Discover how to design idempotent APIs that handle duplicate requests, safe client retries, and webhooks under at-least-once delivery guarantees.
Imagine a user tapping a pay button inside a checkout screen. The mobile application sends a request to your API to charge their credit card for one hundred dollars. The request traverses the internet, arrives at your server, and the payment gateway successfully processes the charge. However, just as your server prepares to send back a successful response, a brief network disruption occurs. The client application waits for several seconds, times out, and receives no response. From the perspective of the application, the payment failed.
Faced with this apparent failure, the user clicks the button again, or the mobile application automatically retries the operation. If your system is not designed to handle this retry safely, the server will process the charge a second time. This scenario is a massive issue for business systems, creating immediate customer frustration, financial disputes, and operational overhead. In distributed systems, where network errors are a certainty rather than an exception, building protection against duplicate requests is a core requirement for reliability.
This is where idempotency comes into play. An operation is idempotent if executing it multiple times has the exact same effect as executing it a single time. In this playbook, we will walk through the design of idempotent APIs, providing concrete request/response patterns, database locking strategies, and client-side retry policies. Whether you are building fintech platforms, e-commerce checkouts, or software integrations, this guide will help you achieve clean, exactly-once processing across your entire architecture.
Every network request is a journey across multiple unreliable hops, including routers, cellular towers, and load balancers. When a client sends an HTTP request, there are three distinct phases where a failure can occur:
In the first scenario, the server never saw the request, so retrying is completely safe. In the second and third scenarios, however, the server has already executed the operation or modified its state. If the client retries the request without a way for the server to recognize it as a duplicate, the system will apply the state change again. In a database that records bank transactions, this leads to a double charge. In an e-commerce system, this leads to duplicate order fulfillments.
When we act as a custom software development partner for engineering teams, we often see these issues crop up during legacy system rewrites or high-traffic MVP deadlines. Developers frequently assume that standard database transactions or HTTP status codes solve this. However, the failure happens above the database layer and below the business logic layer. Relational databases can guarantee that a single database transaction is atomic, but they cannot prevent a client from initiating two entirely separate transactions for the same logical action.
To build a reliable system, we must design our API contracts to be idempotent. This means that if a client sends a request to create a payment, and then retries that exact request five times due to network timeouts, the customer is billed exactly once. The subsequent five requests should simply return the cached result of the first successful execution. By building this safety net directly into our APIs, we eliminate the risk of data corruption and ensure a reliable experience for our users.
The core mechanism of an idempotent API is the idempotency key. This is a unique identifier generated by the client that accompanies a request. The server uses this key to recognize whether it has seen the request before. If the key is new, the server processes the request and stores the result. If the key has been processed previously, the server skips the business logic and replays the cached response.
There are two primary strategies for generating these keys:
The most common approach is to have the client generate a Universally Unique Identifier, specifically a UUID v4, which provides 128 bits of high entropy to guarantee uniqueness. This key is sent in a custom HTTP header, such as Idempotency-Key. This decouples the key from the request payload and allows the client to dictate the boundaries of a single transaction.
In some scenarios, you cannot trust the client to generate unique keys reliably. Instead, the server can generate a deterministic key by hashing critical parameters of the request payload, such as the customer ID, the order ID, and the transaction amount. While this prevents client-side generation bugs, it is less flexible because any slight change in the request payload (such as a corrected spelling in a shipping address) will result in a different hash, bypassing the idempotency check.
In our web application design and development projects, we strongly favor the client-generated UUID approach. It gives the client application complete control over when to retry an operation. For instance, if a user changes their mind and wants to purchase a different item, they can generate a new key. If they are retrying a failed attempt for the same item, they reuse the original key. This model is highly flexible and aligns with the standards set by industry leaders like Stripe in their idempotent requests documentation.
To implement this safely, the server must manage the state of each idempotency key through a strict database lifecycle. It is not enough to simply cache the final response; the server must also handle requests that are currently in progress to prevent concurrent executions of the same operation.
