If resources are the nouns of REST, HTTP methods are the verbs. While resources identify what you're interacting with, HTTP methods express what action you want to perform. This separation is fundamental to REST's uniform interface—rather than defining custom operations for every resource, we use a standard set of methods with well-defined semantics.

Understanding HTTP method semantics isn't just about knowing that GET retrieves and DELETE removes. It's about understanding the contracts these methods provide: Which methods are safe to retry? Which can be cached? Which might change server state? These semantics enable infrastructure like caches, load balancers, and proxies to make intelligent decisions without understanding your specific API.

In this page, we'll explore each HTTP method in depth—its purpose, its guarantees, its proper usage, and the common mistakes developers make. Mastering method semantics is essential for building APIs that behave predictably and integrate well with the broader HTTP ecosystem.

HTTP defines a set of methods (sometimes called "verbs") that indicate the desired action to be performed on a resource. Each method has specific semantic properties that determine how it should behave and how clients and intermediaries can interact with it.

Two Critical Properties

Every HTTP method is characterized by two important properties:

1. Safety

A method is safe if it doesn't modify resource state. Safe methods are for retrieval and inspection—they have no side effects. Clients can call safe methods without worrying about unintended changes.

Safe methods: GET, HEAD, OPTIONS, TRACE

2. Idempotency

A method is idempotent if making the same request multiple times produces the same result as making it once. The server state after N identical requests is the same as after 1 request. This property enables safe retries.

Idempotent methods: GET, HEAD, OPTIONS, TRACE, PUT, DELETE

Non-idempotent method: POST, PATCH (typically)

GET is the most common HTTP method. It retrieves a representation of the specified resource without modifying server state.

Semantics

• Safe: GET must not change resource state
• Idempotent: Multiple identical GET requests produce the same result
• Cacheable: Responses are cacheable by default
• No request body: GET requests should not include a body (some servers ignore it)

Proper Usage

GET /users                    # Retrieve collection of users
GET /users/123                # Retrieve specific user
GET /users/123/orders         # Retrieve user's orders
GET /users?status=active      # Retrieve filtered collection
GET /products?q=laptop        # Search products

Response Expectations

• 200 OK: Resource found, representation returned in body
• 404 Not Found: Resource doesn't exist
• 304 Not Modified: Resource unchanged (with caching headers)
• 400 Bad Request: Invalid query parameters

GET for Collections

When GETting a collection, include pagination and filtering capabilities:

GET /users?page=2&per_page=20&sort=created_at&order=desc

Response should include:

• The collection items
• Pagination metadata (total count, current page, links to next/prev)
• Applied filters (so clients know what they asked for)

POST submits data to be processed by the identified resource. Its most common use in REST APIs is creating new resources, but it also handles operations that don't fit other methods.

Semantics

• Not safe: POST modifies server state
• Not idempotent: Multiple identical POST requests may create multiple resources
• Not cacheable: Unless response headers explicitly allow it
• Request body required: Contains the data to process

Proper Usage

POST /users                   # Create a new user
POST /orders                  # Create a new order
POST /users/123/orders        # Create order for user 123
POST /emails/456/send         # Trigger sending (action)
POST /reports/generate        # Trigger report generation

Response Expectations

• 201 Created: Resource successfully created
  • Include Location header with URI of new resource
  • Include the created resource in response body
• 200 OK: Processing succeeded (for non-create operations)
• 202 Accepted: Request accepted for asynchronous processing
• 400 Bad Request: Invalid input data
• 409 Conflict: Resource already exists or constraint violation

Why POST Is Non-Idempotent

Consider creating an order:

POST /orders
{"product": "laptop", "quantity": 1}

If this request is sent twice (perhaps due to network retry), two separate orders are created. This is correct behavior—POST is intentionally non-idempotent. To make creation idempotent, use a client-generated ID:

PUT /orders/client-generated-uuid
{"product": "laptop", "quantity": 1}

Or include an idempotency key in headers:

POST /orders
Idempotency-Key: unique-request-id-12345
{"product": "laptop", "quantity": 1}

PUT replaces the entire resource at the specified URI with the provided representation. If the resource doesn't exist, PUT creates it (when the server supports this).

