Request/responseBeginner

REST APIs

A REST API is a request/response interface over HTTP in which each call asks a named endpoint to read or change a resource and returns exactly one structured reply with a status code indicating the outcome.

Quick answer: A REST API is a request/response interface over HTTP in which each call asks a named endpoint to read or change a resource and returns exactly one structured reply with a status code indicating the outcome.

In simple words

REST is a question-and-answer style of talking to a server. Your code sends one HTTP request — for example, place this order — and gets back one HTTP response with a code and a body. Each call is self-contained: you say what you want, the server does it and replies, and the conversation ends until you ask again.

Purpose

REST gives trading systems a simple, well-understood way to perform discrete actions — placing an order, cancelling it, fetching positions — where a single definite answer per request is exactly what you need.

Professional explanation

The request/response model

Every REST interaction is one request producing one response. The request carries a method (the verb), a URL (which resource), headers (metadata such as authentication and content type) and optionally a body (the payload, usually JSON). The server processes it and returns a response with a status code, headers and a body. Crucially, standard REST is stateless per call: the server does not remember your previous request, so everything needed to interpret this one — including your auth token — travels with it. This statelessness makes REST easy to scale and reason about, but it also means REST cannot, by itself, push you updates; you only learn something changed by asking again.

Endpoints and resources

A REST API is organised around resources, each addressed by an endpoint URL. A broker API might expose /orders for the order collection, /orders/{id} for a specific order, /positions for open positions and /instruments for the tradable universe. The path names the thing; the method names the operation on it. Good API design keeps endpoints noun-like and predictable, so /orders with a POST creates an order and /orders with a GET lists them. Reading the documentation to learn the exact endpoint names, required fields and response shapes is the unavoidable first step of integrating any broker.

HTTP methods and their semantics

The verbs carry meaning that matters for safety. GET reads and must not change state, so it is safe to repeat freely. POST typically creates something — an order — and is generally not idempotent, meaning two identical POSTs can create two orders. PUT and PATCH modify an existing resource, and DELETE removes or cancels one; these are usually idempotent, so repeating them lands in the same final state. This distinction is not academic in trading: because POST is not naturally idempotent, a retried order-placement POST can double-send, which is precisely why order creation needs explicit idempotency safeguards while a cancel (DELETE) can be retried more freely.

Status codes: the outcome signal

The three-digit status code is the first thing your code must inspect. 2xx means success — 200 OK for a completed read, 201 Created for a new order. 4xx means the request was wrong and will keep failing unless you change it: 400 bad request, 401 unauthorised (auth failed), 403 forbidden (not allowed), 404 not found, 429 too many requests (rate limited). 5xx means the server failed — 500 internal error, 502/503/504 gateway or availability problems — and may succeed if retried later. The families map cleanly onto behaviour: never retry a 400 unchanged, back off and retry a 429 or 5xx, and treat a 401 as a signal to refresh credentials. Reading the numeric code and the error body together, rather than assuming success, is fundamental.

Payloads, content types and parsing

Most broker REST APIs speak JSON: your request body is a JSON object of order fields, and the response body is JSON you must parse. The Content-Type header declares the format, and mismatches (sending form-encoded data where JSON is expected, or vice versa) produce confusing 400s. Your client should validate that the response is well-formed and contains the fields you expect before using them — a 200 status with an unexpected body shape, perhaps due to an API version change, can otherwise be misread as a successful order. Defensive parsing, not blind trust, is the norm.

When to use REST in a trading system

REST is the right tool for actions and point-in-time queries: place, modify, cancel an order; fetch current positions, funds, margins, holdings; pull a batch of historical candles. It is the wrong tool for continuous real-time data, because polling a REST endpoint every fraction of a second to simulate a live feed is wasteful, laggy and rate-limit-hostile — that job belongs to a WebSocket. A clean architecture uses REST for the transactional spine of the system and a stream for the firehose of market ticks and order updates.

Common HTTP methods in a broker API

MethodPurposeIdempotent?
GETRead data (positions, quotes, order status)Yes — safe to repeat
POSTCreate a resource (place an order)No — can double-create
PUT / PATCHModify an existing orderUsually yes
DELETECancel an order / remove a resourceUsually yes

Practical example

Illustrative example (Indian market)

Your system decides to buy 1 lot of Nifty. It sends POST /orders with a JSON body specifying exchange NFO, the tradingsymbol, transaction_type BUY, quantity 75, order_type MARKET and product NRML, plus an auth header. The broker replies 201 Created with an order id. Your code then polls GET /orders/{id} and reads status TRIGGER PENDING then COMPLETE. Because the POST is not idempotent, your client attached a unique client reference and logged the order id, so that if the network had dropped the 201 you could query by that reference instead of blindly re-POSTing and risking two lots. Every number here is illustrative.

Indian broker REST APIs typically expose separate product and validity fields (MIS, CNC, NRML; DAY, IOC) that map directly onto exchange order attributes. A 400 response often means an invalid combination — for instance requesting delivery product on an index future — so reading the error body, which usually names the offending field, saves hours versus assuming the API is down.

