What Are HTTP Methods?
HTTP methods (also called verbs) indicate the desired action to be performed on a resource. Choosing the right method is essential for building correct, cacheable, and predictable APIs.
The Core Methods
GET — Retrieve a Resource
GET requests retrieve data without side effects. They are safe (no state change) and idempotent (same result every time). Browsers cache GET responses by default.
GET /api/users/42 HTTP/1.1
Host: api.example.comPOST — Create a Resource
POST submits data for processing. It is not safe and not idempotent — sending the same POST twice may create two resources.
POST /api/users HTTP/1.1
Content-Type: application/json
{"name": "Alice", "email": "[email protected]"}Typical response: 201 Created with a Location header.
PUT — Replace a Resource
PUT replaces the entire resource at the given URL. It is idempotent — sending the same PUT multiple times yields the same result. If the resource doesn't exist, some APIs create it (upsert).
PUT /api/users/42 HTTP/1.1
Content-Type: application/json
{"name": "Alice Updated", "email": "[email protected]"}PATCH — Partially Update a Resource
PATCH applies a partial modification. Unlike PUT, you only send the fields you want to change. It is not necessarily idempotent (e.g., incrementing a counter).
PATCH /api/users/42 HTTP/1.1
Content-Type: application/json
{"email": "[email protected]"}DELETE — Remove a Resource
DELETE removes the specified resource. It is idempotent — deleting the same resource twice should not fail (return 204 or 404 on the second call).
DELETE /api/users/42 HTTP/1.1Safety and Idempotency
| Method | Safe | Idempotent | Has Body |
|---|---|---|---|
| GET | Yes | Yes | No |
| POST | No | No | Yes |
| PUT | No | Yes | Yes |
| PATCH | No | No | Yes |
| DELETE | No | Yes | Optional |
| HEAD | Yes | Yes | No |
| OPTIONS | Yes | Yes | No |
Less Common Methods
- HEAD — Like GET but returns only headers, no body. Used for checking resource existence.
- OPTIONS — Returns allowed methods. Used by CORS preflight requests.
- TRACE — Echoes the request back. Rarely used, often disabled for security.
Best Practice
Map your CRUD operations consistently: GET for reads, POST for creates, PUT/PATCH for updates, DELETE for removals. Never use GET for operations that modify data — search engine crawlers and prefetching will trigger unintended changes.