API Design

Debugging & Real-World · Lesson 05

Idempotency in practice

A user double-clicks the "Pay" button. Your server's response is lost in transit and the client retries. Both scenarios send the same request twice — and without idempotency, both cause a double charge. Idempotency keys turn "retry safely" from a hopeful claim into a mechanical guarantee.

⏱ 13 min Difficulty: core Prereq: Lesson 07 (HTTP), rel-02, dbg-04

By the end you'll be able to

The problem: two sends, two effects

An operation is idempotent if applying it multiple times produces the same result as applying it once. GET, PUT, and DELETE are designed to be idempotent. POST is not — two identical POST requests to /charges are intended to create two charges. That's fine in a world with perfectly reliable networks, but networks are not perfectly reliable.

Consider this sequence:

Scenario: The double charge

A user clicks "Pay $49." Your client sends a POST to /v1/charges. The server processes the charge, deducts $49 from the card, and sends a 200 response. The response is lost in transit — a TCP timeout. The client's HTTP library, seeing no response, retries the same POST. The server receives a second POST with an identical body and charges the card again. The user is now charged $98.

The user complains. Your server logs show two successful charges with identical amounts and identical metadata. Neither is "wrong" in isolation — both were valid API calls. The system did exactly what it was told, twice.

The same failure mode appears in other shapes: a "Pay" button with no loading state that a user clicks twice before seeing a response; a background job that retries on any error, not just safe ones; a webhook that fires twice for the same event.

The fix: idempotency keys end-to-end

An idempotency key is a client-generated unique identifier attached to a request. The server uses it as a deduplication key: the first request with a given key is processed and the result is cached; any subsequent request with the same key returns the cached result without re-executing the operation.

The key property: the client generates the key before sending the request, and reuses the same key on retries. This way, even if the response was lost and the request is sent again, the server recognizes it as a repeat and returns the cached response — the charge is not re-executed.

Client key = uuid() POST /charges Idempotency-Key: key-abc Server 1st request: process + cache result for key-abc Dedup store key-abc → 201 + charge_id write 201 Created (first response) retry: same key-abc → returns cached 201, no second charge
The client generates the key once and reuses it on retries. The server caches the result and returns it on duplicate requests — the operation runs exactly once regardless of how many times the request is sent.

How idempotency keys work over HTTP

The client sends the key in a request header. Stripe uses Idempotency-Key; PayPal uses PayPal-Request-Id; other providers may use X-Idempotency-Key. The value should be a UUID (version 4) generated fresh for each logical operation — not for each retry of the same operation.

# First attempt — client generates a key before sending curl -X POST https://api.example.com/v1/charges \ -H "Authorization: Bearer sk_live_abc" \ -H "Idempotency-Key: 3f8a1b2c-9d4e-47f6-a8b3-1c2d3e4f5a6b" \ -H "Content-Type: application/json" \ -d '{"amount":4900,"currency":"usd","customer_id":"cus_123"}' HTTP/2 201 {"id":"charge_abc","amount":4900,"status":"succeeded"} # Network timeout — client retries with the SAME key curl -X POST https://api.example.com/v1/charges \ -H "Authorization: Bearer sk_live_abc" \ -H "Idempotency-Key: 3f8a1b2c-9d4e-47f6-a8b3-1c2d3e4f5a6b" \ -H "Content-Type: application/json" \ -d '{"amount":4900,"currency":"usd","customer_id":"cus_123"}' HTTP/2 201 {"id":"charge_abc","amount":4900,"status":"succeeded"} # Identical response — same charge_id returned. No second charge created.

Implementing the dedup store

The server-side implementation requires a store that maps idempotency keys to cached responses. The store must persist at least as long as the retry window you want to support (24–48 hours is common). Redis with a TTL works well; a database table also works. The critical operations:

