2

I am currently implementing a "token" REST service.

A token is just a string, built from some parameters, which is then hashed and expires after a certain amount of time.

I want to have an endpoint in my REST service which can validate a token, but I'm not 100% sure how to implement it in a RESTful way

  1. I assume this should be done via GET because it doesn't change state and so long as I set cache controls correctly it can be cached for a sensible amount of time, i.e. mysite.com/token/kjfhwekjfwekj
  2. What are the appropriate return codes? I would assume 200 if it is valid, but what about if it's invalid? I feel a 400 is wrong because although the resource itself is invalid, the client isn't calling the endpoint incorrectly. Is 404 correct here? If we think of tokens as short lived resources I guess so?
Chris James

3 Answers

6

GET is the correct HTTP verb to check a token.

Assuming that 'invalid' for a token means that:

  1. it never existed, or
  2. it existed but does not exist anymore.

Do you want the client of your service to be able to know the difference?

  • If yes, return 404 Not Found for case 1, and 410 Gone for case 2.
  • If no, return 404 Not Found.

If the token exists, 200 OK is correct.

Tadeck
  • It might also be invalid because a user just tried to make a token up, i.e. /token/iamguessingatokenname, but I assume 404 is still ok for this because it's still technically a resource that has never existed – Chris James Nov 05 '12 at 10:44
  • @qui True, but how can the server distinguish between a token that never existed and a made-up token? I don't think it can. –  Nov 05 '12 at 10:45
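A small worked version of the status mapping in this answer, added here as an example and not code from the answer or from the asker's service. It assumes an in-memory store keyed by token id with an expiry time (constructed for the example; a real service would use a database), serves GET and HEAD on /token/<id>, and caps the Cache-Control max-age of a "valid" response by the token's remaining lifetime so a cached 200 can never outlive the token. The names TokenStore, status_for and TokenHandler are this example's own.

```python
import http.server
import time
from typing import Dict, Optional


class TokenStore:
    """Constructed in-memory store: token id -> expiry (Unix seconds).
    A real service would back this with a database; the store is an
    assumption of this example, not part of the original answer."""

    def __init__(self) -> None:
        self._expiry: Dict[str, float] = {}

    def issue(self, token_id: str, ttl_seconds: int, now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        self._expiry[token_id] = now + ttl_seconds

    def seconds_left(self, token_id: str, now: Optional[float] = None) -> float:
        now = time.time() if now is None else now
        return self._expiry.get(token_id, now) - now

    def status_for(self, token_id: str, now: Optional[float] = None,
                   distinguish_expired: bool = True) -> int:
        """Map token state to the HTTP status the answer recommends:
        200 live, 404 never issued, 410 issued but expired (404 instead
        of 410 when the client should not be able to tell the two apart)."""
        now = time.time() if now is None else now
        expires_at = self._expiry.get(token_id)
        if expires_at is None:
            return 404                                   # case 1: never existed
        if expires_at <= now:
            return 410 if distinguish_expired else 404   # case 2: existed, now gone
        return 200


STORE = TokenStore()


class TokenHandler(http.server.BaseHTTPRequestHandler):
    """Serves GET and HEAD /token/<id>; HEAD returns the same status and
    headers without a body, for clients that only want the verdict."""
    PREFIX = "/token/"
    BODIES = {200: b"valid\n", 404: b"unknown token\n", 410: b"token expired\n"}

    def _respond(self, send_body: bool) -> None:
        if not self.path.startswith(self.PREFIX):
            self.send_error(404)
            return
        token_id = self.path[len(self.PREFIX):]
        code = STORE.status_for(token_id)
        body = self.BODIES[code]
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        if code == 200:
            # A cached "valid" must not outlive the token: cap max-age by the time left.
            max_age = int(min(30, STORE.seconds_left(token_id)))
            self.send_header("Cache-Control", "private, max-age=%d" % max_age)
        else:
            self.send_header("Cache-Control", "no-store")
        self.end_headers()
        if send_body:
            self.wfile.write(body)

    def do_GET(self) -> None:
        self._respond(send_body=True)

    def do_HEAD(self) -> None:
        self._respond(send_body=False)


if __name__ == "__main__":
    STORE.issue("kjfhwekjfwekj", ttl_seconds=300)   # constructed sample token id
    http.server.HTTPServer(("127.0.0.1", 8080), TokenHandler).serve_forever()
```

Run it and `curl -i http://127.0.0.1:8080/token/kjfhwekjfwekj` returns 200 with a short max-age, an unknown id returns 404, and the same id after five minutes returns 410; pass `distinguish_expired=False` to collapse the last case into 404 as the answer's second option.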
1

If you want to be RESTful, probably the best is to use the HEAD method, because you are not requesting a token, you just want to know if the token exists.

The HEAD method is for requesting metadata of a resource. GET is for retrieving resources.

padilo
0

The server has the symmetric hashing key; it can be used to validate if the incoming token was generated by someone other than itself.

Tushar
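The stateless check this answer describes, as an added example that is not the answer's own code: the server issues a token as base64(payload).base64(HMAC-SHA256 tag) under a key only it holds, and validation recomputes the tag, compares it in constant time, and only then trusts the expiry embedded in the payload. This lets the server tell a made-up token from one it issued, which the comment thread above asked about. The key is a constructed placeholder, and issue_token, verify_token and the STATUS_FOR mapping (which ties the outcomes back to the status codes in the accepted answer) are this example's own names.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed key for the example; a real service loads it from a secrets store.
SERVER_KEY = b"example-key-do-not-use-in-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    pad = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + pad)


def issue_token(params: dict, ttl_seconds: int, key: bytes = SERVER_KEY,
                now: Optional[float] = None) -> str:
    """Serialize the parameters plus an expiry, then append an HMAC tag."""
    now = time.time() if now is None else now
    payload = dict(params, exp=int(now + ttl_seconds))
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return "%s.%s" % (_b64(body), _b64(tag))


def verify_token(token: str, key: bytes = SERVER_KEY,
                 now: Optional[float] = None) -> str:
    """Return 'valid', 'malformed', 'forged' or 'expired'.
    The signature is checked before any field of the payload is parsed,
    so nothing inside an unauthenticated token influences the outcome."""
    now = time.time() if now is None else now
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return "malformed"
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Constant-time comparison so timing does not leak how many tag bytes matched.
    if not hmac.compare_digest(tag, expected):
        return "forged"
    try:
        exp = int(json.loads(body)["exp"])
    except (ValueError, KeyError, TypeError):
        return "malformed"
    if exp <= now:
        return "expired"
    return "valid"


# Outcome -> HTTP status, following the accepted answer: a token the server
# never produced is indistinguishable from one that never existed (404).
STATUS_FOR = {"valid": 200, "forged": 404, "malformed": 404, "expired": 410}


if __name__ == "__main__":
    t = issue_token({"user": "alice"}, ttl_seconds=60)   # constructed sample
    print(t)
    print(verify_token(t), STATUS_FOR[verify_token(t)])
    print(verify_token("iamguessingatokenname"))
```

Because the verdict depends only on the key and the clock, this endpoint needs no token table; the trade-off is that a token cannot be revoked before its expiry without adding server-side state such as a deny list.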