We can represent the database schema for tracking these keys using a structured format. The table below details the essential columns needed to manage idempotency state:
| Column Name | Data Type | Description |
|---|---|---|
idempotency_key |
VARCHAR(255) | The unique primary key provided by the client in the header. |
request_hash |
VARCHAR(64) | A SHA-256 hash of the request body to prevent key reuse with different parameters. |
status |
VARCHAR(50) | The execution state of the request, either processing or completed. |
response_status |
INTEGER | The HTTP status code of the completed execution to replay to the client. |
response_body |
TEXT | The cached JSON response body of the completed execution. |
created_at |
TIMESTAMP | The timestamp when the key was first registered, used for cleanup policies. |
When a request arrives, the server follows a strict sequence of validation steps:
idempotency_key.processing, the server returns an HTTP 409 Conflict status code, indicating that an identical request is already being handled.completed, the server compares the SHA-256 hash of the incoming request body with the saved request_hash. If they do not match, the server returns an HTTP 400 Bad Request to prevent a client from accidentally reusing an old key for a completely different transaction.response_body and response_status without executing any business logic.processing and continues to execute the business logic.completed, stores the response code and body, and sends the response back to the client.We have integrated this lifecycle into our projects to secure checkout flows and inventory adjustments, ensuring that even under heavy network instability, the database remains consistent and free of duplicate entries.
When implementing the idempotency lifecycle in a distributed system, you must choose a reliable locking mechanism to prevent two app instances from processing the same key simultaneously. There are two primary technologies for handling these locks: PostgreSQL advisory locks and Redis distributed locking.
If your application already uses PostgreSQL as its primary database, advisory locks are often the simplest and safest choice. Advisory locks are application-defined locks managed directly by Postgres. By using transactional advisory locks via the pg_try_advisory_xact_lock function, the lock is tied directly to the lifecycle of your database transaction. If the transaction commits successfully, the lock is released. If the transaction fails or the application server crashes mid-execution, Postgres automatically rolls back the transaction and releases the lock immediately, preventing "ghost locks" that remain stuck open.
For high-throughput, low-latency microservices that do not share a single SQL database, Redis is an excellent alternative. You can acquire a lock using the Redis SET command with the NX (only set if not exists) and EX (expiration time) options. This creates an atomic in-memory lock with a safety Time-to-Live (TTL). However, Redis locks require careful management. If your business logic takes longer than the lock's TTL, the lock will expire, allowing a concurrent request to acquire it and cause a double execution. To prevent this, you must implement a lock renewal mechanism (a "redlock" pattern or a background thread that periodically extends the lock's expiration while the process is active).
In our article on how we scaled a fintech database to handle peak traffic, we emphasized that minimizing operational complexity is key to maintaining system uptime. If you are already running on Postgres, using native advisory locks eliminates the need to maintain and monitor a separate Redis cluster, keeping your infrastructure clean and highly reliable.
A common failure mode in distributed systems occurs when a client sends a request, experiences a minor network jitter, and immediately sends a retry request. Because of load balancing, the first request may land on Server A, while the retry lands on Server B just a few milliseconds later.
If your application does not handle concurrency correctly, both servers will execute their checks simultaneously. Server A queries the database and finds no record for the idempotency key. At the exact same millisecond, Server B queries the database and also finds no record. Both servers conclude that this is a brand-new request. Both servers then proceed to execute the business logic, leading to a distributed double charge.
To prevent this race condition, the check and the write operations must be completely atomic. You cannot perform a standard SELECT query followed by an INSERT query. Instead, you must use one of the following atomic patterns:
idempotency_key column in your SQL database. When a request arrives, attempt to perform an immediate INSERT of a "processing" record. If the insert succeeds, proceed with the business logic. If the database throws a unique constraint violation error, you know another server is already processing the request, and you can safely return a 409 Conflict or poll for the result.SETNX command to set a temporary lock key. Because Redis is single-threaded, it guarantees that only one request can successfully write the key.pg_try_advisory_xact_lock to attempt to acquire a lock immediately on the hash of the idempotency key. If the function returns false, abort the request and return a conflict status.When we design systems for clients, we reject over-engineered solutions in favor of robust database-level constraints. As we write in our blog post on why modern engineering teams reject software hype, relying on boring, battle-tested database primitives like unique constraints is almost always safer than trying to coordinate state across complex, custom application-level distributed locks.
