HTTP methods (also called HTTP verbs) signal to the server what should happen to a resource. Each method has its own meaning (semantics). The five most important ones cover the usual operations:

  • GET (read): Requests a representation of the specified resource. GET should only retrieve data and not send any content in the request body.
  • POST (create/process): Submits data to the resource so the server can process it according to its own logic. Typically triggers a state change or side effects, such as creating a new resource or submitting a form.
  • PUT (replace): Creates the target resource or replaces its entire state with the content sent in the request. If the same content is sent again, the result is identical.
  • PATCH (partial change): Applies only partial changes to a resource without replacing it completely.
  • DELETE (delete): Deletes the specified resource.

Two concepts help in choosing the right method:

  • Safe: A method is considered safe if its semantics are essentially read-only, meaning the client expects no state change on the server. GET and HEAD are safe; POST, PUT, PATCH, and DELETE are not.
  • Idempotent: A method is idempotent if multiple identical calls have the same effect on the server as a single one. According to RFC 9110, PUT, DELETE, and all safe methods (GET, HEAD) are idempotent. POST and PATCH are not idempotent.

Which method for what:

  • Retrieve data without changing anything: GET.
  • Create a new resource when the server assigns the URL/ID, or process something in general: POST.
  • Fully create or replace a resource at a known URL: PUT (repeatable without additional effects).
  • Change only individual fields: PATCH.
  • Remove a resource: DELETE.

Practical benefit: a client may safely resend idempotent methods (GET, PUT, DELETE) after a network error. With POST, on the other hand, resending can accidentally create duplicate resources, which is why it is not idempotent.

MethodExampleMeaningSafeIdempotent
GETGET /users/42readYesYes
POSTPOST /userscreate new (server assigns ID)NoNo
PUTPUT /users/42replace completelyNoYes
PATCHPATCH /users/42change only partial fieldsNoNo
DELETEDELETE /users/42deleteNoYes

The five methods on the /users resource. Safe means read-only, idempotent means: sent multiple times, same result.

A PATCH changes only the fields sent with it, here exclusively the email:

PATCH, changing only one field
PATCH /users/42 HTTP/1.1
Content-Type: application/json

{ "email": "new@example.com" }

Sources

Keep reading