I want to delete protections from database. To do this, I need to pass list pf IDs to the backend and also some flag removeBackup = true/false
Should I use DELETE with request body or maybe append list of Ids (of type UUID, so these ids are long) as a query params and witgh additional flag as query param?
The best choice would be POST but I want to delete some records...
Should I use DELETE
No.
The semantics of DELETE are defined by RFC 7231 section-4.3.5.
Note this observation:
Relatively few resources allow the DELETE method -- its primary use is for remote authoring environments, where the user has some direction regarding its effect.
The semantics of DELETE those of the transporting documents over a network domain; and that's not what you want - the semantics of the side effect that you are trying to perform are specific to your domain.
Should I use DELETE with request body
No, because the payload of a DELETE message has no defined semantics. (In practice: if you have enough control over the environment in which the client is running, you might be able to get away with it. It's a fault, but not necessarily a fault that will lead to a failure.)
append list of Ids... as a query params
This one you can do, but it's a bit of a stretch.
Mechanically, it is perfectly straight forward; you can easily describe a list of query parameters in a URI template, which acts as a sort of generalization of a web form. And you can certainly send a DELETE request using that constructed URI -- after all, the point of the uniform interface is that all resources understand the HTTP method tokens the same way.
Furthermore, the semantics of DELETE are idempotent, which is a nice win: if the response to the DELETE request is lost, we can just resend the request again, knowing that a server will understand that a second copy of the request doesn't change the meaning.
But it's a bit RPC; in the sense that what we are really doing is sending to the server a document that describes some work that we want to do, but instead of putting the description of the work into the document, we are putting the description of the work into the URI.
A better choice here would be to admit that we aren't trying to delete a document, but instead to deliver a document to the web server so that it can read the instructions within it and do something useful. DELETE is not the right method token to use for that case.
The best choice would be POST but I want to delete some records...
It is okay to use POST. Remember, the world wide web was catastrophically successful with just GET and POST in its preferred hypertext media type (HTML).
PUT would also be a reasonable choice here. You need to think about the documents somewhat differently, but the payoff is that PUT, like DELETE, has idempotent semantics.
The somewhat differently: think about delivering (a copy of a ) problem ticket to the inbox of your db administrator. The document is a description of the work you want, HTTP semantics describe the transfer of the document, and the changes made to the database are a side effect of a successful delivery of the document.
If you are planning to delete multiple items, technically you are doing one of the following two things.
You are deleting items of a parent resource: In which case you can go with PUT of parent resource(Or PATCH depends on your choice)
Not following REST semantics : It is not necessary that all our use cases will be fit into REST style, sometimes we might need to deviate from REST style. For eg. batch updates, performance/security aspects on a resource that we are dealing etc. In your case you are trying to execute a batch. This is quite common use case in more of the API publishers. In fact amazon, google etc support batch api which will mostly be done in POST. Since it is not defined in REST, we can choose the way we think is better. Following are some of the ways that you can do with batch scripts.
Whatever you use, make sure you document it properly for your clients.
