GUIDE / performance
What Is a Good API Response Time?
What is a good API response time? Learn p95 vs average targets, SLA vs SLO, industry benchmarks, and how to set latency goals your API can actually meet.
Teams ask what is a good API response time because "it feels slow" is not a release criterion. Product wants snappy experiences. Engineering wants realistic budgets. QA needs numbers that can be tested. A good answer is never a single universal millisecond value. It is a percentile target for a specific operation, under a defined load, with a clear error budget and business context.
This guide explains what a good API response time looks like in practice, how to use p95 and p99 targets, how API latency benchmarks can help without becoming dogma, how SLA and SLO differ, and how to set acceptable API response time goals for reads, writes, and multi service journeys. You will also get tables, examples, and common mistakes.
What Good API Response Time Really Means
A good API response time is a latency level that:
- Supports the user journey without noticeable friction.
- Leaves room for real world networks and retries.
- Holds under expected peak load, not only in an idle lab.
- Is measurable with the same definition across teams.
- Can be owned by a service team with clear dependencies.
Response time is not only a stopwatch number. It is a promise about experience and capacity.
Define the metric before the target
People mix these up constantly:
| Term | Simple meaning | Use for goals? |
|---|---|---|
| Average latency | Mean of all observed times | Secondary only |
| Median (p50) | Half of requests faster than this | Good for "typical" view |
| p95 | 95 percent of requests faster than this | Common primary target |
| p99 | 99 percent of requests faster than this | Tail focused primary or secondary target |
| Max | Slowest observed | Debugging, not usually the SLO |
| TTFB | Time to first byte | Web document and some API diagnostics |
| Apdex | Satisfaction score from thresholds | Communication aid, still needs raw percentiles |
If your dashboard says "response time 300 ms" and nobody knows which of these it is, you do not have a real target yet.
Why "It Depends" Is the Correct Starting Point
Two APIs can both be healthy with very different latencies.
GET /feature-flagsmight need p95 under 50 to 100 ms because it blocks app startup.POST /reports/exportmight be allowed several seconds if it is asynchronous and returns a job id quickly.POST /payments/confirmmight allow higher latency than a like button, but demand near zero hard failures.
Context that changes the answer:
- Consumer facing mobile vs internal batch
- Synchronous user wait vs background processing
- Read vs write
- Cache hit path vs cold path
- Single region vs multi region
- Payload size
- Consistency requirements
- Downstream third parties
A good target respects the slowest honest dependency you refuse to hide.
Practical Latency Ranges Teams Use
These ranges are starting points for discussion, not laws of physics. Adjust with your product research and architecture.
Lightweight read APIs
Examples: current user profile summary, feature flags, product price for a known id, session validation on a warm cache path.
| Quality band | p95 guideline | Notes |
|---|---|---|
| Excellent | <= 100 ms | Often needs caching and local region |
| Strong | 100 to 200 ms | Common ambitious product target |
| Acceptable many apps | 200 to 400 ms | Still feels responsive on good networks |
| Needs scrutiny | > 400 ms | May be fine for heavier reads, not for startup critical calls |
Standard business read APIs
Examples: search, order history list, filtered catalogs, dashboards.
| Quality band | p95 guideline | Notes |
|---|---|---|
| Strong | 200 to 400 ms | Depends on index design and data size |
| Acceptable | 400 to 800 ms | Common for richer queries |
| User visible friction | > 800 ms to 1.5 s | Needs progress UI or query redesign |
| Likely problem for UX | > 2 s synchronous | Consider async, pagination, or precompute |
Write and transactional APIs
Examples: add to cart, submit form, create booking, place order.
| Quality band | p95 guideline | Notes |
|---|---|---|
| Strong | 300 to 700 ms | Includes validation and durable write |
| Acceptable | 700 ms to 1.5 s | Provide clear UI feedback |
| Risky for checkout feel | > 2 s | Users retry, creating more load |
| Redesign territory | multi second critical path | Split async steps where safe |
Hard dependencies and third parties
If a payment processor median is 600 ms, your end to end "confirm payment" p95 cannot magically be 150 ms without changing the architecture (for example optimistic UI plus async confirmation, or a different provider path).
Budget honestly:
User perceived budget
- client processing
- network up and down
- API gateway
- your service logic
- database
- sibling services
- third parties
= remaining slack
If slack is negative, the target is fantasy.
p95 Response Time Targets Beat Averages
Why percentiles dominate modern API latency goals:
- Users experience individual requests, not averages.
- Mobile networks and GC pauses create tails.
- A small percentage of slow requests can dominate support tickets.
