PATCH (HTTP)

Last updated April 06, 2023

In computing, the PATCH method is a request method in HTTP for making partial changes to an existing resource.^[1] The PATCH method provides an entity containing a list of changes to be applied to the resource requested using the HTTP Uniform Resource Identifier (URI).^[1] The list of changes are supplied in the form of a PATCH document.^[1] If the requested resource does not exist then the server may create the resource depending on the PATCH document media type and permissions.^[1] The changes described in the PATCH document must be semantically well defined but can have a different media type than the resource being patched.^[2] Languages such as XML or JSON can be used in describing the changes in the PATCH document.

History of PATCH
PUT vs PATCH vs POST
Patching resources
Example
Trade-offs between PUT and PATCH
Caution
Error handling
Malformed patch document
Unsupported patch document
Unprocessable request
Resource not found
Conflicting state
Conflicting modification
Concurrent modification
Security considerations
References

History of PATCH

As per the semantics defined in the HTTP protocol, the GET, PUT, and POST methods need to use a full representation of the resource. The PUT method which can be used for resource creation or replacement is idempotent and can be used only for full updates. The edit forms used in conventional Ruby on Rails application need to create new resources by applying partial updates to a parent resource. Due to this requirement, the PATCH method was added to the HTTP protocol in 2010.^[3]^[4]

PUT vs PATCH vs POST

HTTP is the foundation of data communication for the World Wide Web. It is a request-response protocol which helps users communicate with the server to perform CRUD operations. HTTP defines a number of request methods such as PUT, POST and PATCH to create or update resources.^[5]

The main difference between the PUT and PATCH method is that the PUT method uses the request URI to supply a modified version of the requested resource which replaces the original version of the resource, whereas the PATCH method supplies a set of instructions to modify the resource. If the PATCH document is larger than the size of the new version of the resource sent by the PUT method then the PUT method is preferred.^[1]

The POST method can be used for sending partial updates to a resource. The main difference between the POST and PATCH methods is that the POST method can be used only when it is written to support the applications or the applications support its semantics whereas the PATCH method can be used in a generic way and does not require application support. If the outcome of using the PATCH method is not known then the POST method is preferred.^[1]^[6]

Patching resources

The PATCH method is atomic.^[1] Either all the changes specified by the PATCH method are applied or none of the changes are applied by the server.^[1] There are many ways of checking whether a patch was applied successfully. For example, the 'diff' utility can be applied to the older version and newer version of a file to find the differences between them.^[1]

A cached PATCH response is considered stale. It can only be used for the GET and HEAD requests that may follow the PATCH request.^[1]

The entity headers in the PATCH document are only applicable to the PATCH document and cannot be applied to the requested resource.^[1]

There is no standard format for the PATCH document and it is different for different types of resources. The server has to check whether the PATCH document received is appropriate for the requested resource.^[1]

A JSON Patch document would look like

[{"op":"add","path":"/count","value":1}]

"op" represents the operation performed on the resource. "path" represents the resource being modified. "value" represents the amount being added to the existing resource.^[7] Before applying the changes in the PATCH document, the server has to check whether the PATCH document received is appropriate for the requested resource. If the PATCH request succeeds then it returns a 204 response.^[8]

A XML PATCH document would look like

<addsel="doc/user[@email='xyz@abc.com']"type="@address"> ABC Road </add>

The element <user> is located using the 'email' attribute. A new attribute 'address' with the value "ABC Road" is added to the <user> element.^[9]

Example

A simple PATCH request example

PATCH/example.txtHTTP/1.1   Host: www.example.com   Content-Type: application/example   If-Match: "c0b42b66e"   Content-Length: 120      [Changes: the patch document containing all the changes that need to be made on the resource example.txt]

Successful PATCH response to existing text file:

HTTP/1.1204No Content   Content-Location: /example.txt   ETag: "c0b42b66f"

The response 204 means that the request was processed successfully.^[10]

Trade-offs between PUT and PATCH

Using the PUT method consumes more bandwidth as compared to the PATCH method when only a few changes need to be applied to a resource.^{[ citation needed ]} But when the PATCH method is used, it usually involves fetching the resource from the server, comparing the original and new files, creating and sending a diff file. On the server side, the server has to read the diff file and make the modifications. This involves a lot of overhead compared to the PUT method.^[11] On the other hand, the PUT method requires a GET to be performed before the PUT and it is difficult to ensure that the resource is not modified between the GET and PUT requests.

