GET or POST for token generation

Tags: rest, http, post, get

We have a "RESTful" endpoint that returns a newly created storage token. All the information required to generate the token is contained in the bearer token, so no body is required for the request. The request causes no database change because the token is not stored. A subsequent request, without any intervening database change, provides a different token in the response. What's the right method, POST or GET?

One proposal is a GET and a GET/id, where the id is the identifier for a resource used in the token creation process, not for the token itself. The alternative is a POST.

Since there's a beer riding on the result I will try not to take sides too obviously. Resources like the rules on GET and POST from IETF and the discussion of the two methods at https://restfulapi.net/http-methods/#get were not sufficient to persuade either side, in part due to differences about whether it is appropriate for a GET to return something different if the underlying resource has not changed between the requests, and whether "a random token that we generate" is a new "resource" when not stored in the database.

Jon Clayton asked Jun 08 '18 21:06

2 Answers

You should absolutely use POST to generate a token.

GET is used for retrieval of a collection of existing resources or a specific resource identified by a supplied path parameter.

In this case you are not really generating a resource on the server at all. You don't store any data and there's nothing to retrieve later. So there's no REpresentational State Transfer.

However, the token you are creating is going to be different on each call (iat and exp claims, assuming you're using JWT) and should not be cached by any intermediary. HTTP agents will treat POST requests as non-idempotent, making it the best choice for a token issuing endpoint.

See also, for example, the OAuth2 token endpoint, which mandates POST.

MvdD answered Oct 03 '22 05:10


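The behaviour the accepted answer describes, as an added example that is not code from either answer or from the asker's project: a framework-independent, POST-only token endpoint that refuses GET with 405, requires the caller's bearer token, mints an HS256 JWT whose iat/exp and random jti differ on every call, and sets the Cache-Control: no-store and Pragma: no-cache headers that RFC 6749 section 5.1 requires on token responses. The `verify_bearer` callback, the signing key and the 300-second lifetime are assumptions made for the demonstration.

```python
import base64, hashlib, hmac, json, os, time
from typing import Callable, Optional

SIGNING_KEY = b"demo-signing-key-not-for-production"  # constructed; load from a secret store in practice
TOKEN_TTL = 300  # assumed lifetime of the issued storage token, in seconds


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject: str, now: Optional[int] = None) -> str:
    """Compact HS256 JWT; iat/exp plus a random jti make every call return a different token."""
    now = int(time.time()) if now is None else now
    header = json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode()
    claims = json.dumps({"sub": subject, "iat": now, "exp": now + TOKEN_TTL,
                         "jti": _b64url(os.urandom(16))}, separators=(",", ":")).encode()
    signing_input = f"{_b64url(header)}.{_b64url(claims)}"
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str) -> Optional[dict]:
    """Return the claims if the HMAC signature checks out, else None."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    return json.loads(_b64url_decode(claims_b64))


def handle_token_request(method: str, headers: dict,
                         verify_bearer: Callable[[str], Optional[str]]) -> tuple:
    """Token endpoint returning (status, response headers, JSON body).

    verify_bearer is a hypothetical callback that validates the caller's bearer token
    and returns the subject to bind the new storage token to, or None if it is invalid.
    """
    no_store = {"Cache-Control": "no-store", "Pragma": "no-cache"}  # RFC 6749 section 5.1
    if method != "POST":
        # GET is defined as safe and cacheable; issuing a fresh token is neither.
        return 405, {"Allow": "POST", **no_store}, {"error": "method_not_allowed"}
    auth = headers.get("Authorization", "")
    subject = verify_bearer(auth[len("Bearer "):]) if auth.startswith("Bearer ") else None
    if subject is None:
        return 401, {"WWW-Authenticate": "Bearer", **no_store}, {"error": "invalid_token"}
    return 200, {"Content-Type": "application/json", **no_store}, {
        "access_token": mint_token(subject), "token_type": "Bearer", "expires_in": TOKEN_TTL}
```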
REST is not a specification, it is an architectural style. The HTTP methods have very specific meaning. RESTful means, in particular, that resources should be created by POST and return a URL of the created resource.

What's the right method, POST or GET?

This is easy to answer. If you want your service to be RESTful, it should be POST.

But ask yourself also questions that are much harder to answer:

  • Should this service be RESTful in our particular case?
  • What advantages and disadvantages do we get if we make this service non-RESTful? (RESTless? :) )
mentallurg answered Oct 03 '22 04:10