The main reason for REST's existence is resilience against network errors, to which end all operations should be idempotent.
The basic approach seems reasonable, but the way you describe the DepositAction creation does not sound idempotent, which should be fixed by having the client provide a unique ID that will be used to detect duplicate requests. So the creation would change to
PUT /card/{card-id}/account/{account-id}/Deposit/{action-id}
AmountToDeposit=100, different parameters...
If another PUT to the same URL is made with the same content as previously, the response should still be 201 Created if the content is the same and an error if the content is different. This allows the client to simply retransmit the request when it fails, since the client can't tell whether the request or response got lost.
It makes more sense to use PUT, because it just writes the resource and is idempotent, but using POST wouldn't really cause any problem either.
To look at the transaction details the client will GET the same URL, i.e.
GET /card/{card-id}/account/{account-id}/Deposit/{action-id}
and to undo it, it can DELETE it. But if it actually has anything to do with money, as the sample suggests, I would suggest PUTting it with an added "cancelled" flag instead, for accountability (so that there remains a trace of the created and cancelled transaction).
Now you need to choose a method of creating the unique id. You have several options:
- Issue a client-specific prefix earlier in the exchange that must be included.
- Add a special POST request to get a blank unique ID from the server. This request does not have to be idempotent (and can't, really), because unused IDs don't really cause any trouble.
- Simply use a UUID. Everybody uses them and nobody seems to have any problem with either the MAC-based ones or the random ones.
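The retransmission behaviour described in this answer, as an added example that is not part of the original answer: the client picks a UUID once and resends the identical PUT until a response arrives, and the server credits the account only once. `DepositService`, `deposit_with_retry` and `lossy` are hypothetical names, the storage is in-memory, and the choice of 409 for a mismatched body and 400 for malformed input is an assumption (the answer only says "error").

```python
import uuid

class DepositService:
    """In-memory stand-in for the server side (hypothetical, for illustration)."""
    def __init__(self):
        self.deposits = {}   # (card_id, account_id, action_id) -> stored body
        self.balance = {}    # (card_id, account_id) -> balance

    def put_deposit(self, card_id, account_id, action_id, body):
        """Handle PUT /card/{card-id}/account/{account-id}/Deposit/{action-id}."""
        try:
            uuid.UUID(action_id)                  # reject IDs that are not UUIDs
            amount = int(body["AmountToDeposit"])
        except (KeyError, TypeError, ValueError, AttributeError):
            return 400                            # assumed status for bad input
        if amount <= 0:
            return 400
        key = (card_id, account_id, action_id)
        stored = self.deposits.get(key)
        if stored is None:                        # first time this ID is seen
            self.deposits[key] = dict(body)
            acct = (card_id, account_id)
            self.balance[acct] = self.balance.get(acct, 0) + amount
            return 201
        # Retransmission: same content succeeds again, different content fails.
        return 201 if stored == body else 409     # 409 is an assumed error code

def deposit_with_retry(send, card_id, account_id, amount, max_attempts=5):
    """Client side: choose the ID once, then retransmit the identical request."""
    action_id = str(uuid.uuid4())
    body = {"AmountToDeposit": amount}
    for _ in range(max_attempts):
        try:
            return action_id, send(card_id, account_id, action_id, body)
        except ConnectionError:
            continue          # request or response lost, cannot tell which: resend
    raise ConnectionError("gave up after %d attempts" % max_attempts)

def lossy(service, drop_first_n_responses):
    """Constructed transport: the server processes the request, the reply is lost."""
    state = {"left": drop_first_n_responses}
    def send(card_id, account_id, action_id, body):
        status = service.put_deposit(card_id, account_id, action_id, body)
        if state["left"] > 0:
            state["left"] -= 1
            raise ConnectionError("response lost")
        return status
    return send
```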