Idempotency, Explained Through the Retry That Doesn't Double-Charge
A practical look at idempotency keys: why a retried payment request shouldn't charge a card twice, how the pattern works, and where it quietly breaks in production.
You click “Pay,” the spinner hangs, and nothing happens. So you click again. Behind the scenes, the first request actually succeeded — your bank approved the charge — but the response never made it back to your phone because the connection dropped. Your second click fires an identical request. Without protection, you just paid twice.
This is the problem idempotency solves. The word sounds academic, but the failure it prevents is concrete: the same operation running more than once and changing your data more than once. We’ll walk through it using the payment example because it’s the one where the cost of getting it wrong is measured in real dollars and refund tickets.
What “idempotent” actually means
An operation is idempotent if running it once produces the same result as running it ten times. The classic distinction lives in HTTP. GET /account/123 is naturally idempotent — reading your balance a hundred times doesn’t change it. DELETE /session/abc is idempotent too: the session is gone after the first call, and the next nine calls find nothing to delete and leave the world unchanged.
The trouble is POST. POST /charges creates a new charge every time it runs. That’s the correct default for creating things — you usually want a second POST to make a second resource. But for a payment, a second charge is exactly the bug. The operation is not idempotent by nature, so you have to make it idempotent on purpose.
How an idempotency key works
The pattern that became the industry standard is the idempotency key, popularized by Stripe’s API. The client generates a unique value — typically a UUID — and attaches it to the request, usually in an Idempotency-Key header. Critically, the client generates it before sending and reuses the same key on every retry of that one logical operation.
The server’s job is then mechanical:
- Read the key from the incoming request.
- Look it up in a store of keys it has already processed.
- If the key is new, process the charge, then save the key alongside the response it produced.
- If the key already exists, skip the work entirely and return the saved response from the first time.
That fourth step is the whole trick. The retried request gets back the original “charge succeeded” response — same status code, same charge ID — so the client sees success and stops retrying. The card is never touched a second time.
| Aspect | No idempotency key | With idempotency key |
|---|---|---|
| Client retries after timeout | Second charge created | Original response replayed |
| Where uniqueness lives | Nowhere | Client-generated key, stored server-side |
| Cost of a dropped response | Duplicate side effect | Safe, no extra effect |
| Cleanup | Manual refunds | None needed |
The key has to be generated by the client, not the server, and it has to be tied to the user’s intent — one checkout, one key. If you generate a fresh key on each retry, you’ve defeated the entire mechanism: every retry looks new, and you’re back to double-charging.
Where idempotency quietly breaks
The concept is simple. The production failures are where it gets interesting, because they hide in the gaps between “check the key” and “do the work.”
The race between check and write. Two retries can arrive at nearly the same instant. Both look up the key, both find nothing, both proceed to charge. The fix is to make the key reservation atomic — a unique constraint on the key column, or an atomic “insert if not exists.” The first request wins the insert; the second hits a conflict and waits for or reads the first one’s result instead of charging.
Storing the key after the side effect instead of before. If you charge the card and then save the key, a crash in between leaves you with a completed charge and no record that the key was used. The next retry sees a fresh key and charges again. Reserve the key first, do the work, then record the result against the reserved key.
Caching errors as if they were successes. If the first request fails with a transient 500, you generally do not want to replay that 500 forever. Most implementations only persist the response for successful or definitively-failed operations, and let genuinely transient failures be retried. Decide this deliberately — it’s the difference between a retry that recovers and one that’s permanently stuck.
Reusing a key for a different request body. A robust server fingerprints the request payload alongside the key. If the same key arrives with a different body, that’s a client bug, and returning the old response would be wrong. Stripe, for instance, rejects a key reused with mismatched parameters rather than silently replaying.
If you’re building this into a payment or order flow and want a second pair of eyes on the check-then-write race or the key lifetime, an AI pair-programmer that reads your whole repo can catch the non-atomic lookup before it ships.
Cursor
An AI code editor that reads across your codebase, useful for tracing where an idempotency key is generated, stored, and checked — and flagging the gaps between those steps.
Free tier; Pro around $20/month
Affiliate link · We earn a commission at no cost to you.
The mental model worth keeping: a retry is not a new intention, it’s the same intention asking again. Idempotency is how your server tells the difference. Get the key generated on the client, reserve it atomically before the side effect, and replay the stored result — and the retry that used to double-charge becomes a non-event.
FAQ
Is idempotency the same as a database transaction?
Where should I store idempotency keys?
Do GET requests need idempotency keys?
Related reading
2026-06-22
TCP vs UDP, Explained Through What Breaks When You Pick Wrong
TCP and UDP aren't interchangeable. We walk through the exact failure modes — head-of-line blocking, silent packet loss, Nagle delays — that show up when you pick the wrong transport.
2026-06-22
Write-Ahead Logging: How Databases Survive a Power Cut
How write-ahead logging keeps your data intact when the machine dies mid-write — the log-first rule, fsync, checkpoints, and why PostgreSQL and SQLite both rely on it.
2026-06-22
Backpressure, Explained Through a Queue That Won't Fall Over
What backpressure actually is, why an unbounded queue is a memory leak in disguise, and the four strategies a producer can take when a consumer falls behind.
2026-06-22
What a Bloom Filter Actually Saves You (and When It Lies)
A bloom filter trades a small false-positive rate for big memory savings. Here is the math behind the trade, where it pays off, and the failure mode that bites people.
2026-06-12
Git Plumbing in Practice: How CI, Review Tools, and AI Agents Build on Git's Primitives
How CI runners, stacked-diff CLIs, code review systems, and AI coding agents build on Git's object model — blobs, trees, commits, and refs — instead of reinventing version control, and how to start building on the plumbing yourself.
Get the best tools, weekly
One email every Friday. No spam, unsubscribe anytime.