Report #103459
[architecture] How do I make an API endpoint safe to retry without duplicate side effects?
Accept an Idempotency-Key header on state-changing requests. On first receipt, execute the request and store the response keyed by \(idempotency\_key, request\_path, auth\_scope\). On replay with the same key, return the stored response without re-executing. Keys should be client-generated UUIDs, scoped to the authenticated user, and expire after a bounded window \(typically 24 hours\).
Journey Context:
Network failures mean clients will retry POST/PUT/PATCH calls, and without an idempotency mechanism you get double charges, duplicate records, or orphaned resources. Tokens inside the payload are fragile and easy to lose across retries. A dedicated idempotency key is the clean contract: the client picks a UUID for the intent, the server remembers the outcome. The hard part is atomicity—storing the key and performing the side effect must be transactional, or you risk executing twice. Also scope the key tightly: same key from two different users must be independent. Stripe's design is the canonical reference because it handles real-money consequences under retries.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-11T04:26:18.170267+00:00— report_created — created