While the server is responsible for enforcing idempotency, the client application must be designed to retry failed requests safely. If a client simply retries a request immediately after a failure, it can create a major issue known as the thundering herd problem.
If your backend experiences a brief database slowdown or a network hiccup, hundreds of clients might suddenly fail simultaneously. If all of those clients immediately retry their requests, they will flood the recovering backend with a massive wave of traffic, knocking it offline again. To prevent this, clients must implement exponential backoff with jitter.
A resilient client retry policy consists of three core components:
When we design mobile architectures, as part of our mobile app design & development services, we build these resilient retry policies directly into our network client wrappers. This ensures that our client-side code behaves as a good citizen to our backend servers, reducing server load and improving overall system stability during outages.
Webhooks are HTTP POST requests sent by external platforms (such as Stripe, Shopify, or Svix) to notify your application about events, such as a successful payment, a new user registration, or a processed order. While webhooks are incredibly convenient, they come with an uncomfortable operational reality: almost all major providers operate on an at-least-once delivery guarantee.
This means the provider guarantees they will deliver the event to your server, but they do not guarantee they will deliver it only once. If your server takes too long to respond, or if there is a brief network blip after your server processes the webhook but before the provider receives the 200 OK response, the provider will assume the delivery failed and will retry sending the exact same webhook.
To build a reliable webhook receiver, follow this structured checklist:
Stripe-Signature or Webhook-Signature). Always verify this signature using your provider's shared secret before processing the payload to prevent spoofing and replay attacks.evt_123 or Shopify's webhook ID) that remains constant across all retries. Use this identifier as your idempotency key.processed_webhooks table. Before executing any business logic, check if the ID already exists. If it does, skip processing and return a 200 OK immediately.200 OK to the sender. A separate background worker can then consume the queue and process the event asynchronously.In our work on micro-interactions design for securing mobile checkout trust, we have seen how processing webhooks cleanly prevents broken UI states, ensuring that order confirmations and payment statuses update reliably without confusing the end-user.
When developers talk about distributed systems, they often search for the holy grail: exactly-once delivery. They want to guarantee that a message is delivered across the network precisely once, with zero duplication and zero loss. However, in the field of distributed computing, exactly-once delivery is a mathematical impossibility.
This constraint is proven by the classic thought experiment known as the Two Generals Problem. Imagine two generals, General A and General B, who need to coordinate an attack on a city. They can only communicate by sending foot messengers across enemy territory, where the messengers might be captured. General A sends a message: "Attack at 9 AM." However, General A cannot attack unless they are certain General B received the message. General B receives the message and sends an acknowledgment back: "Confirmed, we will attack at 9 AM." But General B cannot attack unless they are certain General A received the confirmation. This loop of acknowledgments continues infinitely, proving that certain consensus cannot be reached over an unreliable communication channel.
In modern web development, your server and the client are the two generals, and the internet is the enemy territory. When a client sends a request to your API, and the network drops, there is no way for the client to know if:
Because the client cannot distinguish between these scenarios, it has only two options: fire-and-forget (which leads to data loss) or retry (which leads to duplicates). Therefore, we must accept that at-least-once delivery is the only viable model for reliable systems. What we call "exactly-once semantics" is not achieved by perfect delivery, but rather by combining at-least-once delivery with idempotent processing on the receiver side.
This distinction is something we help engineering teams navigate when integrating AI and scaling systems without rewrites. By shifting the focus from impossible network guarantees to robust application-level idempotency, we build systems that remain resilient even when the underlying network is highly unstable.
When designing your own idempotent APIs, it is incredibly valuable to look at how industry giants have structured their developer interfaces. Let us analyze two of the most successful implementations in the software ecosystem: Stripe and Svix.
Stripe allows developers to send an Idempotency-Key header with any POST request. Their implementation has several key characteristics:
Svix, a leading enterprise webhook platform, handles idempotency on both the sending and receiving sides. They pass a unique webhook-id in the headers of every webhook they dispatch. They recommend that receivers store these IDs in an in-memory store like Redis with a TTL that outlives the webhook provider's retry window (typically 3 to 7 days). This ensures that even if Svix retries a webhook delivery over several days, the receiver will never process the same event twice.
