HTTP Methods Explained: GET, POST, PUT, DELETE & More (2026)

HTTP Methods Explained: GET, POST, PUT, DELETE and More (2026)

HTTP methods (also called HTTP verbs) define what action you want to perform on a resource. Every API request uses an HTTP method, and using the right one is critical for building correct, secure, and standards-compliant web APIs.

This guide covers all nine standard HTTP methods, when to use each one, and practical code examples for building and consuming APIs.

Quick Reference Table

Method	Purpose	Request Body	Response Body	Safe	Idempotent	Cacheable
GET	Read a resource	No	Yes	Yes	Yes	Yes
POST	Create a resource	Yes	Yes	No	No	No
PUT	Replace a resource	Yes	Optional	No	Yes	No
PATCH	Partial update	Yes	Yes	No	No	No
DELETE	Remove a resource	Optional	Optional	No	Yes	No
HEAD	Get headers only	No	No	Yes	Yes	Yes
OPTIONS	Get allowed methods	No	Yes	Yes	Yes	No
TRACE	Echo the request	No	Yes	Yes	Yes	No
CONNECT	Establish tunnel	No	No	No	No	No

Key Terms

• Safe: Does not modify the resource. Can be called without side effects.
• Idempotent: Calling it multiple times produces the same result as calling it once.
• Cacheable: The response can be stored and reused by browsers and CDNs.

GET

The GET method retrieves a resource. It is the most common HTTP method and is used every time you open a web page, fetch API data, or load an image.

Rules

• Must not have a request body (technically allowed but discouraged by RFC 9110).
• Must not modify server state.
• Should be idempotent and safe.
• Response can be cached.

Examples

# Fetch a list of users
curl -X GET https://api.example.com/users

# Fetch a specific user
curl -X GET https://api.example.com/users/42

# With query parameters
curl -X GET "https://api.example.com/users?page=2&limit=10"

// JavaScript Fetch API
const response = await fetch('https://api.example.com/users/42');
const user = await response.json();

# Python Requests
import requests
response = requests.get('https://api.example.com/users/42')
user = response.json()

Common Response Codes

Code	Meaning
200 OK	Resource returned successfully
304 Not Modified	Cached version is still valid
404 Not Found	Resource does not exist

POST

The POST method creates a new resource or triggers a server-side action. It is the most flexible HTTP method and is used for anything that is not a simple retrieval.

Rules

• Has a request body containing the data to create.
• Is not idempotent -- calling POST twice creates two resources.
• Is not safe -- it modifies server state.
• The server typically returns the created resource with a 201 status.

Examples

# Create a new user
curl -X POST https://api.example.com/users \
  -H "Content-Type: application/json" \
  -d '{"name": "Alice", "email": "alice@example.com"}'

const response = await fetch('https://api.example.com/users', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({ name: 'Alice', email: 'alice@example.com' }),
});
const newUser = await response.json();

response = requests.post(
    'https://api.example.com/users',
    json={'name': 'Alice', 'email': 'alice@example.com'}
)
new_user = response.json()

Common Response Codes

Code	Meaning
201 Created	Resource created successfully
400 Bad Request	Invalid data in request body
409 Conflict	Resource already exists (e.g., duplicate email)
422 Unprocessable Entity	Valid syntax but semantic errors

PUT

The PUT method replaces an entire resource with the provided data. If the resource does not exist, some APIs create it (upsert behavior).

Rules

• Requires the complete resource in the request body.
• Is idempotent -- calling PUT with the same data multiple times has the same effect.
• Replaces the entire resource, not just specific fields.

PUT vs. PATCH

This is one of the most common points of confusion in API design:

Aspect	PUT	PATCH
What it sends	Complete resource	Only changed fields
Missing fields	Set to null/default	Left unchanged
Idempotent	Yes	Not necessarily
Use case	Full replacement	Partial update

Examples

# Replace a user entirely
curl -X PUT https://api.example.com/users/42 \
  -H "Content-Type: application/json" \
  -d '{"name": "Alice Updated", "email": "alice@new.com", "age": 30}'

const response = await fetch('https://api.example.com/users/42', {
  method: 'PUT',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({
    name: 'Alice Updated',
    email: 'alice@new.com',
    age: 30
  }),
});

response = requests.put(
    'https://api.example.com/users/42',
    json={'name': 'Alice Updated', 'email': 'alice@new.com', 'age': 30}
)

Common Response Codes

Code	Meaning
200 OK	Resource replaced successfully
201 Created	Resource did not exist and was created
204 No Content	Replaced successfully, no body returned
404 Not Found	Resource does not exist (if upsert is not supported)

PATCH

The PATCH method applies a partial modification to a resource. You only send the fields you want to change, and everything else stays the same.

Rules

• Only includes the fields being modified.
• Is not necessarily idempotent (depends on implementation).
• Is more bandwidth-efficient than PUT for small changes.

Examples

# Update only the user's email
curl -X PATCH https://api.example.com/users/42 \
  -H "Content-Type: application/json" \
  -d '{"email": "alice@new.com"}'

const response = await fetch('https://api.example.com/users/42', {
  method: 'PATCH',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({ email: 'alice@new.com' }),
});

response = requests.patch(
    'https://api.example.com/users/42',
    json={'email': 'alice@new.com'}
)

JSON Patch Format

Some APIs use the formal JSON Patch format (RFC 6902) instead of a plain JSON body:

curl -X PATCH https://api.example.com/users/42 \
  -H "Content-Type: application/json-patch+json" \
  -d '[
    {"op": "replace", "path": "/email", "value": "alice@new.com"},
    {"op": "add", "path": "/phone", "value": "+1234567890"}
  ]'

DELETE

The DELETE method removes a resource from the server.

