« All posts

HTTP Gets a New Method: How QUERY Reshapes API Design

RFC 10008 defines HTTP's new QUERY method, letting APIs send safe, idempotent, cacheable complex queries without abusing POST semantics.

RFC 10008, finalized in June 2026, adds a new HTTP method called QUERY, formalizing a workaround developers have used for years: sending complex search or filter logic through POST because GET can't carry a request body. QUERY is defined as safe and idempotent like GET, but it accepts request content the way POST does, closing a long-standing semantic gap in API design.

The stakes go beyond convention. HTTP method tokens are contracts that caches, proxies, and monitoring tools rely on to reason about a request without understanding the application behind it. Overloading POST for read-only searches broke that contract; QUERY restores it by explicitly requiring a Content-Type that defines how the request body should be interpreted, and mandating that servers reject mismatched or missing types.

The most consequential detail is caching. Traditional caches key on method and URI alone, which fails for QUERY since two requests to the same endpoint can carry completely different query bodies. RFC 10008 requires cache keys to incorporate request content and metadata, and lets servers optionally expose a query or its result as its own retrievable URI. This makes QUERY genuinely cacheable in principle, but real-world support depends on infrastructure catching up to the spec.