Advantages

  • Simple, universal and well-documented — every language has an HTTP client
  • Stateless calls are easy to test, log, replay and reason about individually
  • Status codes give a clear, standard signal of success, client error or server error
  • Ideal for discrete actions and point-in-time queries where one definite answer is wanted

Limitations

  • Cannot push updates — you only learn of changes by polling, which adds latency and load
  • POST is not idempotent by default, so retried order requests can double-send without safeguards
  • Each call carries overhead (connection, headers, auth), making high-frequency polling inefficient
  • A 200 status does not guarantee the body is the shape you expect after an API version change
  • Aggressive polling quickly runs into rate limits and bans

Common mistakes

  • Treating any 2xx as success without parsing the body and confirming the order state
  • Retrying a failed POST order request blindly, creating duplicate orders
  • Retrying a 400 (bad request) unchanged instead of fixing the malformed input
  • Polling a REST quote endpoint in a tight loop instead of subscribing to a WebSocket
  • Ignoring the 401 vs 429 distinction — refreshing tokens when you should be backing off, or vice versa
  • Assuming all brokers use identical endpoint names, fields and status conventions

Professional usage

Professional systems wrap the raw HTTP client in a typed layer that centralises authentication, retries, timeouts and status-code handling, so strategy code never touches URLs directly. They map status-code families to explicit policies (retry, refresh, fail, alert), attach client-side idempotency references to order POSTs, and set aggressive but sane timeouts so a hung request cannot stall the whole loop. Every request and response is logged with correlation ids for post-trade reconciliation and debugging.

Key takeaways

  • REST is a stateless request/response model: one call, one endpoint, one status-coded reply
  • Methods carry meaning — GET reads safely, POST creates and can double-send, DELETE cancels idempotently
  • Status codes are the outcome signal: 2xx success, 4xx your fault, 5xx server's fault; act accordingly
  • Use REST for actions and queries, not for streaming live prices — that is a WebSocket's job

Frequently asked questions

What is a REST API?
A REST API is a request/response interface over HTTP where each call targets a named endpoint with a method and returns one structured reply carrying a status code. It is stateless per call, so everything needed to process a request travels with it, including authentication.
What does REST stand for?
Representational State Transfer. In practice for trading it means an HTTP-based, resource-oriented interface where you use standard methods on endpoints and receive standard status codes. The theory matters less than the predictable request/response behaviour.
What are HTTP methods used for?
They name the operation on a resource: GET reads, POST creates, PUT/PATCH modify, DELETE removes or cancels. In a broker API, placing an order is a POST, cancelling is a DELETE, and querying status is a GET.
What do HTTP status codes mean?
The first digit sets the family: 2xx is success, 4xx is a client-side error you must fix, and 5xx is a server-side failure that may pass on retry. Reading the exact code — 401, 429, 500 — tells your code whether to refresh auth, back off, or retry.
Should I retry a failed REST request?
It depends on the code. Retry 429 and 5xx with backoff because they are often transient; do not retry a 400 unchanged because the request itself is wrong. Retry order-creating POSTs only with an idempotency safeguard so you do not double-send.
Why is POST not safe to retry for orders?
POST typically creates a new resource, so two identical order POSTs can create two orders. If the response is lost to a network drop, blindly re-POSTing risks a duplicate; you should query by a client reference or idempotency key instead.
What is an endpoint?
An endpoint is a URL that addresses a resource, such as /orders or /positions. The path identifies the thing and the HTTP method identifies the operation on it. Learning a broker's exact endpoints and fields is the first integration step.
Is REST good for live market data?
No. REST requires you to poll, which adds latency and load and quickly hits rate limits. Continuous live ticks and order updates belong on a WebSocket stream; REST is for discrete actions and snapshots.
What format do REST APIs use?
Most broker REST APIs exchange JSON, declared by the Content-Type header. Your client sends a JSON body and parses a JSON response, validating that the fields you need are present rather than trusting the shape blindly.
What does a 401 versus a 429 mean?
A 401 means authentication failed or the token expired, so you should refresh credentials and re-authenticate. A 429 means you exceeded the rate limit, so you should slow down and back off. Confusing them leads to the wrong recovery action.
Does a 200 OK mean my order was placed correctly?
It means the request was processed successfully at the HTTP level, but you must still parse the body to confirm the order id and status. An API version change or edge case can return 200 with an unexpected body, so confirm rather than assume.
How is REST different from RPC or GraphQL?
REST is resource-oriented around endpoints and standard HTTP methods; RPC calls named procedures; GraphQL lets the client shape one flexible query. Most Indian broker APIs are REST-style plus a WebSocket, so REST is the model you will use most.
Do all brokers implement REST the same way?
No. Endpoint names, required fields, product codes and even status conventions differ between brokers. Always read the specific broker's documentation and never assume one broker's contract maps onto another's.

Voice search & related questions

Natural-language questions people ask about REST APIs.

What is a REST API in plain words?
It is a question-and-answer way for your code to talk to a server: you send one request, you get one reply with a status code, and then the conversation ends until you ask again.
When should I use REST in trading?
Use it for actions and snapshots — placing or cancelling an order, checking positions or funds. For a live price feed, use a WebSocket instead.
What does a 429 error mean?
It means you sent too many requests too fast and hit the rate limit. Slow down and back off before trying again, rather than hammering the endpoint.
Can I just keep asking REST for live prices?
You can, but it is a bad idea. Polling adds lag, wastes requests and trips rate limits. A WebSocket stream is the right tool for continuous ticks.
Why can retrying an order be dangerous?
Because placing an order is usually a POST, and two identical POSTs can create two orders. Retry only with an idempotency key or after checking whether the first one went through.
What is the simplest way to read a status code?
Look at the first digit: 2 means it worked, 4 means your request was wrong, 5 means the server had a problem. That alone tells you roughly what to do next.

Sources & references

    Last reviewed 11 July 2026. Educational content only — not investment advice. Markets and rules change; verify current conventions with SEBI, NSE/BSE and your broker.

    Educational content only — not investment advice. Examples use illustrative numbers and simplified models. Algorithmic trading and derivatives involve substantial risk. See our Risk Disclosure and SEBI Disclaimer.