What Is HTTP QUERY? RFC 10008 Explained for API Developers
RFC 10008 (June 2026) adds HTTP QUERY โ safe, idempotent, cacheable reads with a request body. First new HTTP method since PATCH (2010). vs GET, POST, when to use it, Accept-Query, CORS, and adoption reality.
Does HTTP finally have GET with a body? Almost โ RFC 10008 (The HTTP QUERY Method, published June 15, 2026) standardizes QUERY: the first new HTTP method in 16 years since PATCH (RFC 5789, 2010).
X/Grok trending framed it simply: no more stuffing complex search filters into 800-character URLs; no more POST for read-only search. The RFC authors โ Julian Reschke, James Snell (Cloudflare), Mike Bishop (Akamai) โ spent a decade in the HTTPBIS working group getting there.
TL;DR โ what people are asking
Question
Answer
What is QUERY?
Safe + idempotent + cacheable request with a body describing the query
GET vs QUERY?
GET = params in URL; QUERY = params in body (no URL length pain)
POST vs QUERY?
POST = may mutate state; QUERY = read-only semantics for the target resource
First since when?
PATCH (2010) โ QUERY registered June 2026
Header to discover?
Accept-Query lists supported query media types
Browser catch?
CORS preflight required โ QUERY is not safelisted
Zero writes?
HTTP-safe โ DB-read-only โ logging and temp URLs still happen
The problem QUERY solves
Classic list/search pattern today:
GET /feed?q=foo&limit=10&sort=-published HTTP/1.1
Host: example.org
Nested JSON filters in query strings are ugly and lossy
Logging & bookmarks
URIs show up in logs, analytics, browser history
Resource explosion
Every filter combo becomes a distinct cache key / "resource"
Teams then abuse POST for reads:
POST /feed HTTP/1.1
Host: example.org
Content-Type: application/json
{"q":"foo","filters":{"tags":["ai","api"]},"limit":10}
POST works mechanically โ but retries are scary, caches ignore it for reads, and intermediaries cannot tell this is a safe search without out-of-band docs.
Servers MUST reject missing or inconsistent Content-Type (400, 415, 422 as appropriate).
2. Discover support with Accept-Query
HEAD /contacts HTTP/1.1
Host: example.org
HTTP/1.1 200 OK
Accept-Query: application/x-www-form-urlencoded, application/sql
Or check OPTIONS โ Allow: GET, QUERY, HEAD.
3. Repeat without resending the body
Successful QUERY responses may include:
Content-Location โ GET this URI for these results
Location โ GET this URI to re-run the same query later
That lets clients move from QUERY โ GET for polling and conditional requests (If-None-Match, If-Modified-Since).
4. Caching is harder than GET
Caches may store QUERY responses, but the cache key must include the request body and metadata. Mis-normalization = false cache hits. Mitigation: Location URIs clients can GET instead.
5. CORS preflight
Per Fetch spec, QUERY is not CORS-safelisted โ browsers will preflight cross-origin QUERY. Plan for OPTIONS handling in public APIs.
For short queries, RFC itself says: if it's this small, use GET.
What QUERY is not
"Safe" does not mean free or write-free
RFC defines safe as: no change to the target resource's state. Servers may still:
Write temporary stored-query or stored-result resources
Log request bodies (prefer QUERY over GET when sensitive filters should not hit URL logs โ RFC security section)
Hit databases that read but still generate load, replicas, and billing
@yacineMTB on X (replying to adoption threads): "Queries, unfortunately, are not 0 writes for the vast majority of cases." Correct at the infrastructure layer.
Not a replacement for GraphQL or gRPC
QUERY standardizes HTTP semantics for search-shaped REST endpoints. It does not replace:
It does give OpenAPI designers a first-class verb for POST /search anti-patterns.
Migration patterns for API teams
Today
Tomorrow
POST /api/users/search
QUERY /api/users
GET /api/logs?filter=... (10KB URL)
QUERY /api/logs + JSON body
POST /reports/run (read-only)
QUERY /reports
GraphQL POST (unchanged)
Still GraphQL
Checklist before shipping QUERY:
Idempotent handler โ same body โ same logical result (modulo data changes)
No target-resource mutation โ writes go to POST/PUT/PATCH
Expose Accept-Query on resources that support multiple query formats
CDN/proxy config โ allow QUERY method; verify cache key includes body
CORS โ add OPTIONS + Access-Control-Allow-Methods: QUERY
Client libraries โ most need custom method string until native support
Adoption timeline (realistic)
Layer
June 2026 status
IETF / IANA
โ RFC 10008 Proposed Standard
curl / HTTP clients
Manual --request QUERY possible where supported
Frameworks (Express, FastAPI, etc.)
Patch incoming; route registration varies
API gateways (Cloudflare, Akamai)
Authors' employers โ watch vendor blogs
Browsers fetch()
No default yet; preflight either way
OpenAPI 3.x
Community extensions / 3.1 query verb discussions
Vincent Eliezer's X quip โ "Even internet protocols are shipping faster than GTA 6" โ is fair. Standards ship โ your stack supports it tomorrow.
FAQ โ quick answers
Why not SEARCH? Early drafts used SEARCH (WebDAV heritage). RFC appendix explains QUERY won โ clearer relation to URI query components, less WebDAV baggage, explicit media-type semantics.
Can I use QUERY from Claude Code / agents? Yes once your HTTP client allows custom methods โ same as any REST surface agents call via MCP or tools. Document idempotency so agents can retry safely.
Does QUERY help AI search APIs? Indirectly โ fat retrieval filters (RAG metadata, JSONPath over corpora) fit QUERY's body model better than GET. Pair with GEO content strategy on the data you expose, not the HTTP verb alone.