← Back to glossary

REST (Representational State Transfer)

architecture Beginner

Also Known As

RESTful API Representational State Transfer REST API

TL;DR

An architectural style for distributed hypermedia systems using HTTP verbs, stateless interactions, and resource-oriented URLs.

Explanation

REST (Roy Fielding, 2000) defines six constraints: client-server, stateless, cacheable, uniform interface, layered system, and optional code-on-demand. Practical REST APIs use HTTP verbs semantically (GET retrieves, POST creates, PUT/PATCH updates, DELETE removes), identify resources via URLs, and communicate state via standard status codes (200, 201, 400, 401, 403, 404, 422, 500). True RESTfulness (HATEOAS) is rarely fully implemented — most APIs are REST-like (sometimes called Level 2 of the Richardson Maturity Model). Use consistent status codes and error bodies across all endpoints.

Common Misconception

✗ Any HTTP API that uses JSON is RESTful. True REST requires statelessness, a uniform interface, resource-based URLs, and HATEOAS (hypermedia links in responses). Most "REST" APIs are actually RPC over HTTP — pragmatically fine, but not architecturally REST.

Why It Matters

REST constraints (stateless, uniform interface, resource-based URLs) make APIs predictable and cacheable — violating them produces RPC-over-HTTP that loses the benefits of HTTP infrastructure.

Common Mistakes

Verbs in URLs: POST /getUser, GET /createOrder — use nouns and HTTP methods correctly.
Stateful REST: storing session data server-side between requests — each request must be self-contained.
Using GET for state-changing operations — GET must be safe and idempotent; use POST/PUT/PATCH/DELETE.
Returning HTTP 200 for errors — use the appropriate 4xx/5xx status code.

Code Examples

✗ Vulnerable

// RPC-style URLs with wrong HTTP methods:
GET  /api/getUser?id=1        // Wrong: verb in URL, should be GET /users/1
POST /api/deleteUser          // Wrong: should be DELETE /users/1
GET  /api/createOrder         // Wrong: GET mutates state — must be POST /orders
POST /api/updateUserProfile   // Wrong: should be PATCH /users/1/profile

✓ Fixed

# Resource-oriented URLs + correct HTTP verbs
GET    /users          # list
POST   /users          # create
GET    /users/{id}     # read
PUT    /users/{id}     # full replace
PATCH  /users/{id}     # partial update
DELETE /users/{id}     # delete

# PHP: return appropriate status codes
return response()->json($user, 201);   // Created
return response()->json(null, 204);    // No Content (DELETE)
return response()->json($errors, 422); // Unprocessable Entity

References

Tags

Added 15 Mar 2026

Edited 22 Mar 2026

Curated in Warsaw under one editorial standard. 1,445 terms, single voice. About this reference →

Rate this term

No ratings yet

🤖 AI Guestbook educational data only

| |

Last 30 days

Agents 0

No pings yet today

No pings yesterday

Perplexity 8 Ahrefs 7 Amazonbot 6 Unknown AI 2 Google 1 SEMrush 1

Also referenced

API Design Principles 27 CORS Misconfiguration 24 GraphQL 19

How they use it

crawler 24 pre-tracking 1

Related categories

security 4.2k architecture 1.9k

⚡ DEV INTEL Tools & Severity

🟡 Medium ⚙ Fix effort: Medium

⚡ Quick Fix

REST is a set of constraints, not a protocol — use HTTP verbs correctly (GET safe/idempotent, POST create, PUT/PATCH update, DELETE remove), return appropriate status codes, and keep resources as nouns in URLs

📦 Applies To

any web api

🔗 Prerequisites

HTTP Status Codes API Design Principles Hypermedia APIs — HATEOAS

🔍 Detection Hints

POST used for everything including reads; GET endpoint with side effects; verbs in URL paths (/api/getUser); wrong HTTP status codes

Auto-detectable: ✗ No postman spectral openapi-validator

⚠ Related Problems

HTTP Status Codes API Design Principles GraphQL vs REST vs gRPC

🤖 AI Agent

Confidence: Medium False Positives: High ✗ Manual fix Fix: Medium Context: File Tests: Update