Caution

The PATCH method is not "safe" in the sense of RFC 2616: it may modify resources, not necessarily limited to those mentioned in the URI.^[1]

The PATCH method is not idempotent. It can be made idempotent by using a conditional request.^[1] When a client makes a conditional request to a resource, the request succeeds only if the resource has not been updated since the client last accessed that resource. This also helps in preventing corruption of the resource since some updates to a resource can only be performed starting from a certain base point.^[1]

Error handling

A PATCH request can fail if any of the following errors occur:

Malformed patch document

The server returns a 400 (Bad request) response if the PATCH document is not formatted as required.^[1]

Unsupported patch document

The server returns a 415 (Unsupported Media Type) response with an Accept-Patch response header containing supported media types when the client sends a patch document in a format not implemented by the server. This informs the client that the PATCH document sent by the client cannot be applied to the requested resource.^[1]

Unprocessable request

The server returns a 422 (Unprocessable Entity) response when the server understands the PATCH document but is unable to modify the requested resource either because it causes the resource to become invalid or it results in some other error state.^[1]

Resource not found

The server returns a 404 (Not Found) response when the PATCH document cannot be applied to a non-existent resource.^[1]

Conflicting state

The server returns a 409 (Conflict) response when the server cannot apply a patch for the current state of the resource.^[1]

Conflicting modification

The server returns a 412 (Precondition Failed) response when the precondition supplied by the client using the If-Match or If-Unmodified-Since header fails. If no precondition is supplied and there is a conflicting modification then the server returns a 409 (Conflict) response.^[1]

Concurrent modification

The server returns a 409 (Conflict) response if the PATCH requests to a certain resource need to be applied in a certain order and the server is not able to handle concurrent PATCH requests.^[1]

Security considerations

The PATCH request needs to use mechanisms such as conditional requests using Etags and the If-Match request header to ensure that data is not corrupted while patching.^[1] In case of a failure of a PATCH request or failure of the channel or a timeout, the client can use a GET request to check the state of the resource.^[1] The server has to ensure that malicious clients do not use the PATCH method for consuming excessive server resources.^[1]

Related Research Articles

The Domain Name System (DNS) is a hierarchical and distributed naming system for computers, services, and other resources in the Internet or other Internet Protocol (IP) networks. It associates various information with domain names assigned to each of the associated entities. Most prominently, it translates readily memorized domain names to the numerical IP addresses needed for locating and identifying computer services and devices with the underlying network protocols. The Domain Name System has been an essential component of the functionality of the Internet since 1985.

The Hypertext Transfer Protocol (HTTP) is an application layer protocol in the Internet protocol suite model for distributed, collaborative, hypermedia information systems. HTTP is the foundation of data communication for the World Wide Web, where hypertext documents include hyperlinks to other resources that the user can easily access, for example by a mouse click or by tapping the screen in a web browser.

The Lightweight Directory Access Protocol is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. Directory services play an important role in developing intranet and Internet applications by allowing the sharing of information about users, systems, networks, services, and applications throughout the network. As examples, directory services may provide any organized set of records, often with a hierarchical structure, such as a corporate email directory. Similarly, a telephone directory is a list of subscribers with an address and a phone number.

The Real Time Streaming Protocol (RTSP) is an application-level network protocol designed for multiplexing and packetizing multimedia transport streams over a suitable transport protocol. RTSP is used in entertainment and communications systems to control streaming media servers. The protocol is used for establishing and controlling media sessions between endpoints. Clients of media servers issue commands such as play, record and pause, to facilitate real-time control of the media streaming from the server to a client or from a client to the server.

Time to live (TTL) or hop limit is a mechanism which limits the lifespan or lifetime of data in a computer or network. TTL may be implemented as a counter or timestamp attached to or embedded in the data. Once the prescribed event count or timespan has elapsed, data is discarded or revalidated. In computer networking, TTL prevents a data packet from circulating indefinitely. In computing applications, TTL is commonly used to improve the performance and manage the caching of data.

A web server is computer software and underlying hardware that accepts requests via HTTP or its secure variant HTTPS. A user agent, commonly a web browser or web crawler, initiates communication by making a request for a web page or other resource using HTTP, and the server responds with the content of that resource or an error message. A web server can also accept and store resources sent from the user agent if configured to do so.

URL redirection, also called URL forwarding, is a World Wide Web technique for making a web page available under more than one URL address. When a web browser attempts to open a URL that has been redirected, a page with a different URL is opened. Similarly, domain redirection or domain forwarding is when all pages in a URL domain are redirected to a different domain, as when wikipedia.com and wikipedia.net are automatically redirected to wikipedia.org.

Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials, such as username or password, with a user's web browser. This can be used to confirm the identity of a user before sending sensitive information, such as online banking transaction history. It applies a hash function to the username and password before sending them over the network. In contrast, basic access authentication uses the easily reversible Base64 encoding instead of hashing, making it non-secure unless used in conjunction with TLS.

The HTTP response status code 303 See Other is a way to redirect web applications to a new URI, particularly after a HTTP POST has been performed, since RFC 2616.

In computing, POST is a request method supported by HTTP used by the World Wide Web. By design, the POST request method requests that a web server accept the data enclosed in the body of the request message, most likely for storing it. It is often used when uploading a file or when submitting a completed web form.

