I've audited dozens of APIs over the past few years, and the same performance killers show up again and again. The good news: most of them are fixable in a day.
1. The N+1 Query Problem
This is the single most common performance issue. You fetch 50 orders, then for each one make a separate query for customer info. That's 51 queries where one would do. Fix: eager loading or DataLoader.
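The 51-versus-1 count above can be measured directly. The following is an added example, not code from the original post: it uses Python's built-in sqlite3 with a constructed orders/customers schema (the table names, column names, and helper functions are assumptions) and counts the statements issued by the N+1 loop, a JOIN (eager loading), and a DataLoader-style batched lookup.

```python
import sqlite3

def make_db(n_orders=50):
    """Constructed sample data: n_orders orders spread over 10 customers."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id INTEGER, total REAL);
    """)
    db.executemany("INSERT INTO customers VALUES (?, ?)",
                   [(i, f"customer-{i}") for i in range(1, 11)])
    db.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                   [(i, i % 10 + 1, i * 1.5) for i in range(1, n_orders + 1)])
    db.commit()
    return db

def count_queries(db, fn):
    """Run fn(db); return (rows, number of SQL statements it executed)."""
    seen = []
    db.set_trace_callback(seen.append)
    try:
        return fn(db), len(seen)
    finally:
        db.set_trace_callback(None)

ORDERS_SQL = "SELECT id, customer_id, total FROM orders ORDER BY id"

def n_plus_one(db):
    """One query for the orders, then one more per order for its customer."""
    rows = []
    for oid, cid, total in db.execute(ORDERS_SQL).fetchall():
        name = db.execute("SELECT name FROM customers WHERE id = ?", (cid,)).fetchone()[0]
        rows.append((oid, name, total))
    return rows

def eager_join(db):
    """Eager loading: a single JOIN returns orders with customer names."""
    return db.execute("SELECT o.id, c.name, o.total FROM orders o "
                      "JOIN customers c ON c.id = o.customer_id ORDER BY o.id").fetchall()

def batched(db):
    """DataLoader-style batching: collect the keys, fetch them in one IN query."""
    orders = db.execute(ORDERS_SQL).fetchall()
    ids = sorted({cid for _, cid, _ in orders})
    marks = ",".join("?" * len(ids))  # placeholders only; values stay bound parameters
    names = dict(db.execute(f"SELECT id, name FROM customers WHERE id IN ({marks})", ids))
    return [(oid, names[cid], total) for oid, cid, total in orders]

if __name__ == "__main__":
    db = make_db()
    for fn in (n_plus_one, eager_join, batched):
        rows, n = count_queries(db, fn)
        print(f"{fn.__name__}: {len(rows)} rows, {n} queries")
```

All three functions return identical rows; only the number of round trips to the database differs.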
2. Missing Database Indexes
Tables with millions of rows and no indexes beyond the primary key. Every filtered query becomes a full table scan. Rule: if you filter or sort by it in production, it needs an index.
3. No Caching Layer
Redis with a 15-60 second TTL can reduce database load by 80%+ for read-heavy workloads. Start with TTL-based expiry, and invalidate on write for user-triggered changes.
4. Synchronous External Calls
Move non-critical work (emails, PDFs, third-party calls) to a background queue. Return immediately.
5. Payload Bloat
Stop returning 50 fields when the client uses 5. Use sparse fieldsets, dedicated endpoints, or GraphQL.
The Bottom Line
Most API performance issues are solved by fixing queries, adding caching, and being intentional about synchronous computation. Profile, fix the biggest bottleneck, measure again.