CodeClarityLab / Glossary
Ctrl K
← Home ← Codex ← DEBT
Browse by Category
+ added · updated 7d
Pages
Terms of Use About Contribute 🧠Logic graph Contact
← Back to glossary

REST (Representational State Transfer)

Architecture Beginner
debt(d7/e7/b7/t7)
d7 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'only careful code review or runtime testing' (d7). Tools like spectral and openapi-validator can catch some violations (wrong status codes, verbs in URLs) but most REST violations (statefulness, missing HATEOAS, GET with side effects) require human review of API design.

e7 Effort Remediation debt — work required to fix once spotted

Closest to 'cross-cutting refactor across the codebase' (e7). Fixing REST violations means reshaping URL structures, HTTP methods, and status codes across every endpoint — clients depending on the API must also change. Not a one-line patch despite the quick_fix description.

b7 Burden Structural debt — long-term weight of choosing wrong

Closest to 'strong gravitational pull' (b7). The API shape defines how every consumer interacts with the system; applies broadly to web/api contexts and shapes every new endpoint added.

t7 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'serious trap' (t7). The misconception is explicit: developers believe JSON-over-HTTP equals REST, when true REST requires statelessness, uniform interface, and HATEOAS. The 'obvious' interpretation contradicts the actual architectural constraints.

About DEBT scoring → scored by claude-opus-4-7 · 2026-05-11 · reviewed by human

Also Known As

RESTful API Representational State Transfer REST API

TL;DR

An architectural style for distributed hypermedia systems using HTTP verbs, stateless interactions, and resource-oriented URLs.

Explanation

REST (Roy Fielding, 2000) defines six constraints: client-server, stateless, cacheable, uniform interface, layered system, and optional code-on-demand. Practical REST APIs use HTTP verbs semantically (GET retrieves, POST creates, PUT/PATCH updates, DELETE removes), identify resources via URLs, and communicate state via standard status codes (200, 201, 400, 401, 403, 404, 422, 500). True RESTfulness (HATEOAS) is rarely fully implemented — most APIs are REST-like (sometimes called Level 2 of the Richardson Maturity Model). Use consistent status codes and error bodies across all endpoints.

Common Misconception

Any HTTP API that uses JSON is RESTful. True REST requires statelessness, a uniform interface, resource-based URLs, and HATEOAS (hypermedia links in responses). Most "REST" APIs are actually RPC over HTTP — pragmatically fine, but not architecturally REST.

Why It Matters

REST constraints (stateless, uniform interface, resource-based URLs) make APIs predictable and cacheable — violating them produces RPC-over-HTTP that loses the benefits of HTTP infrastructure.

Common Mistakes

  • Verbs in URLs: POST /getUser, GET /createOrder — use nouns and HTTP methods correctly.
  • Stateful REST: storing session data server-side between requests — each request must be self-contained.
  • Using GET for state-changing operations — GET must be safe and idempotent; use POST/PUT/PATCH/DELETE.
  • Returning HTTP 200 for errors — use the appropriate 4xx/5xx status code.

Code Examples

✗ Vulnerable 
// RPC-style URLs with wrong HTTP methods:
GET  /api/getUser?id=1        // Wrong: verb in URL, should be GET /users/1
POST /api/deleteUser          // Wrong: should be DELETE /users/1
GET  /api/createOrder         // Wrong: GET mutates state — must be POST /orders
POST /api/updateUserProfile   // Wrong: should be PATCH /users/1/profile
✓ Fixed 
# Resource-oriented URLs + correct HTTP verbs
GET    /users          # list
POST   /users          # create
GET    /users/{id}     # read
PUT    /users/{id}     # full replace
PATCH  /users/{id}     # partial update
DELETE /users/{id}     # delete

# PHP: return appropriate status codes
return response()->json($user, 201);   // Created
return response()->json(null, 204);    // No Content (DELETE)
return response()->json($errors, 422); // Unprocessable Entity
Added 15 Mar 2026
Edited 22 Mar 2026
Views 62

Curated in Warsaw under one editorial standard. 1,506 terms, single voice.  About this reference →

Rate this term
No ratings yet
🤖 AI Guestbook educational data only
| |
Last 30 days
1 ping T 0 pings W 1 ping T 1 ping F 0 pings S 0 pings S 0 pings M 0 pings T 4 pings W 0 pings T 2 pings F 1 ping S 5 pings S 1 ping M 1 ping T 0 pings W 1 ping T 0 pings F 1 ping S 0 pings S 0 pings M 0 pings T 0 pings W 0 pings T 0 pings F 0 pings S 0 pings S 0 pings M 1 ping T 1 ping W
Agents 1
Ahrefs 1
PetalBot 1
Scrapy 12 Ahrefs 10 Perplexity 8 Amazonbot 7 SEMrush 4 Unknown AI 3 Google 2 Claude 2 Bing 2 Meta AI 1 PetalBot 1
Also referenced
API Design Principles 75 CORS Misconfiguration 49 GraphQL 46
How they use it
crawler 49 crawler_json 2 pre-tracking 1
Related categories
security 8k architecture 3.2k
DEV INTEL Tools & Severity
🟡 Medium ⚙ Fix effort: Medium
⚡ Quick Fix
REST is a set of constraints, not a protocol — use HTTP verbs correctly (GET safe/idempotent, POST create, PUT/PATCH update, DELETE remove), return appropriate status codes, and keep resources as nouns in URLs
📦 Applies To
any web api
🔗 Prerequisites
🔍 Detection Hints
POST used for everything including reads; GET endpoint with side effects; verbs in URL paths (/api/getUser); wrong HTTP status codes
Auto-detectable: ✗ No postman spectral openapi-validator
⚠ Related Problems
🤖 AI Agent
Confidence: Medium False Positives: High ✗ Manual fix Fix: Medium Context: File Tests: Update
✓ schema.org compliant