I am designing an (as-RESTful-as-possible) API and would like to know how you would best solve the following:
- Assume we are designing a TLS endpoint to retrieve some resource:
GET /objects/{id}
- We don't want object
{id}s
to be stored in our web server logs, so we want to avoid using querystring or URI params; which leaves us with params in the request body. (assume the data is such that the id is sensitive and we don't have access to another non-sensitive id) - I understand that it is recommended against having parameters in a GET request body. HTTP GET with request body
- I understand that using POST to get data is also recommended against as it leads more towards an RPC design style and may generally be confusing.
How can (should) we design the API GET
endpoint to avoid using query or URI params that could be logged?
Is it acceptable to use POST in this scenario or is there another creative way?
(Note: this API will NOT be exposed to third-parties)