HTTP methods (also called HTTP verbs) signal to the server what should happen to a resource. Each method has its own meaning (semantics). The five most important ones cover the usual operations:
- GET (read): Requests a representation of the specified resource. GET should only retrieve data and not send any content in the request body.
- POST (create/process): Submits data to the resource so the server can process it according to its own logic. Typically triggers a state change or side effects, such as creating a new resource or submitting a form.
- PUT (replace): Creates the target resource or replaces its entire state with the content sent in the request. If the same content is sent again, the result is identical.
- PATCH (partial change): Applies only partial changes to a resource without replacing it completely.
- DELETE (delete): Deletes the specified resource.
Two concepts help in choosing the right method:
- Safe: A method is considered safe if its semantics are essentially read-only, meaning the client expects no state change on the server.
GETandHEADare safe;POST,PUT,PATCH, andDELETEare not. - Idempotent: A method is idempotent if multiple identical calls have the same effect on the server as a single one. According to RFC 9110,
PUT,DELETE, and all safe methods (GET,HEAD) are idempotent.POSTandPATCHare not idempotent.
Which method for what:
- Retrieve data without changing anything: GET.
- Create a new resource when the server assigns the URL/ID, or process something in general: POST.
- Fully create or replace a resource at a known URL: PUT (repeatable without additional effects).
- Change only individual fields: PATCH.
- Remove a resource: DELETE.
Practical benefit: a client may safely resend idempotent methods (GET, PUT, DELETE) after a network error. With POST, on the other hand, resending can accidentally create duplicate resources, which is why it is not idempotent.
| Method | Example | Meaning | Safe | Idempotent |
|---|---|---|---|---|
| GET | GET /users/42 | read | Yes | Yes |
| POST | POST /users | create new (server assigns ID) | No | No |
| PUT | PUT /users/42 | replace completely | No | Yes |
| PATCH | PATCH /users/42 | change only partial fields | No | No |
| DELETE | DELETE /users/42 | delete | No | Yes |
The five methods on the /users resource. Safe means read-only, idempotent means: sent multiple times, same result.
A PATCH changes only the fields sent with it, here exclusively the email:
PATCH /users/42 HTTP/1.1
Content-Type: application/json
{ "email": "new@example.com" }
Sources
- HTTP request methods MDN Web Docs
- RFC 9110: HTTP Semantics RFC Editor / IETF