Yes, idempotence is important but it goes hand in hand with verbs. Browsers and API clients work on the assumption that a POST verb is never idempotent and will behave accordingly, so it is important to keep that relationship intact.
I agree with the points you make about advantages of using a POST verb to hide sensitive data.
Browsers and API clients work on the assumption that a POST verb is never idempotent and will behave accordingly
Does this mean they assume other verbs to be always idempotent and also behave accordingly?
I used POST as an example in my statement. What I wanted to say is that they will assume what the standard says and behave accordingly.
What about checking for authorization before returning such GET requests? Wouldn't it be another way of protecting sensitive data?
I may be misunderstanding your point but it goes without saying that you always properly protect your API, no matter which HTTP method is being used.
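An added illustration of the retry point raised in this thread (editor's example, not code from any participant): a client that retries on transport errors only for methods RFC 7231 defines as idempotent, or when an Idempotency-Key header is present, run against a constructed in-memory server and a transport that loses the first response after the server has already processed the request. The FakeServer, FlakyTransport and the Idempotency-Key replay handling are assumptions made for the demo.

```python
from dataclasses import dataclass, field

# Methods RFC 7231 defines as idempotent; POST and PATCH are deliberately absent.
IDEMPOTENT_METHODS = {"GET", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE"}


@dataclass
class FakeServer:  # constructed stand-in for an API; POST /charges has a side effect
    charges: list = field(default_factory=list)
    seen_keys: dict = field(default_factory=dict)

    def handle(self, method, path, body, headers):
        key = headers.get("Idempotency-Key")
        if key in self.seen_keys:            # replay of a keyed request: answer from the record
            return self.seen_keys[key]
        if method == "POST" and path == "/charges":
            self.charges.append(body)        # the side effect: money moves here
            resp = (201, {"id": len(self.charges)})
        elif method == "GET" and path == "/charges":
            resp = (200, {"count": len(self.charges)})
        else:
            resp = (405, {})
        if key is not None:
            self.seen_keys[key] = resp
        return resp


@dataclass
class FlakyTransport:  # delivers every request but loses the first response on the wire
    server: FakeServer
    sent: int = 0

    def send(self, method, path, body, headers):
        self.sent += 1
        resp = self.server.handle(method, path, body, headers)  # side effect already happened
        if self.sent == 1:
            raise ConnectionError("response lost after the server processed the request")
        return resp


def safe_to_retry(method, headers):
    return method.upper() in IDEMPOTENT_METHODS or "Idempotency-Key" in headers


def request(transport, method, path, body=None, headers=None,
            max_attempts=3, respect_idempotence=True):
    headers = headers or {}
    for attempt in range(1, max_attempts + 1):
        try:
            return transport.send(method, path, body, headers)
        except ConnectionError:
            # Give up when out of attempts, or when a replay could duplicate work.
            if attempt == max_attempts or (respect_idempotence and not safe_to_retry(method, headers)):
                raise
```

With respect_idempotence=False the same POST is replayed and the server records the charge twice, which is exactly the duplication the method-based rule prevents.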