TL;DR — Give each potentially repeatable write (charge card, place order) an Idempotency-Key. First request: lock → do the thing → cache the exact response. Repeats within a TTL? Return the same response and go back to your coffee. Store results in Postgres (unique constraint) or Redis (SETNX + TTL). Add a tiny bit of locking, consistent headers, and you just saved your support team 37 angry emails.
Why Idempotency Keys Still Matter (Yes, in 2025)
- Users double-tap “Pay” like it’s Instagram.
- Mobile networks drop out the moment someone enters a long billing address.
- Gateways and SDKs retry on timeouts and 5xx… politely creating duplicate orders if you let them.
- Idempotency keys make POST behave like a responsible adult.
What Exactly Is an Idempotency Key?
A high-entropy token you attach to a write request (usually an HTTP header).
- First time you see the key → process, persist, and cache the response by that key.
- Next times → short-circuit and return the original response (same status + body).
- Result: no double-charges, no duplicate orders, and your CFO stops side-eyeing you.
Key Design: Scope, Format, and TTL
Scope (who/what does this key represent?)
- Tie it to the user, the endpoint, and a normalized payload or just use a client-generated UUID/ULID.
- Don’t reuse across different actions (placing an order ≠ refunding one).
Format
- Keep it header-friendly (≤128 chars,
base64url/hex). - Make it unguessable. If a toddler can brute-force it, it’s not a key—it’s a suggestion.
TTL
- 24–72 hours is a comfy window for payments/orders. Long enough to survive flaky Wi-Fi; short enough not to hoard storage.
Storage Patterns: Postgres vs Redis (Fight! …Just Kidding)
Postgres (the careful librarian)
- Table with
idempotency_key UNIQUE,http_status,response_body,expires_at. - Pros: transactions, audit trail, easy reporting.
- Cons: a smidge slower than RAM, which is fine for payments.
Redis (the sprinting cheetah)
SET key value NX EX <ttl>to claim the key and set expiry.- Pros: blazing fast; TTL built-in.
- Cons: you may still want to persist final results to a database for audits.
Hybrid: Redis for hot-path locks/dedup; Postgres for the final “source of truth.”
Concurrency & Locking (No, Not the Thread Kind)
- Per-key lock: first request grabs it (via
SETNXor DB transaction). Others with the same key either wait or get a friendly 409/429 withRetry-After. - Return the same response for repeats: same status, same body. Add
Idempotency-Replayed: trueso observability tools can wink knowingly.
Timeouts, Crashes, and Other Spicy Situations
- A timeout doesn’t mean failure. Keep work running in the background; the next retry with the same key gets the final result.
- Partial success (charge captured, DB write failed)? Use compensation tasks/reconciliation and store the final truth under the same key.
- Disaster recovery loves idempotency tables—you can replay safely without cloning orders.
Code You Can Steal (Node/Express + Redis)
// npm i express redis uuid
import express from "express";
import { createClient } from "redis";
import { v4 as uuid } from "uuid";
const app = express();
app.use(express.json());
const redis = createClient();
await redis.connect();
function idemKey(req) {
// prefer client-provided header; fallback to server-issued UUID
return req.get("Idempotency-Key") || uuid();
}
app.post("/v1/orders", async (req, res) => {
const key = `idem:${idemKey(req)}`;
const ttl = 60 * 60 * 24; // 24h
// try to claim the key (processing marker)
const claimed = await redis.set(key, JSON.stringify({ status: "processing" }), { NX: true, EX: ttl });
if (!claimed) {
// key exists — return cached result if any
const cached = JSON.parse(await redis.get(key));
if (cached?.status === "succeeded") {
res.set("Idempotency-Key", key.slice(5));
res.set("Idempotency-Replayed", "true");
return res.status(cached.httpStatus).send(cached.body);
}
// still processing — be nice and ask them to retry
res.set("Retry-After", "5");
return res.status(409).json({ error: "Request in progress. Try again shortly." });
}
// do real work (create order, charge card, etc.)
const order = { id: "ord_" + Math.random().toString(36).slice(2), total: 42.00 };
// cache the exact response for replays
const payload = { status: "succeeded", httpStatus: 201, body: order };
await redis.set(key, JSON.stringify(payload), { XX: true, EX: ttl });
res.set("Idempotency-Key", key.slice(5));
res.set("Idempotency-Replayed", "false");
return res.status(201).json(order);
});
app.listen(3000, () => console.log("API listening on :3000"));
Production note: store final responses in Postgres too if you need audits, reporting, or sleep.
Nitty-Gritty Headers (Because Caching Tools Are Literal)
Request
POST /v1/orders
Idempotency-Key: 01JG…WXYZ
Content-Type: application/json
Response (first or replay)
201 Created
Idempotency-Key: 01JG…WXYZ
Idempotency-Replayed: false|true
Location: /v1/orders/ord_abc123
Pre-Prod Checklist (Print This. Laminate It.)
- Clear key scope and 24–72h TTL
- Dedup via Postgres UNIQUE or Redis SETNX
- Per-key lock with short timeout; return 409/429 +
Retry-Afteron contention - Replays return identical status/body +
Idempotency-Replayedheader - Timeouts continue processing; next retry returns the final result
- Cleanup job + dashboards: hits, misses, conflicts, replays
- Canary the endpoint; watch error rate & replay rate before full rollout
- Document the Idempotency-Key contract in your API docs
FAQ (Short, Sweet, and Possibly Life-Saving)
Isn’t PUT already idempotent?
Yes, and we love PUT. But payments and order creation are usually POST, and retries happen. Keys make POST behave.
Should clients or servers generate the key?
Prefer clients (UUID/ULID). Servers can mint one on first response and echo it back for reuse.
Can I hash the request body as the key?
You can, but please normalize the payload (field order, whitespace) and include user + endpoint to avoid collisions and mischief.
How long should the key live?
Payments: 24–48h is common. Orders: up to 72h if your users are on Mars time.