Method Semantics: Safety, Idempotency, and Side Effects
LESSON
Method Semantics: Safety, Idempotency, and Side Effects
The core idea: HTTP methods are small public promises about what a request is allowed to change, whether retrying it is safe, and what clients, proxies, caches, and operators may infer before they understand the application body.
Core Insight
Imagine a checkout service with three endpoints: GET /orders/842, POST /payments, and DELETE /cart/items/17. A mobile client sends POST /payments, the network stalls, and the client never receives the response. The user taps again. The app retries. The payment provider may have charged the card once, twice, or not at all, and the API boundary now has to answer a painful question: did the retry repeat the same operation or create a second side effect?
That question is why HTTP methods are not just controller names. A method is part of the contract that surrounds a request before application code runs. GET says the client is asking to retrieve a representation. PUT says the client is asking to replace the target resource with the supplied state. DELETE says the client is asking to remove the target resource. POST says the target resource should process the enclosed representation according to its own rules. Those meanings affect retries, caches, prefetchers, crawlers, gateways, logs, and incident analysis.
The common misconception is that method choice is mostly style: use GET for reads, POST for writes, and move on. That rule is useful, but incomplete. The deeper mechanism is the relationship between a method, the requested side effect, and repeatability. Some requests are safe, meaning the client is not asking the server to change application state. Some requests are idempotent, meaning repeating the same request has the same intended effect as sending it once. Those are not the same property, and confusing them creates production bugs.
The central trade-off is expressive contracts versus handler convenience. A single POST /do-action endpoint can route every operation through one handler shape, but it hides which actions can be retried, cached, prefetched, or deduplicated. More precise method semantics force the API designer to name resources and state transitions, but they give clients and infrastructure better evidence when a request times out or crosses a proxy boundary.
What the Method Promises
A method promise starts before the server reads the JSON body. Consider these requests:
GET /orders/842 HTTP/1.1
Host: api.shop.test
PUT /orders/842/shipping-address HTTP/1.1
Host: api.shop.test
Content-Type: application/json
{"line1":"12 Market St","city":"Madrid"}
POST /payments HTTP/1.1
Host: api.shop.test
Content-Type: application/json
{"order_id":"842","amount_cents":3499}
The gateway can route all three from the method and target. But the semantic promise is different in each case.
GET /orders/842 asks for a representation of the current order. A server may log the request, update metrics, refresh an access timestamp, or charge internal cost accounting, but the client did not request a business-state change. That is the meaning of safe: safe for the client to ask without intending to mutate the resource. It does not mean "nothing anywhere changes." Access logs and counters are still side effects in the broad computer-science sense. The HTTP distinction is about requested application semantics.
PUT /orders/842/shipping-address says the client wants the target resource to become the supplied representation. If the same request is sent twice, the intended final state is still the same address. That is idempotency. The second request may produce a different timestamp, a different trace ID, or a different response status, but the intended resource state should not become "address applied twice."
POST /payments is different. The target collection or processor decides what to do with the submitted representation. Creating a new payment attempt is a normal POST use case, and repeating it may create another payment attempt. POST is not automatically unsafe chaos; it is simply not idempotent by default. If the API wants safe retries for POST, it needs an extra deduplication mechanism such as an idempotency key.
Safety, Idempotency, and Cacheability
These three words are close enough to confuse, so separate them:
- Safe: the client is not asking for a state-changing operation.
GET,HEAD,OPTIONS, andTRACEare defined as safe methods. - Idempotent: one request and repeated identical requests have the same intended effect.
GET,HEAD,PUT,DELETE,OPTIONS, andTRACEare idempotent by method definition. - Cacheable: a response may be stored and reused under the HTTP caching rules.
GETandHEADare the everyday cases; somePOSTresponses can be cacheable when explicitly marked, but many systems do not rely on that path.
The sharp edge is that DELETE is idempotent but not safe. The first DELETE /cart/items/17 may remove the item. A second identical DELETE should not remove a second item; the final intended state is still "item 17 is not in the cart." The response might differ: first 204 No Content, then 404 Not Found, or perhaps 204 both times if the API treats absence as success. The method property is about the intended effect, not byte-for-byte response equality.
PUT and PATCH show another important boundary. PUT replaces the target representation. If you send the same full replacement twice, the final state should be the same. PATCH applies a partial change described by the request body. Some patches are idempotent, and some are not. A patch that says "set status to cancelled" can be idempotent. A patch that says "increment quantity by 1" is not idempotent unless the application adds a deduplication key or operation identity.
This is why method semantics are not enough by themselves. They give the first layer of evidence. The resource model, request body, preconditions, and idempotency keys finish the contract.