  1. On receiving a request: look up the idempotency key in the store. If found, return the cached response immediately — do not re-execute the operation.
  2. If not found: execute the operation (charge the card, create the record), capture the response, write the key + response to the store, then return the response.
  3. Handle the in-flight race: if two requests with the same key arrive simultaneously, one should execute and the other should wait for the result. Use a database lock or a Redis SET NX (set if not exists) to prevent concurrent processing of the same key.
# Server-side dedup store (Python pseudocode) import uuid, json from datetime import timedelta def create_charge(request): key = request.headers.get("Idempotency-Key") # Validate key format if not key: return error("Idempotency-Key header is required for POST /charges", 422) # Check the dedup store first cached = redis.get(f"idem:{key}") if cached: return json.loads(cached) # Return cached response, no re-execution # Atomically claim the key (SET NX prevents races) acquired = redis.set(f"idem:{key}", "PENDING", nx=True, ex=3600) if not acquired: # Another request is processing this key right now return error("concurrent_request", 409) # Execute the operation try: charge = payment_provider.charge( amount=request.body["amount"], customer=request.body["customer_id"] ) response = {"id": charge.id, "amount": charge.amount, "status": charge.status} status_code = 201 except PaymentError as e: response = {"error": e.code, "message": e.message} status_code = 402 # Cache errors too — don't retry a card_declined # Write result to cache (TTL: 48 hours) redis.set(f"idem:{key}", json.dumps({"body": response, "status": status_code}), ex=int(timedelta(hours=48).total_seconds())) return response, status_code
⚠️ Cache error responses too

If the first request results in a card_declined error, should a retry return the same error or try the card again? The answer: return the same error. Retrying an operation that definitively failed is wasteful and potentially harmful (repeatedly attempting a blocked card may trigger fraud detection). Cache both success and error responses. The only responses that should NOT be cached are transient infrastructure errors (500, 503) — those are safe to retry.

Idempotent webhook consumers

Webhook handlers are the consumer side of the same problem. As covered in Lesson 04, the provider delivers at-least-once — your handler may process the same event twice. The idempotency key in this case is the event's unique ID provided by the provider.

# Idempotent webhook consumer — record event IDs in a DB table CREATE TABLE processed_webhook_events ( event_id TEXT PRIMARY KEY, processed_at TIMESTAMPTZ NOT NULL DEFAULT now(), outcome TEXT NOT NULL -- 'succeeded', 'failed', etc. ); # In the handler: def handle_payment_event(event): # Check if already processed exists = db.query( "SELECT 1 FROM processed_webhook_events WHERE event_id = $1", event["id"] ) if exists: return 200 # Already handled — return success to prevent retries # Process the event with db.transaction(): order = db.find_order(event["metadata"]["order_id"]) order.update_status("paid") # Record this event ID in the same transaction db.execute( "INSERT INTO processed_webhook_events (event_id, outcome) VALUES ($1, $2)", event["id"], "succeeded" ) # If the transaction fails, the event_id is not recorded → safe to retry
✅ Record the event ID in the same database transaction as the business operation

If you record the event ID in one step and update the order in another step, a crash between the two steps leaves your system in an inconsistent state — either the event is marked processed but the order wasn't updated, or the order was updated but the event wasn't recorded and will be re-processed. Do both in a single atomic transaction so either both happen or neither does.

Idempotency and the request body must match

What happens if a client sends the same idempotency key with a different request body? For example, key abc123 first with amount: 4900, then with amount: 2500? The server should return an error — the key is associated with a specific operation, and allowing the body to change would make the guarantee meaningless. The standard response is 422 with an error code like idempotency_key_in_use.

Clients can use this as a debugging signal: if they're getting idempotency_key_in_use errors, they're accidentally reusing keys across different operations — a bug in how they generate keys.

# Second request — same key, different amount curl -X POST https://api.example.com/v1/charges \ -H "Idempotency-Key: 3f8a1b2c-9d4e-47f6-a8b3-1c2d3e4f5a6b" \ -d '{"amount":2500,"currency":"usd","customer_id":"cus_123"}' HTTP/2 422 {"error":"idempotency_key_in_use","message":"This key was already used with a different request body. Generate a new key for a different operation."}

Tying it together: end-to-end idempotency

A fully idempotent payment flow looks like this:

  1. Client generates a UUID before the user clicks "Pay." Store it associated with the user's current checkout session.
  2. Client sends the charge request with the UUID in the Idempotency-Key header.
  3. Server checks the dedup store before executing the charge. If the key exists, return the cached response.
  4. If new: charge the card, cache the result with the key (both success and card errors), return the response.
  5. On network failure: the client retries with the same key. The server returns the cached result. The card is not charged again.
  6. Payment provider sends a webhook confirming the charge. Your webhook handler deduplicates by event ID in the same database transaction as the order status update.
  7. Result: regardless of how many times the request was sent (double-click, network retry, webhook retry), the user is charged exactly once.
🎯 Interview angle