- Autoscaling and caches can make averages look fine while p99 burns.
Example distribution:
| Request group | Latency |
|---|---|
| 90 requests | 120 ms |
| 5 requests | 300 ms |
| 4 requests | 900 ms |
| 1 request | 5,000 ms |
Average is about 250 ms. That looks "good." p95 is around 900 ms. p99 is multi second. If your app calls this API on every keystroke, users will complain while the average dashboard stays green.
Primary gate recommendation:
- Track p50, p95, p99
- Gate on p95 (and p99 for high sensitivity paths)
- Always pair with error rate
- Review max only for incident debugging
For report reading technique, see how to read a performance test report.
Acceptable API Response Time Depends on Load
A target without a load context is incomplete.
Better goal statements:
For POST /checkout/complete in production region eu-west:
- p95 <= 700 ms
- p99 <= 1.5 s
- error rate <= 0.5%
at 120 checkouts per minute sustained for 20 minutes
on the standard production topology.
Weaker goal statements:
Checkout should be under 1 second.
The weak version does not say percentile, load, environment, or failure definition.
When you validate targets, use proper API load testing profiles: smoke, baseline, peak, and where needed spike or soak.
API SLA vs SLO Latency
SLO (Service Level Objective)
Internal target used by product, engineering, and QA:
- Detailed
- Percentile based
- Endpoint or journey based
- Reviewed often
- Tied to alerting and release gates
SLA (Service Level Agreement)
External or contractual commitment:
- Usually coarser
- Legal and commercial weight
- Often monthly availability more than deep latency detail
- Should be weaker than internal SLO so you have margin
Example:
| Layer | Commitment |
|---|---|
| Internal SLO | p95 < 300 ms for GET /v1/prices over 30 days, excluding client errors |
| Public SLA | 99.9% monthly availability; best effort performance |
| Alerting | Page if p95 > 450 ms for 10 minutes |
| Release gate | Fail perf test if peak p95 > 300 ms |
Never let marketing publish a public latency SLA that engineering cannot measure per endpoint under load.
What Is a Good Server Response Time for Websites?
API JSON latency and website server response time are cousins.
For websites, server response influences Time to First Byte (TTFB), which influences Largest Contentful Paint (LCP) and perceived speed. A "good" document TTFB is often in the low hundreds of milliseconds on typical connections, but geography, CDN strategy, and caching change the picture.
If your question is page experience rather than pure API contracts, also read Core Web Vitals. Front end performance can make a fast API feel slow, and a mediocre API can still support a decent page if rendering is careful. Measure both layers.
How to Set Latency Targets in a Real Team
Step 1: Identify critical journeys
List the top user journeys by revenue, retention, or support cost:
- Sign in
- Search
- Add to cart
- Checkout
- Create content
- Load primary dashboard
Step 2: Capture current baselines
Measure production field latency if available (RUM, APM, gateway metrics). Lab only numbers are not enough.
Record:
- p50 / p95 / p99 by endpoint
- Peak traffic windows
- Error rates
- Dependency timings
Step 3: Separate user budget from service budget
Example checkout user budget: 1.5 s perceived confirmation.
Rough split:
| Segment | Budget |
|---|---|
| Mobile network and TLS | 300 ms |
| Client handling and UI | 200 ms |
| API gateway | 50 ms |
| Checkout service | 400 ms |
| Inventory service | 200 ms |
| Payments partner | 350 ms |
Already tight. This forces architecture choices: parallel calls, caching, async confirmation, or partner SLAs.
Step 4: Write endpoint classes
Not every endpoint earns the same budget.
| Class | Example | p95 target band |
|---|---|---|
| Class A interactive | typeahead, feature flags | 50 to 200 ms |
| Class B standard read | lists, details | 200 to 500 ms |
| Class C transactional write | cart, booking | 300 to 1000 ms |
| Class D heavy sync | complex report | 1 to 3 s or convert to async |
| Class E async job start | export, reindex | 200 to 500 ms to accept job |
Step 5: Encode targets in tests and alerts
- Performance tests fail the pipeline when thresholds break.
- APM alerts fire when field percentiles break.
- Error budgets prevent endless feature work while reliability burns.
Step 6: Review after architecture changes
A new fan out, a heavier auth middleware, or a cross region call can invalidate old targets. Re-baseline.
Industry Benchmarks: Use Carefully
You will see blog posts claiming "APIs should respond in under 100 ms" or "Google says X." Some of that guidance comes from human perception research and web performance studies. It is useful inspiration. It is dangerous as a copy paste SLO for every microservice.
Better use of benchmarks:
- Motivate investment in slow critical paths.
