#API Design #Software Engineering #Reliability #Web Development

Idempotent APIs: Designing for Reliability

Namir Ahmed
Namir Ahmed
5 min read
Network nodes connecting for an article by Atlanta based Software Engineer, Namir Ahmed.

Why Idempotency Matters

Network glitches, slow connections, or user error can cause requests to be sent multiple times. If your API isn’t designed to handle this gracefully, you’re going to have problems. Imagine a user trying to purchase an item. If they accidentally click the ‘buy’ button twice and your API creates two orders, that’s a bad experience for everyone. Idempotency is the key to preventing these kinds of issues.

An operation is idempotent if applying it multiple times has the same effect as applying it once. For APIs, this usually means that sending the same request multiple times should result in the same state change on the server, or no change if it’s already been processed.

GET, PUT, and DELETE are Usually Idempotent

Let’s talk about HTTP methods. Some methods are inherently idempotent by design:

  • GET: Retrieving data. Calling GET multiple times won’t change the server’s state. It just fetches the same information.
  • PUT: Updating a resource. If you PUT a resource with specific data, applying that PUT request again with the exact same data should result in the same resource. The server’s state doesn’t change after the first successful PUT.
  • DELETE: Removing a resource. Deleting a resource once is fine. If you try to delete it again, it might return a 404 Not Found, but the resource remains deleted. The state (resource is gone) is the same after the first and subsequent DELETE requests.

POST is Tricky

The POST method is generally not idempotent. When you POST data, you’re typically creating a new resource. Sending the same POST request twice usually means creating two distinct resources. This is where you need to be careful and implement idempotency manually if needed.

Strategies for Idempotent POST Requests

How do you make a POST request idempotent? The most common and effective method is using a unique identifier for each request that the client can manage.

1. The Idempotency-Key Header

This is a standard approach. The client generates a unique key (usually a UUID) for each non-idempotent request. They include this key in a custom header, often named Idempotency-Key or X-Idempotency-Key.

The server then:

  1. Receives the request with the Idempotency-Key.
  2. Checks if it has seen this key before.
  3. If seen, it returns the original response from the first time the request was processed, without performing the operation again.
  4. If not seen, it performs the operation, stores the result (response and status code), and returns it to the client. On subsequent requests with the same key, it will return the stored response.

Let’s look at a conceptual example. Imagine creating a new user.

Client sends:

POST /users HTTP/1.1
Host: api.example.com
Content-Type: application/json
Idempotency-Key: a1b2c3d4-e5f6-7890-1234-567890abcdef


{
  "name": "Alice",
  "email": "alice@example.com"
}

Server (first request):

  1. Receives the request. Idempotency-Key: a1b2c3d4-e5f6-7890-1234-567890abcdef is new.

  2. Creates the user. The new user ID is user-123.

  3. Stores the fact that a1b2c3d4-e5f6-7890-1234-567890abcdef resulted in a 201 Created with user user-123.

  4. Returns:

    HTTP/1.1 201 Created
    Content-Type: application/json
    Location: /users/user-123
    Idempotency-Key: a1b2c3d4-e5f6-7890-1234-567890abcdef
    

    {
      "id": "user-123",
      "name": "Alice",
      "email": "alice@example.com"
    }

Server (second request, same key):

  1. Receives the request. Idempotency-Key: a1b2c3d4-e5f6-7890-1234-567890abcdef has been seen.
  2. Retrieves the stored response for this key.
  3. Returns the exact same 201 Created response as before, without creating a new user.

This header approach requires server-side state management to track idempotency keys and their associated responses. You’ll need a way to persist this information, perhaps in your database or a cache like Redis.

2. Using Natural Uniqueness

Sometimes, the resource you’re trying to create or update has a natural unique identifier that the client already controls. For example, if you’re creating a payment, the client might send a transaction_id they generated.

The API can then check if a payment with that transaction_id already exists. If it does, it returns the original successful response. If not, it creates the payment and associates it with that transaction_id.

Client sends:

POST /payments HTTP/1.1
Host: api.example.com
Content-Type: application/json


{
  "transaction_id": "txn_xyz789",
  "amount": 100.00,
  "currency": "USD"
}

Server logic:

  1. Look for a payment with transaction_id: 'txn_xyz789'.
  2. If found, return the details of that existing payment.
  3. If not found, create the payment, store it with transaction_id: 'txn_xyz789', and return the new payment details.

This method avoids the need for a separate Idempotency-Key header if your resource model allows it.

Benefits of Idempotent APIs

  • Improved Reliability: Prevents duplicate data and ensures operations complete successfully even with network issues.
  • Better User Experience: Users don’t have to worry about accidental double charges or duplicate actions.
  • Simplified Client Logic: Clients don’t need complex retry mechanisms with state tracking for every operation.

Designing for idempotency is a fundamental aspect of building robust and trustworthy APIs. It might add a little complexity to your server-side implementation, but the gains in reliability and user satisfaction are well worth the effort.

Back to Blog
← Previous Article Use Deferred Value for Responsive UIs Next Article → Embrace the Mess: When Imperfect Code is the Right Choice

Contents

Need to Message Me?

Let's Talk!