The HTTP Location header field is returned in responses from an HTTP server under two circumstances:

To ask a web browser to load a different web page. In this circumstance, the Location header should be sent with an HTTP status code of 3xx. It is passed as part of the response by a web server when the requested URI has:
To provide information about the location of a newly created resource. In this circumstance, the Location header should be sent with an HTTP status code of 201 or 202.

<span class="mw-page-title-main">WebSocket</span> Computer network protocol

WebSocket is a computer communications protocol, providing full-duplex communication channels over a single TCP connection. The WebSocket protocol was standardized by the IETF as RFC 6455 in 2011. The current API specification allowing web applications to use this protocol is known as WebSockets. It is a living standard maintained by the WHATWG and a successor to The WebSocket API from the W3C.

Constrained Application Protocol (CoAP) is a specialized Internet application protocol for constrained devices, as defined in RFC 7252. It enables those constrained devices called "nodes" to communicate with the wider Internet using similar protocols. CoAP is designed for use between devices on the same constrained network, between devices and general nodes on the Internet, and between devices on different constrained networks both joined by an internet. CoAP is also being used via other mechanisms, such as SMS on mobile communication networks.

The Session Initiation Protocol (SIP) is the signaling protocol selected by the 3rd Generation Partnership Project (3GPP) to create and control multimedia sessions with two or more participants in the IP Multimedia Subsystem (IMS), and therefore is a key element in the IMS framework.

JSON Web Token is a proposed Internet standard for creating data with optional signature and/or optional encryption whose payload holds JSON that asserts some number of claims. The tokens are signed either using a private secret or a public/private key.

The Automatic Certificate Management Environment (ACME) protocol is a communications protocol for automating interactions between certificate authorities and their users' servers, allowing the automated deployment of public key infrastructure at very low cost. It was designed by the Internet Security Research Group (ISRG) for their Let's Encrypt service.

Application Layer Transport Optimization (ALTO) is a protocol that allows internet clients to obtain information that compares the network properties of paths to other endpoints. Typically, this would be used to identify the lowest-cost location to access a copy of some sort of content.

References

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 Dusseault, L.; Snell, J. (2010). "PATCH Method for HTTP". doi:10.17487/RFC5789. S2CID 42062521 . Retrieved 2015-09-12.{{cite journal}}: Cite journal requires |journal= (help)
↑ "Don't Patch Like An Idiot". Don't Patch Like An Idiot. 14 February 2014. Retrieved 16 September 2015.
↑ RFC 5789
↑ "History of PATCH". weblog.rubyonrails.org. Retrieved 25 September 2015.
↑ "Hypertext Transfer Protocol -- HTTP/1.1" . Retrieved 13 September 2015.
↑ "Why PATCH is Good for Your HTTP API". Why PATCH is Good for Your HTTP API. Retrieved 16 September 2015.
↑ "JSON Patch - draft-ietf-appsawg-json-patch-08". Ietf Datatracker. Retrieved 13 September 2015.
↑ "PATCH". MDN Web Docs. Retrieved 2018-10-11.
↑ Urpalainen, J. (2008). "XML RFC". tools.ietf.org. doi:10.17487/RFC5261 . Retrieved 25 September 2015.
↑ "PATCH". MDN Web Docs. Retrieved 2018-10-12.
↑ Darren (7 May 2014). "REST API Best Practices 3: Partial Updates - PATCH vs PUT". www.blogger.com. Retrieved 13 September 2015.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[RFC5789-1] 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 Dusseault, L.; Snell, J. (2010). "PATCH Method for HTTP". doi:10.17487/RFC5789. S2CID 42062521 . Retrieved 2015-09-12.{{cite journal}}: Cite journal requires |journal= (help)

[2] "Don't Patch Like An Idiot". Don't Patch Like An Idiot. 14 February 2014. Retrieved 16 September 2015.

[3] RFC 5789

[History_of_PATCH-4] "History of PATCH". weblog.rubyonrails.org. Retrieved 25 September 2015.

[RFC2616-5] "Hypertext Transfer Protocol -- HTTP/1.1" . Retrieved 13 September 2015.

[6] "Why PATCH is Good for Your HTTP API". Why PATCH is Good for Your HTTP API. Retrieved 16 September 2015.

[RFCJSONPATCH-7] "JSON Patch - draft-ietf-appsawg-json-patch-08". Ietf Datatracker. Retrieved 13 September 2015.

[8] "PATCH". MDN Web Docs. Retrieved 2018-10-11.

[XML_RFC-9] Urpalainen, J. (2008). "XML RFC". tools.ietf.org. doi:10.17487/RFC5261 . Retrieved 25 September 2015.

[10] "PATCH". MDN Web Docs. Retrieved 2018-10-12.

[51elliot-11] Darren (7 May 2014). "REST API Best Practices 3: Partial Updates - PATCH vs PUT". www.blogger.com. Retrieved 13 September 2015.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]