Worked Path: A Timed-Out Checkout
Trace one checkout failure through the system:
mobile app -> edge proxy -> order API -> payment provider
The user presses "Pay." The app sends:
POST /payments HTTP/1.1
Host: api.shop.test
Content-Type: application/json
Idempotency-Key: pay_842_2026_06_18_a
{"order_id":"842","amount_cents":3499,"currency":"EUR"}
The order API receives the request and calls the payment provider. The provider charges the card, but the API times out before it can return the final response to the mobile app. From the user's point of view, the request failed. From the system's point of view, the most dangerous state is "side effect may have happened, but the caller does not know."
Without an idempotency key, the retry is ambiguous:
request 1 -> card charged -> response lost
request 2 -> new payment attempt -> card may be charged again
With an idempotency key, the API can treat the retry as the same operation:
request 1 with key K -> create payment attempt P -> store K -> response lost
request 2 with key K -> find stored attempt P -> return P's result
The key gives the server a stable unit of work. It does not magically make every POST safe. It lets the server distinguish "the same client is retrying the same operation" from "the client is intentionally asking for another payment." That distinction is the operational value of idempotency: it turns a network timeout from a duplicate side effect into a lookup of prior evidence.
The server still needs policy. It must decide how long keys live, whether the same key with a different body is an error, what to return while the first attempt is still in progress, and which storage boundary is authoritative. If the key is stored only in a process-local cache, a deploy or failover can lose the deduplication record. If it is stored with the payment attempt in durable storage, retries have stronger evidence.
Choosing Methods by Resource Shape
A useful design move is to ask, "What resource is the client trying to observe or change?"
For reading an order, GET /orders/842 is clear. It is safe and idempotent. Caches and crawlers can reason about it. Monitoring can treat unexpected mutation during GET as a bug.
For replacing a known address resource, PUT /orders/842/shipping-address is clear. The client chooses the target resource and supplies the desired state. Retrying the same replacement should converge on the same address.
For creating a server-assigned payment attempt, POST /payments is reasonable. The server owns the new resource identity and the business process. Because repeating the request might create a second attempt, the design should add an idempotency key when clients are expected to retry after uncertain failures.
For cancelling an order, either shape can be honest depending on the domain. If cancellation is a state transition on the order, POST /orders/842/cancellations can create a cancellation request with its own audit trail. If cancellation is modeled as replacing order state, PATCH /orders/842 with a precondition can work. If the API exposes a cancellable subresource, PUT /orders/842/status with {"status":"cancelled"} can be idempotent. The important part is not forcing every verb into a slogan; it is making the side effect and repeatability visible.
Failure Modes at the Boundary
Failure: using GET for mutation.
It is tempting because a link is easy to click: GET /emails/123/mark-read. But prefetchers, crawlers, browser previews, cache warmers, or monitoring probes may send safe methods without human intent. If GET mutates business state, infrastructure that assumes safety can create real side effects. Use a state-changing method and require the right authorization and anti-CSRF controls.
Failure: assuming idempotent means harmless.
DELETE /orders/842 may be idempotent, but it is not safe. A retry may be okay after a timeout; an accidental call is still destructive. Idempotency helps with repeatability. It does not remove authorization, confirmation, audit, or product-risk concerns.
Failure: treating every POST as impossible to retry.
Some teams avoid retries for POST because duplicate side effects are scary. That pushes uncertainty onto users and operators. A better design gives important POST operations an idempotency key, stores the operation result durably, and documents what happens when the same key is reused.
Failure: hiding operation identity inside the body only.
If a payment retry can only be deduplicated by comparing a large JSON body, the system has weak evidence. A clear operation key, unique client request ID, or domain resource ID gives logs, traces, and support tooling something stable to search.
Close the lesson and reconstruct one endpoint you maintain or use often. Name its method, target resource, requested side effect, retry behavior, and the evidence a server would use after a timeout. If you cannot say what repeated identical requests do, the method contract is not finished.
Connections
The previous lesson separated HTTP metadata from representation bytes. Method semantics are one of the most important pieces of that metadata: they tell intermediaries and handlers what kind of operation is being requested before the body is interpreted.
The next lesson on status codes builds on this boundary. Once a method says what kind of operation is being attempted, the status code says what the server believes happened: accepted, completed, rejected, conflicted, rate-limited, or failed.
Resources
- [RFC] HTTP Semantics RFC 9110
- Focus: Read the method definitions and the sections on safe, idempotent, and cacheable methods.
- [DOC] MDN: HTTP request methods
- Focus: Use the method table as a compact cross-check for safety and idempotency expectations.
- [DOC] Stripe API: Idempotent requests
- Focus: Study how a payment API turns retries of unsafe operations into deduplicated operation results.
- [RFC] HTTP Caching RFC 9111
- Focus: Connect safe retrieval methods to cache behavior and understand why method semantics affect intermediaries.
Key Takeaways
- HTTP methods are public operation contracts, not just handler routing labels.
- Safe means the client did not request a state change; idempotent means retries have the same intended effect as one request.
POSTcan be retried safely only when the API adds operation identity, usually through an idempotency key or domain resource ID.- Good method design gives clients, proxies, logs, and operators evidence about side effects when responses are lost or delayed.