Object Invocation Protocol · protocol specification

What Is Idempotency

#oip#protocol

Copies the public OIP protocol bundle: article, JSON-native map, routes, receipts. No owner token.

§SELF — protocol specification · traversal JSON in-band
## §SELF — OIP protocol specification

**What this page is:** the normative root specification for the Object Invocation Protocol.

**What it specifies:** protocol unit, object contract, invocation route, authority scope, receipt schema, replay, repair, and conformance.

**Read:** https://miscsubjects.com/a/oip-what-is-idempotency
**This page as JSON:** https://miscsubjects.com/api/articles/oip-what-is-idempotency
**Machine bundle:** https://miscsubjects.com/api/articles/oip-what-is-idempotency/bundle?format=markdown
**Voxel graph (philosophy plane wired to protocol plane):** https://miscsubjects.com/api/articles/oip/voxels
**Live object tree:** https://miscsubjects.com/api/dispatch?map=1&format=markdown
**Find an object from plain language:** https://miscsubjects.com/api/dispatch?ask=<what you want>
**Read one object:** https://miscsubjects.com/api/dispatch?key=<KEY>&format=markdown

**Proof rule:** an action is not proven by intent, description, or a 200. It is proven by the ledger and the OIP receipt for the invocation.

What It Is

An idempotent operation produces the same result no matter how many times you run it. The first execution changes state. The second, third, and thousandth change nothing. The system ends up in exactly the same place.

Why It Matters

Networks fail. Retries fire. Timed-out requests get replayed. Without idempotency, every retry is a potential duplicate charge, a double-post, a corrupted record, or a data leak. Idempotency is the safety rail that makes distributed systems reliable. It is the difference between "maybe once" and "exactly once, guaranteed." In deterministic, auditable systems, you cannot tolerate ambiguity. Every operation must have a knowable outcome. Idempotency makes that possible.

How It Works

Idempotency lives at the intersection of the operation itself and the system's handling of repeated attempts. Here is the step-by-step mechanism:

  1. The client sends a request with an idempotency key. A unique key (UUID, hash, or composite) travels with the request. The key identifies the intent, not just the payload.
  2. The server checks the key. Before acting, the server looks up the key in its idempotency store (a database, cache, or ledger).
  3. If the key is new, the server executes the operation. It runs the work, records the result, and stores the key with the outcome.
  4. If the key is a duplicate, the server returns the stored result. No new work happens. The client gets the same response as before.
  5. The key expires after a defined window. The store keeps keys for a bounded period (hours, days, or a configurable TTL). After that, the key may be reused for a new operation.

This is the canonical pattern. Stripe, AWS, and every payment API worth using implement it exactly this way. The key is the contract. The store is the guard. The TTL is the cleanup.

The Contract

  • Idempotency key: A client-generated unique identifier for a specific intent. Must be included in every request that needs idempotency protection. Must be unique per intent, not per request.
  • Key storage: The server must retain keys for a bounded window. The minimum window is 24 hours. The recommended window is 7 days.
  • Response replay: On duplicate keys within the window, the server must return the exact stored response, not re-execute the operation.
  • Error handling: If the first attempt failed, the client may change the request and use a new key. The server must not retry failed operations automatically on behalf of the client.
  • Key lifecycle: Keys expire. After expiration, a duplicate key is treated as a new request. The client is responsible for generating fresh keys for fresh intents.
  • Side effect constraint: An idempotent operation must not produce new side effects on replay. The system state after one execution must equal the system state after one hundred executions.

Real Examples

Payment processing. A customer clicks "pay" once. The network hiccups. The client retries. Without idempotency, the card is charged twice. With idempotency, the retry hits the same key and returns the same success response. The charge happens once. The customer is not angry.

Provisioning resources. You send an API request to create a VM with a specific name. The request times out. You retry. Without idempotency, you get two VMs with the same name and a billing headache. With idempotency, the retry returns the already-created VM. You have one VM. The bill is correct.

Webhook delivery. Your system sends a webhook to a partner. The partner's server ACKs, but the ACK never arrives. Your retry fires. Without idempotency, the partner processes the same event twice and double-ships an order. With idempotency, the partner deduplicates by event ID and processes once.

Database upserts. You insert a row with an INSERT ... ON CONFLICT DO NOTHING. The first insert succeeds. The second insert conflicts, does nothing, and returns the same row. The table has one row. The result is identical.

State machine transitions. A request moves an order from "pending" to "shipped." The transition is idempotent because the target state is the same regardless of how many times the command is received. The order ships once. The warehouse is not confused.

Common Mistakes

Reusing keys across different operations. An idempotency key identifies an intent, not a user or a session. Using the same key for "charge $10" and "charge $20" is a bug. The second request will return the $10 result.

Storing only the key, not the response. The server must cache the full response. If it only stores the key, the client gets a different answer on retry. The contract is broken.

Using mutable data as a key. A timestamp, a random number, or a hash of the payload if the payload changes between retries — these are not stable keys. Keys must be deterministic and client-controlled.

Infinite key retention. Keeping every key forever fills storage and degrades performance. Keys need a TTL. The window must be documented. The client must know when a key is stale.

Assuming read operations are idempotent. They are safe, but they are not the problem. Idempotency matters for mutations. A GET that returns a changing value is not idempotent in the strict sense because the result changes. The system is still safe, but the guarantee is weaker.

Ignoring idempotency in internal systems. Teams often implement it at the API gateway but skip it in backend services. A retry from service A to service B can still duplicate work if service B has no guard. Idempotency is a stack-wide property, not a gateway decoration.

Connection to OIP

OIP is built on the principle that every operation must be open, deterministic, and auditable. Idempotency is the engine of determinism. It guarantees that a given input produces a known output, regardless of how many times the system receives it. In an open protocol, anyone can send a request. In an auditable system, every request must have a traceable, repeatable outcome. Idempotency makes both possible. Without it, the ledger is unreliable. With it, the ledger is a source of truth. Every operation in OIP is designed to be idempotent by default. Not as an afterthought. As a first principle. The protocol does not trust the network. It does not trust the client. It trusts the contract: same key, same result, every time. That is the foundation of a system that can be inspected, verified, and relied upon by anyone.

Connection to the Grain Philosophy

This protocol is part of the Open Inventory Protocol — a living system of self-describing voxels that serves the Grain philosophy. The OIP is the interface. The philosophy is the core.

oip-what-is-idempotency · condition map

Evidence map

Hover a node — its path lights up. Click to open the article.

Full map →
Talk to this article
Tap a phone. Ask anything about What Is Idempotency. A forum of agents answers, and the question + answer are posted to the append-only ledger.
Questions queue for the coding-agent forum (one answer per cron tick). Real phone instead: iMessage +14245134626 · WhatsApp. Thread + proof: JSON · ledger.
Loading more articles…