Stage 1. HTTP Methods: GET, POST, PUT, DELETE
An HTTP method is not a decorative request field. It is a formal part of the contract between client and server. When the method is chosen correctly, an API becomes predictable: easier to document, easier to test, safer to retry, and easier to cache. When method semantics are ignored, failures appear later in production: duplicate operations, broken retry flows, and confusing monitoring signals.
A practical beginner rule is simple: the method should express intent. GET means reading state without changing business data. POST means creating a resource or triggering a non-idempotent action. PUT means replacing a resource at a known URI. DELETE means removing a resource. These definitions are not theoretical; they directly control how surrounding infrastructure behaves.
GET /api/orders/42
POST /api/orders
PUT /api/orders/42
DELETE /api/orders/42
Why does this matter in real systems? Because requests are processed by more than your endpoint code. Browsers, mobile SDKs, gateways, caches, load balancers, and retry mechanisms all rely on method semantics. For example, GET may be cached or preloaded. If a GET call secretly changes state, automatic repeats can trigger business side effects unexpectedly.
Idempotency is another critical concept. An idempotent request can be repeated and still leave the same final state. That is why PUT and DELETE are usually modeled as idempotent, while POST is typically not. This is not academic wording; it is the foundation for safe retry behavior. If a team ignores this distinction, payment and ordering flows become fragile under normal network instability.
POST /api/payments
Idempotency-Key: 7c1f9c91-2f74-4d0f-9f3d-7c2cbcb7c5a1
For critical write flows, an Idempotency-Key helps the server return the original result on retry instead of creating a duplicate operation.
Method design also has to align with status codes. POST creation usually returns 201 Created, GET reads return 200 OK, and successful DELETE often returns 204 No Content. If every endpoint returns 200, clients lose protocol-level clarity and must infer behavior from custom body fields. That increases integration complexity and support cost.
A common beginner mistake is using POST for everything because it feels fast to implement. It works short-term but scales poorly: API design turns into command endpoints with weak semantics. Another frequent mistake is a mutating route like GET /api/orders/42/confirm. It may pass local testing, but production layers (cache, retries, crawlers, prefetchers) can trigger hard-to-debug side effects.
A reliable workflow is: define business intent first, choose method second, then lock status mapping and retry policy. Teams that follow this sequence keep API behavior coherent as the product grows. For beginners, the key mindset shift is to treat HTTP methods as safety mechanisms, not syntax.
Practical scenario
Imagine a checkout flow where a user taps "Pay," the network briefly drops, and the client retries automatically. If payment is implemented as an unprotected POST, the user may be charged twice. With proper method semantics and an idempotency key, the retry safely returns the already-processed result. This example shows that correct HTTP design is directly connected to money flow, user trust, and operational stability.