Rules

• Is idempotent -- deleting an already-deleted resource should not error (return 204 or 404).
• May or may not have a request body (most APIs do not use one).
• Successful deletion typically returns 204 No Content.

Examples

# Delete a user
curl -X DELETE https://api.example.com/users/42

const response = await fetch('https://api.example.com/users/42', {
  method: 'DELETE',
});

response = requests.delete('https://api.example.com/users/42')

Common Response Codes

Code	Meaning
200 OK	Deleted, response body contains deleted resource
204 No Content	Deleted successfully, no body
404 Not Found	Resource does not exist
409 Conflict	Cannot delete (e.g., has dependent resources)

HEAD

The HEAD method is identical to GET but returns only the response headers, no body. It is used to check if a resource exists, get its size, or check its last-modified date without downloading the full content.

Examples

# Check if a file exists and get its size
curl -I https://example.com/large-file.zip

Response:

HTTP/2 200
Content-Type: application/zip
Content-Length: 524288000
Last-Modified: Mon, 03 Feb 2026 10:00:00 GMT

Use Cases

• Check if a resource exists before downloading
• Get the Content-Length to estimate download time
• Check Last-Modified or ETag for cache validation
• Verify URL redirects without downloading

OPTIONS

The OPTIONS method returns the HTTP methods that a server supports for a given URL. It is most commonly seen in CORS preflight requests.

Examples

curl -X OPTIONS https://api.example.com/users -i

Response:

HTTP/2 204
Allow: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, PUT, DELETE
Access-Control-Allow-Headers: Content-Type, Authorization

CORS Preflight

Browsers automatically send an OPTIONS request before certain cross-origin requests. This is called a preflight request:

Browser -> OPTIONS /api/users (preflight)
Server  <- 204 with CORS headers
Browser -> POST /api/users (actual request)
Server  <- 201 Created

TRACE

The TRACE method echoes the received request back to the client. It is used for debugging to see what intermediate proxies modify in the request.

curl -X TRACE https://example.com

TRACE is usually disabled on production servers for security reasons (it can expose headers like cookies to attackers).

CONNECT

The CONNECT method establishes a tunnel to the server, typically for HTTPS through an HTTP proxy. You rarely use this directly in application code.

CONNECT api.example.com:443 HTTP/1.1
Host: api.example.com

Designing RESTful APIs with HTTP Methods

Here is how HTTP methods map to standard CRUD operations:

Operation	HTTP Method	Endpoint	Example
List all	GET	/users	Get all users
Get one	GET	/users/:id	Get user 42
Create	POST	/users	Create new user
Replace	PUT	/users/:id	Replace user 42
Update	PATCH	/users/:id	Update user 42's email
Delete	DELETE	/users/:id	Delete user 42

Express.js Example

const express = require('express');
const app = express();
app.use(express.json());

// GET /users - List all users
app.get('/users', (req, res) => {
  res.json(users);
});

// GET /users/:id - Get one user
app.get('/users/:id', (req, res) => {
  const user = users.find(u => u.id === req.params.id);
  if (!user) return res.status(404).json({ error: 'Not found' });
  res.json(user);
});

// POST /users - Create a user
app.post('/users', (req, res) => {
  const user = { id: generateId(), ...req.body };
  users.push(user);
  res.status(201).json(user);
});

// PUT /users/:id - Replace a user
app.put('/users/:id', (req, res) => {
  const index = users.findIndex(u => u.id === req.params.id);
  if (index === -1) return res.status(404).json({ error: 'Not found' });
  users[index] = { id: req.params.id, ...req.body };
  res.json(users[index]);
});

// PATCH /users/:id - Partial update
app.patch('/users/:id', (req, res) => {
  const user = users.find(u => u.id === req.params.id);
  if (!user) return res.status(404).json({ error: 'Not found' });
  Object.assign(user, req.body);
  res.json(user);
});

// DELETE /users/:id - Delete a user
app.delete('/users/:id', (req, res) => {
  const index = users.findIndex(u => u.id === req.params.id);
  if (index === -1) return res.status(404).json({ error: 'Not found' });
  users.splice(index, 1);
  res.status(204).send();
});

Common Mistakes

Using GET for actions that modify data: GET should never change server state. Use POST for actions like sending emails, processing payments, or triggering workflows.

Using POST for everything: While POST works for any operation, using the correct method makes your API predictable and self-documenting.

Using PUT when you mean PATCH: If you are only updating one field, use PATCH. PUT should replace the entire resource.

Not returning the correct status code: Return 201 for POST (not 200), 204 for DELETE (not 200), and 404 when a resource is not found (not 200 with an error message).

Wrapping Up

HTTP methods are the foundation of every web API. Using them correctly makes your APIs predictable, cacheable, and standards-compliant. GET for reading, POST for creating, PUT for replacing, PATCH for updating, DELETE for removing -- master these five and you cover 99% of API design needs.

If you are building applications that consume AI-generated media through APIs -- images, videos, audio, or talking avatars -- check out Hypereal AI for a unified REST API with standard HTTP methods and clean response formats.

Try Hypereal AI free -- 35 credits, no credit card required.