At Algoramming, we provide tech partnership & consultation to help organizations design clean, standardized API contracts that mimic these industry-standard patterns, reducing friction for external developers and ensuring long-term maintainability.
An idempotency layer is only as good as your ability to monitor it. If your idempotency system breaks, it can fail silently, leading to duplicate transactions that are incredibly difficult to debug. To maintain operational visibility, you must track key metrics and build clean error recovery paths.
To understand how your idempotency layer is performing in production, you should monitor three primary metrics:
409 Conflict. This indicates that clients are retrying requests while the first attempt is still processing, which could point to slow database performance.What happens if your application server crashes in the middle of processing a request? The idempotency key will be left in the database with a status of processing forever, blocking any future retries from the client.
To handle this, you must implement an auto-expiry or garbage collection mechanism. If you are using Redis, you can set a TTL on the lock key. If you are using PostgreSQL, you can run a background worker (a cron job) that periodically searches for records that have been stuck in the processing state for more than 15 minutes, marks them as failed, and deletes them, allowing the client to safely retry.
In our engineering playbook on the anatomy of an API leak and incident response, we emphasize that structured logging and distributed tracing are critical during system failures. By including the idempotency key in every log line and database query, your support team can instantly trace a failed retry back to its original execution, drastically reducing resolution times.
Historically, the implementation of idempotency keys has been highly fragmented. Stripe uses Idempotency-Key, PayPal uses PayPal-Request-Id, and other APIs use custom headers like X-Idempotency-Key. This lack of standardization makes it difficult to build generic API gateways or reusable client SDK libraries.
To solve this, the Internet Engineering Task Force (IETF) has been actively working on a standardized specification: draft-ietf-httpapi-idempotency-key-header-07. This draft outlines a standard HTTP request header field named Idempotency-Key that clients can use to make non-idempotent HTTP methods (such as POST or PATCH) fault-tolerant.
The standard specifies several key behaviors:
Idempotency-Key value should be a structured string, typically a UUID.422 Unprocessable Entity or 400 Bad Request with a standardized error payload.Adopting this standardized draft today future-proofs your API design. As modern API gateways and web browsers begin to support this header natively (as seen in recent experimental implementations by major browser engines), your backend will be fully compatible with the next generation of web infrastructure.
When client teams partner with us for custom software development, we ensure that their systems are built on these emerging open standards, preventing technical debt and making certain their APIs remain clean, modern, and highly reliable for years to come.
Key takeaways
- Exactly-once is an application-level guarantee: Because network delivery guarantees are at-least-once by design, achieving exactly-once semantics requires idempotent processing on the receiver side.
- Atomic locks prevent race conditions: Use database-level unique constraints or atomic Redis commands to prevent concurrent duplicate requests from running simultaneously.
- PostgreSQL advisory locks are safer for SQL backends: If your application uses Postgres, transactional advisory locks automatically clean up on server crashes, avoiding stale locks.
- Standardize on IETF patterns: Build your APIs to align with the evolving
Idempotency-KeyHTTP header draft to future-proof your developer platform.
If you are planning an API integration, migrating from a legacy architecture, or designing a high-stakes transaction system, having an experienced engineering partner makes all the difference. We can help you structure your database schemas, implement resilient client-side SDKs, and build APIs that scale smoothly under heavy traffic. If you are looking to build a reliable, high-performance platform, explore our web application design and development services, and let's discuss how we can help your team succeed.
01 · RelatedThe June 2026 ServiceNow unauthenticated API data exposure highlights why technical leaders must treat API security as a core release requirement, not a compliance exercise.
Read post
02 · RelatedFollowing the ServiceNow customer data exposure incident, we break down why unauthenticated APIs are the biggest risk to your product roadmap and provide a concrete Q3 security timeline.
Read post
03 · RelatedLearn how to integrate WCAG 2.2 web accessibility standards directly into your frontend engineering workflow and CI/CD pipelines without sacrificing development velocity.
Read postWe will reply in plain English within one business day, NDA on request. Discovery call is free.