- Compare relative standing against competitors when you have real data.
- Calibrate executive expectations.
Worse use of benchmarks:
- Shame teams whose domain includes inherently slow third parties.
- Set one number for every endpoint.
- Optimize lab synthetic tests while field mobile users still suffer.
Client Side Perception vs Server Timing
A server can respond in 180 ms and the user still waits a second because:
- The client makes five sequential API calls.
- Waterfalls wait for non critical resources.
- Large JSON must be parsed on a low end phone.
- UI blocks rendering until every call finishes.
- Retries double wait time after a single timeout.
So a good API response time is necessary but not sufficient. QA should also test:
- Number of calls per journey
- Parallel vs sequential patterns
- Payload size
- Timeout and retry policy
- Idempotency under double submit
Timeouts, Retries, and "Good" Latency
Timeouts should be larger than normal success latency, but not infinite.
Heuristic pattern:
p99 success latency under peak
+ safety margin
< client timeout
< upstream gateway timeout
If p99 is 1.2 s and the client times out at 1.0 s, you manufactured errors. Those errors trigger retries, which increase load, which worsen latency. Bad timeout design can destroy an otherwise acceptable response time profile.
Examples of Well Written Latency Goals
Example 1: Public read API
SLO: For GET /v1/products/{id} in prod us-east-1,
p95 latency <= 150 ms and p99 <= 400 ms
measured at the service boundary,
excluding 4xx client errors,
over rolling 28 days,
during all traffic conditions.
Release gate: peak load test p95 <= 150 ms at 3x average RPS.
Example 2: Search API
SLO: For POST /v1/search,
p95 <= 500 ms for result sets under default page size,
error rate <= 1% for 5xx and timeouts.
Heavy queries over advanced filters are tracked separately
and may use p95 <= 1.2 s.
Example 3: Export API
SLO: POST /v1/exports must accept a valid job with p95 <= 300 ms
and return job_id. Completion time is a separate pipeline SLO
and is not part of the interactive response time budget.
These goals are testable. That is the point.
How QA Should Validate Response Time Claims
- Confirm metric definition with backend owners.
- Verify dashboards use the same percentile and boundary (gateway vs service).
- Run baseline and peak load profiles with checks.
- Compare against previous release.
- Inspect dependency breakdown for regressions.
- Report pass fail against the written SLO, not against feelings.
Suggested evidence table:
| Endpoint | SLO p95 | Baseline p95 | Candidate p95 | Error % | Decision |
|---|---|---|---|---|---|
| GET /prices | 200 ms | 160 ms | 250 ms | 0.2% | Fail |
| POST /cart | 700 ms | 520 ms | 540 ms | 0.3% | Pass |
| POST /checkout | 900 ms | 800 ms | 880 ms | 0.8% | Conditional |
Conditional might mean: ship with feature flag off for high traffic tenants, or ship only after query fix.
Common Mistakes About API Response Time Goals
Mistake 1: One number for the whole company
"All APIs under 200 ms" sounds decisive and fails on contact with payments, search, and ETL style endpoints.
Mistake 2: Lab idle latency as the SLO
An unloaded local Docker compose average is not production truth.
Mistake 3: Average only dashboards
Green means hide the pain.
Mistake 4: Ignoring multi call journeys
Each call is "fine" at 300 ms, but eight sequential calls are not fine.
Mistake 5: Copying competitor marketing claims
You do not know their percentile, region, cache rate, or failure exclusions.
Mistake 6: No error budget linkage
Fast responses that fail open are not good performance.
Mistake 7: Forgetting cold starts and cache warming
Serverless and empty caches need explicit policy.
Mistake 8: Setting p99 equal to the happy path dream
P99 must include real tail causes or it will page forever and get ignored.
Mistake 9: Not versioning goals with architecture
Cross region expansion changes the possible floor.
Mistake 10: Leaving QA out of the definition
If testers cannot operationalize the metric, it will not be validated before users find it.
Decision Helper: Choosing Your First Targets
If you need a pragmatic starting set tomorrow:
| Journey type | Starting p95 | Starting p99 | Error budget |
|---|---|---|---|
| Auth / session validate | 200 ms | 500 ms | 0.1% to 0.5% |
| Core entity read | 300 ms | 800 ms | 0.5% |
| Search | 500 ms | 1.5 s | 1% |
| Cart / form write | 700 ms | 2 s | 0.5% |
| Payment confirm | 1.0 s | 3 s | near zero hard fail, define carefully |
| Async job accept | 300 ms | 1 s | 0.5% |
Then tighten or relax with field data within two sprints. The goal is movement toward user value, not perfect first draft math.
