1 year ago

#222277

user16768564

RESTful resource creation in multiple steps

There are situations where resource creation requires more than one step.

Example

A session resource is created when a user authenticates. So the API call responsible for authentication would be a POST to example.com/api/sessions.

We use a password-authenticated key exchange for authentication. This requires the sending of two messages to the server: AuthInit and AuthFinish. The session should only be created once the user is authenticated (after successful processing of AuthFinish).

But since there are now two steps to creating a session, where should each of the two requests be sent?

Potential Solution 1: two endpoints

AuthInit -> example.com/api/sessions/init

AuthFinish -> example.com/api/sessions/finish

Potential Solution 2: one endpoint handles both

AuthInit -> example.com/api/sessions

AuthFinish -> example.com/api/sessions

api

rest

api-design

restful-authentication

0 Answers
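An added example, not part of the original post: a sketch of the server-side state handling the question describes, where AuthInit only records a short-lived pending handshake and the session resource is created solely after AuthFinish verifies. It works with either URL layout from the question. The PAKE computation is replaced by a labelled HMAC stand-in, and the function names, status codes, TTL and `handshake_id` field are assumptions.

```python
import hashlib
import hmac
import secrets
import time

PENDING_TTL = 30   # seconds a half-finished handshake may live (assumed value)
pending = {}       # handshake_id -> (username, server_nonce, expires_at)
sessions = {}      # session_id -> username; written only after AuthFinish

# Stand-in for the PAKE math, NOT a real PAKE: the client "proof" is an HMAC
# over the server nonce with a constructed per-user key.
USER_KEYS = {"alice": b"constructed-demo-key"}

def client_proof(key, nonce):
    return hmac.new(key, nonce, hashlib.sha256).digest()

def verify_proof(username, nonce, proof):
    key = USER_KEYS.get(username, b"\x00")
    expected = hmac.new(key, nonce, hashlib.sha256).digest()
    return username in USER_KEYS and hmac.compare_digest(expected, proof)

def handle_auth_init(username, now=None):
    """AuthInit: store pending state only; no session exists yet."""
    now = time.time() if now is None else now
    hid = secrets.token_urlsafe(16)
    nonce = secrets.token_bytes(16)
    # Unknown users get the same response shape, so init does not reveal
    # whether an account exists.
    pending[hid] = (username, nonce, now + PENDING_TTL)
    return {"status": 200, "handshake_id": hid, "server_message": nonce}

def handle_auth_finish(hid, proof, now=None):
    """AuthFinish: consume the pending state once, then create the session."""
    now = time.time() if now is None else now
    entry = pending.pop(hid, None)  # single use, removed even if verify fails
    if entry is None or now > entry[2]:
        return {"status": 401}
    username, nonce, _ = entry
    if not verify_proof(username, nonce, proof):
        return {"status": 401}
    sid = secrets.token_urlsafe(32)
    sessions[sid] = username        # the session resource is created here only
    return {"status": 201, "session_id": sid}
```
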
