See the question and my original answer on StackOverflow

I'm not sure how much it would look "canonical" to you, but you could have a serious look at OData (open data protocol):

OData is a standardized protocol for creating and consuming data APIs. OData builds on core protocols like HTTP and commonly accepted methodologies like REST. The result is a uniform way to expose full-featured data APIs.

Even if you don't implement it as is, there are ideas that could be reused.

Specifically, OData defines batch processing. It's used for executing multiple operations sent in a single HTTP request. So, with OData, you have two choices:

  1. use the GET + query string operation for queries that are not too long
  2. use a POST + multipart body operation for bigger things.

More on maximum uri length in an OData context: OData Url Length Limitations

Also, many security devices (routers, firewall, etc.) will simply not let your option 1, 2 and 3 go through. GET + Body is unusual, GET + a big form value may get killed, and a custom HTTP verb is also very unusual.

Overall, I think the POST + body seems the best choice (whether it's strictly multipart - like in OData - or not is up to you)