How This Fits Performance Test Types
- Load tests check whether good response times hold at expected peak.
- Stress tests show when latency leaves the good band and errors explode.
- Spike tests show whether bursts push you out of the good band temporarily.
- Soak tests show whether latency slowly worsens from leaks.
Targets without the right test type produce false confidence. See load vs stress vs soak vs spike.
Practice Setting and Defending Targets
Being able to explain good API response time tradeoffs is an interview and workplace skill. Use QABattle to practice structured performance reasoning: state the user journey, pick a percentile, defend the budget, and describe how you would test it. If you are building a fuller performance and API practice path, sign up and keep notes on real targets from systems you test.
Final Checklist for Latency Goals
- Name the endpoint or journey.
- Choose percentile primary metrics (usually p95, often plus p99).
- State load and environment assumptions.
- Include error rate.
- Split user budget across network, app, and dependencies.
- Classify endpoints instead of forcing one number.
- Encode goals in APM alerts and performance tests.
- Review after major architecture or traffic changes.
- Report regressions with baseline deltas.
- Prefer honest async design over fantasy synchronous targets.
So, what is a good API response time? It is the percentile latency that keeps a specific journey usable under real load, with room for networks and dependencies, measured consistently, and enforced with tests and alerts. For many interactive reads, that lands in the low hundreds of milliseconds at p95. For complex writes, it may be higher. For heavy work, the good response may be a fast job acceptance rather than a long synchronous wait.
If you remember one rule, remember this: a good latency target is a testable product promise, not a round number copied from a blog post.
Regional, Mobile, and Cache Reality Checks
A good API response time in one region can be impossible in another if your architecture is single region without an edge strategy. Mobile clients on high latency networks also experience the same server time plus more round trips. When setting goals:
- State the region or the multi region aggregation method.
- Decide whether targets are measured at the server, gateway, or client.
- Separate cold cache and warm cache objectives when they differ by design.
- Avoid promising global p95 numbers you only measure from a co-located load generator.
If product marketing wants a worldwide claim, engineering must either invest in multi region delivery or narrow the claim. QA should force that clarity by asking where the percentile is measured.
FAQ
Questions testers ask
What is a good API response time?
A good API response time depends on the endpoint and user journey, but many product APIs aim for p95 under 200 to 500 ms for lightweight reads and under 500 ms to 1 s for more complex business operations. Always define latency with percentiles, environment, and load level, not a single average from an empty test box.
Is 200 ms a good API response time?
200 ms can be an excellent target for simple authenticated reads on a warm path, but it is not universal. Payment confirmation, search over large indexes, or multi service orchestration may need higher budgets. Use 200 ms as a design aspiration for critical reads, then validate with real percentiles under peak load.
Should I use average or p95 for API latency goals?
Use percentiles such as p95 and p99 as primary goals. Averages hide tail latency that users feel and that mobile clients amplify. Report average as supporting context if you want, but gate releases on percentiles, error rate, and throughput together.
What is the difference between API SLA and SLO latency?
An SLO is an internal reliability or performance objective the team uses to manage quality. An SLA is an external contractual commitment, often with credits or penalties. Latency SLOs are usually stricter and more detailed than marketing SLAs. Do not publish an SLA you cannot measure and meet with margin.
What is a good server response time for web pages?
For HTML documents, many teams aim for a fast Time to First Byte, often under a few hundred milliseconds on typical broadband, because slow TTFB harms LCP and perceived speed. API JSON endpoints and full page loads are related but not identical. Measure the metric that matches the user path.
How do I set response time targets for microservices?
Budget from the user journey downward. If the mobile client needs p95 under 800 ms for checkout, reserve time for network and client work, then split the remaining budget across gateway and downstream services. Give chatty fan out paths tighter internal targets and measure each dependency under load.
RELATED GUIDES
Continue the route
How to Read a Performance Test Report
Learn how to read a performance test report: interpret p95 and p99, error rates, throughput vs latency graphs, and find bottlenecks from load test results.
How to Do API Load Testing
Learn how to do API load testing: design realistic scenarios, set thresholds, run concurrent users, read metrics, and avoid false confidence on REST APIs.
Core Web Vitals: Measuring and Improving Performance
Core Web Vitals guide to LCP, INP, and CLS: good scores, lab vs field data, SEO impact, and practical steps to improve LCP and CLS on real sites.
Load vs Stress vs Soak vs Spike Testing
Compare load vs stress vs soak vs spike testing with a types chart, when to run each, endurance tips, and practical scenario examples for QA teams.