API Styles Deep Dive · 7 of 7

SOAP — XML, WSDL, and the Enterprise Stack

SOAP is a protocol from the late 1990s for exchanging XML messages over HTTP (or anything else). It's heavy by today's standards, but its strict contracts and built-in security made it the default in regulated industries — and you'll still meet it integrating with banks, payment networks, governments, telcos, and old SAP/Oracle systems. You don't choose SOAP; SOAP chooses you.

XMLWSDLWS-SecurityEnterpriseLegacy
← Back to APIs & Networking
Quick Facts

What SOAP Is

Basic Concepts

  • Origin: "Simple Object Access Protocol", Microsoft & IBM, late 1990s. W3C standard from 2003.
  • Envelope: every message is an XML <Envelope> with a <Header> (auth, addressing, transactions) and a <Body> (the actual payload or fault).
  • WSDL — Web Services Description Language: an XML file describing every operation, its inputs, outputs, and faults. The contract.
  • Tooling generates clients — point a code generator at the WSDL and you get typed stubs in Java, .NET, Python, etc.
  • WS-* spec stack: WS-Security (signing & encryption at the message level), WS-Addressing, WS-ReliableMessaging, WS-AtomicTransaction, and many more. Heavy, comprehensive, and rarely all needed at once.
  • Transport-agnostic: usually HTTP, but SOAP can ride SMTP, JMS, or message queues.
Why It Stuck

What SOAP Got Right

The Contract Comes First

WSDL is a strongly-typed, machine-readable contract. Generate clients in any language; the wire shape and types are guaranteed to match. This is the same idea gRPC and OpenAPI deliver today — SOAP did it 20 years earlier, just with a lot more XML.

Built-in Security at the Message Level

WS-Security signs and encrypts parts of the message (not just the transport), so a SOAP envelope can pass through intermediaries without losing its integrity guarantees. Banks, governments, and healthcare systems lean on this — the message is signed end-to-end regardless of how many hops it makes.

Reliable Messaging and Transactions

WS-ReliableMessaging delivers exactly-once even over flaky transports. WS-AtomicTransaction coordinates distributed transactions across SOAP services. Heavy machinery, but it's there if your industry's compliance requires it.

Why It Lost

Where SOAP Showed Its Age

XML Verbosity

The same payload that's 100 bytes of JSON is a kilobyte of XML with namespaces and envelopes. CPU cost to parse, network cost to ship, human cost to read — all higher.

Tooling-Heavy

You can't curl a SOAP service meaningfully. You parse a WSDL, generate stubs, compile, run. The "open a browser, hit the URL, see JSON" workflow doesn't exist. Productivity in modern IDEs depends on plugins; in scripting languages it's outright painful.

WS-* Sprawl

The standards stack tried to solve every distributed-systems problem at the protocol layer. The result was an enormous spec surface where no two implementations agreed on every corner. The pendulum swung to "do less at the protocol layer, push concerns to the app" — REST, then gRPC.

Browser-Hostile

SOAP doesn't fit the web. Calling a SOAP service from JavaScript is awkward; XML is verbose to construct; CORS and security headers were never designed with SOAP in mind. As browsers became the dominant API client, SOAP's relevance faded.

In the Wild

Where You'll Still Meet It

  • Banking and payment networks — SWIFT, FIX adjacency, card-network integrations, many ACH/SEPA gateways.
  • Insurance — claims, underwriting, and reinsurance protocols.
  • Telecom — provisioning, billing, and OSS/BSS systems built before 2010.
  • Government and healthcare integrations — eHealth interfaces, customs, tax filing endpoints, social-security systems.
  • SAP, Oracle, and old Microsoft BizTalk pipelines — enterprise SOA from the 2000s.
  • Shipping carriers' legacy APIs — FedEx, UPS, and DHL had SOAP for years; many have REST now but the SOAP surfaces still exist.
Pragmatics

How to Survive a SOAP Integration

  • Get the WSDL early. The contract is the integration. Generate clients with wsimport (Java), svcutil (.NET), zeep (Python), or node-soap.
  • Don't hand-write XML. The namespace and ordering rules are unforgiving. Let the generated client do it.
  • Read the partner's interpretation of WS-*. Specs allow ambiguity; partners pick interpretations. Their integration guide is more important than the spec.
  • Wrap it in an anti-corruption layer. Don't let SOAP types and exceptions leak into your domain. Translate at the boundary.
  • Log raw envelopes (with PII redacted). When something goes wrong, you'll need the actual XML, not a parsed object.
  • Test against their sandbox early — SOAP errors range from "missing namespace" to "wrong WS-Security policy" and they're hard to diagnose without the partner's logs.
Decision

When You Pick SOAP

You don't, anymore — for new APIs, REST or gRPC are the right call. SOAP comes up only when you're integrating with a partner who already speaks it. When that happens, accept the contract, generate the client, build a clean adapter, and don't fight the protocol.

Continue

Other API Styles

← REST ← GraphQL ← gRPC ← WebSockets ← Server-Sent Events ← Webhooks ↑ Back to APIs & Networking