Semantics

• Not safe: PUT modifies server state
• Idempotent: Multiple identical PUT requests produce the same result
• Request body required: Contains the complete new representation
• The URI identifies the resource: The client specifies where the resource lives

Proper Usage

PUT /users/123                # Replace user 123 entirely
PUT /articles/my-article      # Create or replace article
PUT /config/settings          # Replace entire configuration

Response Expectations

• 200 OK: Resource updated, new representation in body
• 201 Created: Resource created (didn't exist before)
• 204 No Content: Resource updated, no body returned
• 404 Not Found: Resource doesn't exist (if creation not supported)
• 409 Conflict: Concurrent modification conflict

PATCH applies partial modifications to a resource. Unlike PUT, which replaces the entire resource, PATCH updates only the specified fields.

Semantics

• Not safe: PATCH modifies server state
• Not inherently idempotent: Depends on patch operations (see below)
• Request body required: Contains the changes to apply
• Flexible format: Can use various patch document formats

Proper Usage

PATCH /users/123              # Update specific fields of user
PATCH /orders/456/status      # Update order status only
PATCH /articles/789           # Update article metadata

Patch Document Formats

There are multiple ways to specify patches:

1. Merge Patch (RFC 7396) — Most common and intuitive

{"name": "New Name", "email": "new@example.com"}

Content-Type: application/merge-patch+json

2. JSON Patch (RFC 6902) — More powerful, explicit operations

[
  {"op": "replace", "path": "/name", "value": "New Name"},
  {"op": "add", "path": "/tags/-", "value": "new-tag"}
]

Content-Type: application/json-patch+json

Making PATCH Idempotent

PATCH can be non-idempotent. Consider:

{"views": {"$increment": 1}}

Calling this twice increments views twice—not idempotent.

To ensure idempotency:

• Use absolute values, not relative: {"views": 150} instead of {"$increment": 1}
• Implement client-supplied idempotency keys
• Use test operations in JSON Patch to verify initial state

DELETE removes the specified resource from the server.

Semantics

• Not safe: DELETE modifies server state
• Idempotent: Deleting an already-deleted resource has no additional effect
• Request body optional: Rarely used, some servers ignore it
• Response body optional: Often 204 No Content

Proper Usage

DELETE /users/123             # Delete user 123
DELETE /orders/456/items/789  # Delete item from order
DELETE /sessions/current      # Log out (delete current session)

Response Expectations

• 200 OK: Deleted, response body contains deleted resource or confirmation
• 204 No Content: Deleted, no response body
• 202 Accepted: Deletion queued for asynchronous processing
• 404 Not Found: Resource doesn't exist (can also return 204 for idempotency)
• 409 Conflict: Cannot delete due to dependencies

Soft Delete vs. Hard Delete

Real-world APIs often implement soft delete (marking as deleted) rather than hard delete (actual removal):

Hard Delete:

• Resource is permanently removed
• Subsequent GET returns 404
• Cannot be recovered

Soft Delete:

• Resource is marked with deletedAt timestamp
• Resource may still be accessible via special queries
• Can be recovered (undeleted)
• Better for audit trails and data recovery

# Soft delete - mark as deleted
DELETE /users/123  →  Sets deletedAt: "2024-06-15T16:30:00Z"

# Get deleted user (if API supports it)
GET /users/123?includeSoftDeleted=true

# Restore (undelete)
POST /users/123/restore  or  PATCH /users/123 {deletedAt: null}

While GET, POST, PUT, PATCH, and DELETE cover most API operations, other HTTP methods are useful in specific scenarios.

HEAD

HEAD is identical to GET but returns only headers, no body. Use it to:

• Check if a resource exists without downloading it
• Get metadata (Content-Length, Last-Modified, ETag)
• Validate cache freshness

HEAD /files/large-report.pdf
→ Returns Content-Length: 15000000, but no body

OPTIONS

OPTIONS returns the allowed methods for a resource. It's crucial for CORS preflight requests:

OPTIONS /users/123
→ Allow: GET, PUT, PATCH, DELETE, HEAD, OPTIONS
→ Access-Control-Allow-Methods: GET, PUT, PATCH, DELETE

TRACE

TRACE echoes the received request back to the client. Useful for debugging proxy chains, but typically disabled for security reasons.

Choosing the right HTTP method depends on what you're trying to accomplish. Use this decision guide:

HTTP methods provide a standard vocabulary for resource operations. Understanding their semantics is essential for building predictable, scalable APIs.

What's next:

We've covered resources (nouns) and methods (verbs). The final piece is Status Codes and Responses—how your API communicates the outcome of each operation. Proper status codes make APIs debuggable, automatable, and developer-friendly.