Idempotency is a common system design topic at companies with payment or transaction systems (Stripe, Airbnb, Lyft, Uber). The question usually starts as "how would you prevent double charges?" Candidates who answer "check for duplicates" without explaining the idempotency key pattern (client-generated UUID, sent as a header, cached on the server) are giving an incomplete answer. The three-part explanation — key generation, dedup store, caching error responses — is the complete answer. Also note that this concept extends to any non-idempotent operation: sending an email, creating a subscription, provisioning infrastructure.

Under the hood: how it actually works

Idempotency keys look simple from the outside — "send a header, get dedup." The mechanism that makes it safe under concurrent duplicates is the interesting part.

The dedupe store: keyed by idempotency key, atomic insert-if-absent

The server maintains a store (Redis or a database table) whose schema is conceptually:

-- Database table equivalent
CREATE TABLE idempotency_keys (
    key        TEXT        PRIMARY KEY,       -- the UUID the client sent
    status     TEXT        NOT NULL,          -- 'pending' | 'complete'
    request_hash TEXT      NOT NULL,          -- hash of the request body (body-mismatch guard)
    response   JSONB,                         -- cached {status_code, body}
    created_at TIMESTAMPTZ NOT NULL DEFAULT now(),
    expires_at TIMESTAMPTZ NOT NULL           -- TTL: typically now() + 48 h
);

Atomic insert-if-absent: how SET NX prevents races

The critical invariant is: exactly one thread must execute the underlying operation, even when two requests with the same key arrive simultaneously. A plain "check then execute" is a race — both threads can read "key not found" and both proceed to charge the card. The fix is an atomic insert-if-absent:

The losing concurrent request sees the key in pending state. The correct behaviour is a short-circuit: return a 409 Conflict (or optionally poll and wait a few seconds for the pendingcomplete transition). This is safer than blocking indefinitely — the winning request may have crashed, leaving the key stuck at pending without a result.

Storing and replaying the first response

After the operation completes (success or deterministic error), the server overwrites the pending row with the full response — both the status code and the body. Subsequent requests look up the key, find it complete, and replay the stored response verbatim. The client cannot tell whether it received a live response or a cached replay — that is the guarantee. The stored body must include everything the client needs (charge ID, amount, status), not just a "seen" flag.

The TTL trade-off

The TTL controls how long the server remembers a key. Longer TTLs give clients more time to retry after extended outages but consume more storage. The practical formula: TTL should exceed the longest plausible retry window for your clients. For a payment API, 24–48 hours covers mobile apps that go offline and retry next morning. After the TTL, the key is evicted — a retry with the same key would be treated as a fresh request. This is why clients must not reuse keys across sessions: the key should be tied to one logical operation and discarded after success.

Traced duplicate: two simultaneous POSTs, one charge

# Two clients (or two retries) send the same idempotency key simultaneously # Both arrive within milliseconds of each other POST /v1/charges Idempotency-Key: 3f8a1b2c-9d4e-47f6-a8b3-1c2d3e4f5a6b (Client A) POST /v1/charges Idempotency-Key: 3f8a1b2c-9d4e-47f6-a8b3-1c2d3e4f5a6b (Client B, ~2 ms later) # Server thread A: # SET idem:3f8a... "pending" NX EX 172800 → OK (wins the race) Thread A: key acquired → proceeds to charge card # Server thread B (2 ms later): # SET idem:3f8a... "pending" NX EX 172800 → nil (key already exists) Thread B: key in "pending" state → return 409 { "error": "concurrent_request" } # Client B receives 409 and polls or retries after 1–2 seconds # # Thread A finishes: charge succeeds → charge_id = charge_abc # redis.set("idem:3f8a...", JSON({status:201, body:{id:"charge_abc",amount:4900}}), EX 172800) Thread A returns 201 { "id": "charge_abc", "amount": 4900, "status": "succeeded" } # Client B retries 1.5 s later: POST /v1/charges Idempotency-Key: 3f8a1b2c-9d4e-47f6-a8b3-1c2d3e4f5a6b (Client B retry) # GET idem:3f8a... → status="complete", response={201, {id:"charge_abc",...}} Server returns cached 201 { "id": "charge_abc", "amount": 4900, "status": "succeeded" } # One charge, two callers, identical responses. Card not charged twice.
⚠️ "Pending" keys need a safety expiry or you leak resources

