I am designing a game server API that allows a player to spend some game currency to "explore" a region (randomly getting some resource from that region). As this API call deducts player's game currency, it's not idempotent and unsafe, so I can't use GET, PUT, DELETE, leaving only POST. So my design is
POST /regions/:id/explore
Note that the verb/action is part of the URI, instead of in the HTTP method. Is this API RESTful? If yes, why? if no, what would be a RESTful design for this API?
There's a lot of discussion on whether REST URIs should have verbs or not, but that's merely a fetish. When it comes to URIs, what determines if your API is more or less RESTful isn't their design, but how your client obtains them. If you can't change your URIs anytime you want, it's not RESTful. If your clients are reading URI patterns from documentation and replacing fields like :id with values to build the final URIs to be used, that's not RESTful, it doesn't matter what the content of the URI is. Do some research on HATEOAS for more information on that.
With that part out of the way, POST is the method used for any action that isn't standardized by HTTP, which means you can usually do almost anything you want and still say it's RESTful, as long as it's clearly documented and the URI isn't from out-of-band information. You can guess what a GET, PUT, PATCH or DELETE does based on the HTTP standard, but you can't guess what a POST does.
Just be careful that you don't make your POSTs like an RPC method. For instance, don't do something where the resource the POST is applied to is identified by the payload instead of the URI. In your case, something like:
POST /explore
{"region_id": :id}
This is what's really meant by the mantra to avoid verbs or method names in the URI.
