cottton cottton - 2 months ago 7x
HTTP Question

Http GET and DELETE multiple entity requests at once (PHP)

As the title says - is it valid?

What do i mean

If i call an endpoint with GET
is it then valid to do


to let the server return multiple entities at once?

I could not see any note about in the rfc docs. Also - looking at the status codes to return - it seems not build that way.

So i guess a GET or DELETE or HEAD request is for one entity only?

EDIT: language is PHP btw

EDIT2: this is what i want to avoid:

I dont want to use the body.


You can make valid HTTP requests but go against the design of HTTP. I'm focusing in my answer on correct HTTP design.

First, when you do a GET requests, you always receive a representation of a resource. Even if a URL represents something like a 'collection of resources', there is no strict definition of this in HTTP. That list of resources can still represent multiple 'entities' coming from your data-model.

So a call to /users can return multiple user-entities.

Similarly, a DELETE to users could mean that you are deleting the entire /users collection and everything in it.

One issue that I see, and don't have a great answer on is that you're using the the query string to delete multiple resources. I think this is fine for GET / HEAD, but I question whether it's correct for DELETE as well. It definitely feels a bit 'weird' to me because I feel that a DELETE on /users?foo=bar should delete /users and commonly it will due to how most frameworks work. Should it? I'm actually not sure. REST is not strictly a standard so we can't go and find answers there, so all I got is that it 'feels wrong'. I realize that you're not strictly asking for REST, so from a strict HTTP perspective it's definitely ok.

However, you could structure your urls to not look like:


but instead something like this:


I've seen others do this, and it feels a bit less wrong to me. But this is mostly conjecture.

Regardless if you do a DELETE on multiple entities like that, the request should either succeed or do nothing at all. Partial success is not accepted, so you can just use the usual 200/204 response codes to indicate a successful delete.