestamp of the last successful, non-empty API response per endpoint. Alert when this exceeds 2x the poll interval. This catches silent gaps that status-code-only checks miss.
Track API key lifecycle. Maintain an inventory of all API keys, their creation dates, and their expiration or rotation schedules. Alert when any key approaches expiry. Some vendor keys do not have formal expiration timestamps, but they can be revoked or rotated by dashboard admins at any time.
Implement schema validation. At minimum, check that the response contains the top-level fields your adapter expects. Full JSON Schema validation is better but may be excessive for most use cases.
Share API keys deliberately. If multiple collectors share a single API key, they share a single rate-limit counter. Document which collectors use which keys, and monitor aggregate usage against the vendor’s published limits.
How Netdata helps
- Netdata can inspect HTTP response codes and body content from vendor APIs, alerting on 200-with-empty-payload patterns that status-code-only checks miss.
- Correlate API response validity with downstream metric freshness: if the Cato API starts returning empty payloads, Netdata shows the downstream effect on SD-WAN tunnel metrics in the same view.
- Track API request latency alongside response validity to distinguish vendor-side backpressure from silent failures.
- Monitor SNMP data in parallel with API data for the same devices, making it immediately visible when the API is down but SNMP is still flowing.
- Alert on data freshness thresholds: time since last non-empty API response exceeding 2x poll interval triggers an alert regardless of HTTP status code.
- Collect per-endpoint API error rates, including 401/403/404 responses that indicate auth issues before they become silent gaps.
Related guides
- ARP cache staleness: when IP-to-MAC mapping goes bad
- Asymmetric routing: why your path and latency measurements lie
- Audit log gaps: detecting syslog/trap tampering or loss
- BGP flapping: why a peer keeps resetting and how to find the cause
- BGP NOTIFICATION and Cease messages: what each subcode is telling you
- BGP RIB and FIB growth: monitoring route-table size before it bites
- BGP route leak and hijack: the detection signals and alerts that matter
- BGP session Established but stale: detecting silent route loss
- Cold-start topology: why your map is incomplete after a collector restart
- Locating endpoints behind NAT and wireless: the positioning problem
- Stale FDB/MAC tables: why endpoint location is wrong
- NetFlow storage sizing: how much disk your flow collector really needs