Retries Demand Idempotency

The principle

Agents retry on timeouts, rate limits, and transient errors, but a failed call that never returned may have already succeeded on the server. Without an idempotency key, the retry that 'fixes' a network blip quietly double-charges the card, double-sends the email, or double-books the room. Safe retries depend on the server being able to dedupe.

Why it happens

The dangerous retry is the one after an ambiguous failure. The server may have charged the card, sent the email, or created the record, while the client only saw a timeout. Retrying without dedupe repeats the side effect. Idempotency keys solve this by naming the logical action: the server stores the first result and replays it for later attempts with the same key. Backoff and jitter matter too, because synchronized retries can overload the dependency you are trying to recover. Any retryable side effect needs both controls.

Watch for

• A side-effecting tool call is retried on timeout with no key that lets the server recognize a duplicate.
• Retries fire immediately or on a fixed interval rather than with exponential backoff and jitter.
• You have seen duplicate charges, emails, or records traced to a network blip rather than a logic bug.

Apply it

1. Generate a unique idempotency key per logical action and send it on every side-effecting call so the server can dedupe.
2. Never let the agent blindly retry a non-idempotent operation without that key.
3. Retry with exponential backoff and jitter so synchronized retries do not amplify load on a struggling dependency.

Sources and further reading

• Making retries safe with idempotent APIs · AWS Builders' Library
• Idempotent requests (Stripe API Documentation) · Stripe