Which HTTP methods are idempotent and why does it matter?
An HTTP method is **idempotent** if making the same request N times produces the same server state as making it once. It is **safe** if it does not modify server state at all. These properties are not just academic—they directly determine whether a client or proxy can safely retry a request after a network failure.
**Safe methods**: GET, HEAD, OPTIONS, TRACE. Because they have no side effects, they can be retried, cached, and prefetched without concern.
**Idempotent but not safe**: PUT, DELETE. PUT replaces a resource with the supplied representation; sending it twice results in the same final state as sending it once. DELETE removes a resource; a second DELETE on an already-deleted resource should return 404 or 204, but the server state is the same (resource absent). These cannot be cached but can be retried safely on timeout.
**Neither idempotent nor safe**: POST, PATCH. POST typically appends or creates a new resource—sending it twice creates two resources. PATCH applies a partial update; the semantics depend on the operation (an increment patch is not idempotent, a set patch could be). Clients must not auto-retry POST without idempotency keys.
**Why it matters in practice**: Load balancers and service meshes use idempotency to decide retry policy. A timed-out GET can be retried immediately; a timed-out POST cannot without risking duplicate processing (double charges, duplicate orders). This is why payment APIs like Stripe require an `Idempotency-Key` header on POST requests—it allows safe retries by making POST behave as idempotent at the application layer.
Distributed systems also rely on this property for at-least-once delivery. Message consumers processing HTTP callbacks must treat POST payloads as potentially duplicated and implement deduplication logic (storing processed IDs) when the operation is not naturally idempotent.
A common confusion is between idempotency and the HTTP response code: a second DELETE returning 404 instead of 204 does not violate idempotency—idempotency is about server state, not response equality.
| Method | Safe | Idempotent | Typical Use | Retry on Timeout? |
|---|---|---|---|---|
| GET | Yes | Yes | Read resource | Yes |
| HEAD | Yes | Yes | Check headers/existence | Yes |
| PUT | No | Yes | Replace resource | Yes |
| DELETE | No | Yes | Remove resource | Yes |
| POST | No | No | Create / trigger action | Only with idempotency key |
| PATCH | No | No (usually) | Partial update | Depends on patch semantics |
| OPTIONS | Yes | Yes | CORS preflight | Yes |
Correctly classifies GET, PUT, DELETE as idempotent and POST as non-idempotent, with a clear definition of idempotency.
Covers safe vs. idempotent distinction, explains PATCH nuance, discusses retry implications, and mentions idempotency keys as an application-layer solution for POST.
Reading the answer is step one. Explaining it unprompted — under interview pressure — is what actually matters. Get AI-graded feedback on your answer with follow-up probes on your weak points.
Get Graded — Free Assessment