If thread A crashes after claiming the key but before writing the result, the key is stuck at pending indefinitely with no result. Subsequent retries by the client will always get 409. The fix: set a short TTL on the pending entry (e.g., 30 s), separate from the long TTL on completed entries. After 30 s, a retry from the client will get a cache miss and start fresh — executing the operation with a clean slate. Stripe's implementation effectively uses this approach under the hood.

🧠 Quick check

1. When should a client generate an idempotency key?

The client generates the key once before the first attempt and uses the same key on every retry of the same logical operation. Generating a new key on each retry defeats the purpose — the server would see each retry as a fresh request with no cached result. The server never generates the key; it only uses the key the client provides to look up cached results.

2. A charge request returns a card_declined error. The client retries immediately with the same idempotency key. What should the server return?

A card decline is a deterministic result (the issuing bank declined it). Retrying the charge will not change that outcome. The server should cache the error response and return it on retries — this prevents unnecessary charges to the card network and protects against fraud detection triggers from repeated failed attempts. Only transient infrastructure errors (500, 503) warrant a retry.

3. Why should you record a webhook event ID in the same database transaction as the business operation it triggers?

If you record the event ID first and the business operation fails, the event appears processed but the actual work wasn't done. If you do the business operation first and crash before recording the event ID, the event will be re-delivered and re-processed. Recording both atomically in one transaction means either both commit or neither does — the operation is either fully done or fully not done, with no inconsistent in-between state.

4. A client sends a request with idempotency key key-xyz and amount $49. Later, they send another request with the same key but amount $25. What should the server do?

An idempotency key is bound to a specific operation — it cannot be repurposed for a different request body. Silently returning the $49 result for a $25 request would confuse the client; executing a new charge would violate idempotency. The server returns a 422 telling the client that this key is already in use and a new key must be generated for the new operation.

✍️ Exercise: trace a double-charge failure and fix it

A production system is creating duplicate subscriptions. Investigation reveals that the subscription-creation endpoint does not accept or check idempotency keys. Occasional network timeouts cause the client's HTTP library to retry the POST, and both the original and the retry create separate subscriptions.

Write a plan (5 steps) for adding end-to-end idempotency to this flow. Consider: key generation, server-side dedup, transaction atomicity, and what to do about existing duplicates.

Model answer:

  1. Client: generate a key per subscription attempt. Before calling the API, generate a UUID and store it with the user's session. This key is reused for all retries of this specific subscription creation. The key is discarded once the operation either succeeds or deterministically fails (not on transient errors).
  2. Server: add an Idempotency-Key header check. Make the header required for POST /subscriptions. Return 422 if the header is absent. This is a breaking change for existing clients — add it in a versioned endpoint (/v2/subscriptions) or via a migration with a deprecation notice for existing callers.
  3. Server: implement the dedup store. Use a Redis key idem:sub:{key} with a 48-hour TTL. On first receipt: claim the key with SET NX, create the subscription, cache the result. On subsequent receipt: return the cached response without re-executing.
  4. Server: wrap key recording and subscription creation in one transaction. If the subscription creation fails due to a database error, the key claim should be released (or left as PENDING with an expiry so the client can retry). On success, update the Redis entry from PENDING to the full cached response atomically.
  5. Existing duplicates: reconcile manually. Query for subscriptions created within 30 seconds of each other for the same customer and product. Merge or cancel duplicates, issue refunds where applicable, and add a monitoring query to alert on future duplicates before a fix is deployed.

Rubric: ✓ Client generates key before request, reuses on retry ✓ Server checks key before executing ✓ Dedup store with expiry ✓ Atomic transaction covers both key write and business operation ✓ Plan addresses existing duplicates (not just future ones).

Key takeaways

Sources & further reading