Every few years someone announces that SOAP is finally dead, and every year I open another enterprise integration project and find it running the most important connection in the estate. SOAP does not trend on developer forums, it does not appear in tutorials aimed at weekend side projects, and no startup builds its first API with it. Yet when you look inside a bank, a telecom operator, a national government service bus or a large insurer, SOAP is very often the protocol carrying the transactions that absolutely cannot be lost, duplicated or tampered with. Understanding it is not nostalgia. It is a working requirement for anyone integrating with serious enterprise and legacy systems. This guide sits inside my broader enterprise system integration pillar, and it is the counterpart to the modern-web explanation in the REST API guide.
The message up front: SOAP is not a legacy mistake you are unlucky to inherit. It is a formal, contract-first messaging protocol that was designed for exactly the guarantees that regulated, high-value, machine-to-machine systems still need. You do not choose SOAP for a new mobile app. You keep and respect SOAP where formal contracts, message-level security and transactional reliability matter more than developer convenience. Knowing which situation you are in is the whole skill. For where SOAP fits in the wider integration picture, start with the integration pillar.
1. What SOAP is
SOAP stands for Simple Object Access Protocol, although the name is close to a historical accident and the "Simple" part has amused engineers for two decades. It is a messaging protocol standardised by the W3C for exchanging structured information between systems. The current specification is SOAP version 1.2, a W3C Recommendation, which superseded the widely deployed SOAP 1.1 note. At its core SOAP defines one thing very precisely: an XML message format, called the envelope, that wraps whatever data you are sending so that any compliant system on either end knows exactly how to read it.
The key idea that separates SOAP from the informal style of most web APIs is that SOAP is a protocol, not a convention. When people say REST, they usually mean an architectural style with a set of good habits around HTTP. SOAP is the opposite: a formally specified protocol with a mandatory message structure, a formal contract language, and a family of companion standards for security and reliability. Nothing about a SOAP message is left to taste. The envelope is defined, the fault format is defined, the way headers extend the protocol is defined. That rigidity is exactly why large organisations trusted it for the integrations that could not afford ambiguity.
It is also important to understand that SOAP is transport-independent in principle. Although the overwhelming majority of SOAP traffic rides on HTTP, the specification was deliberately written so that the same envelope could travel over other transports such as message queues or SMTP. The envelope is the constant; the transport underneath it is a detail. That design choice tells you a great deal about the mindset SOAP came from: it was built by and for enterprise middleware people who thought in terms of message-oriented systems, not in terms of the web browser.
2. The SOAP envelope and message structure
Every SOAP message is an XML document with one root element: the Envelope. Inside the Envelope there are two children, an optional Header and a mandatory Body. That is the entire top-level shape, and it never varies. The Header carries metadata and protocol extensions such as security tokens, addressing information, transaction context or routing hints. The Body carries the actual payload, meaning the operation being called and its parameters, or the response, or a Fault if something went wrong. This clean separation between the Header, which is about how the message should be handled, and the Body, which is what the message is about, is the structural heart of SOAP.
A concrete request makes the shape obvious. Read from the outside in: the Envelope declares the SOAP namespace, the Header carries a security token, and the Body names the operation and its parameters.
<soap:Header>
<wsse:Security> ... token ... </wsse:Security>
</soap:Header>
<soap:Body>
<GetAccountBalance>
<AccountId>100482</AccountId>
</GetAccountBalance>
</soap:Body>
</soap:Envelope>
Two details in that structure matter more than they look. First, the Header can carry a flag called mustUnderstand. When set, it tells the receiving system that if it does not understand a particular header block, it must reject the whole message rather than quietly ignore it. That is a deliberate safety mechanism: in a security or transaction header, silent ignorance is dangerous, so SOAP lets the sender demand comprehension. Second, errors are not returned as loose HTTP status codes and free text. They are returned as a structured Fault element inside the Body, with a defined code, a human-readable reason, and an optional detail section. Machine-readable, structured error handling is one of the quiet strengths that made SOAP dependable in automated pipelines.
3. WSDL and formal contracts
If the envelope is the message, the Web Services Description Language, or WSDL, is the contract. WSDL is an XML document, standardised by the W3C, that formally and completely describes a SOAP web service: every operation it offers, the exact structure of every input and output message, the data types involved, the faults that can be returned, and the network address where the service lives. It is a machine-readable specification of the entire interface, precise enough that tooling can consume it and generate working client code with no human interpretation in between.
This is the single feature that most sharply distinguishes the SOAP world from the typical REST world, and it is why serious enterprises kept using it. In a WSDL-driven integration, the contract exists as a formal artifact before a single line of integration code is written. Both sides agree on the WSDL, and from it their tools generate strongly typed stubs, so the client calls a service operation as if it were a local method and the tooling handles the serialisation into and out of the envelope. When the contract is that explicit, whole categories of integration bug simply cannot happen: field names cannot silently drift, types cannot be guessed wrong, optional and mandatory fields are declared, not discovered in production. For regulated integrations where the interface is negotiated between two organisations and then frozen, a formal contract is not bureaucracy, it is protection.
The insight: the WSDL contract is the real reason SOAP endured. A generation of developers rejected the XML verbosity and never noticed that they were also rejecting a guaranteed, machine-enforced interface contract. Modern REST has spent years rebuilding that idea from the outside in, through OpenAPI and schema specifications, precisely because a formal contract is genuinely valuable. SOAP simply had it built in from the start.
The trade-off is real and worth naming honestly. WSDL is verbose, the tooling can be heavy, and a change to the contract ripples through generated code on both sides, so evolution is deliberate and slow. That rigidity is a burden when you want to iterate fast, and a virtue when you never want the interface to move without both parties agreeing. Which of those you value tells you almost everything about whether SOAP suits your situation.
4. The WS-* standards: security, transactions, reliability
SOAP by itself is only the envelope, but it was designed to be extended through its Header, and around that extension point grew a large family of specifications collectively known as WS-* (pronounced "WS star"). These standards address the hard requirements of enterprise integration that a bare messaging format leaves open. You do not need all of them, and most integrations use only one or two, but knowing the important ones tells you what SOAP was really built to do.
- WS-Security: the most important of the family, standardised by OASIS. It defines how to secure the SOAP message itself, not merely the transport carrying it. That means signing and encrypting parts of the message, and attaching security tokens such as username tokens, X.509 certificates or SAML assertions inside the Header. The distinction from transport security is the whole point, and it is covered in the next section.
- WS-Addressing: puts addressing and routing information, such as the destination, reply-to and message identity, inside the message itself rather than relying on the transport. This lets a SOAP message be routed, correlated and replied to across intermediaries and asynchronous transports where the underlying HTTP connection is not enough.
- WS-ReliableMessaging: guarantees delivery semantics between sender and receiver, such as at-least-once, at-most-once and exactly-once delivery, with acknowledgements and retransmission. In systems that move payments or provisioning orders, "did this message actually arrive, exactly once" is not a nicety, it is a hard requirement.
- WS-AtomicTransaction and WS-Coordination: extend transactional semantics across service boundaries, so that a set of operations spanning multiple services can commit or roll back together. This is the distributed equivalent of a database transaction, and it exists for exactly the multi-system financial operations where partial completion is unacceptable.
The pattern across all of these is consistent: SOAP took the guarantees that enterprise middleware always needed, security at the message level, reliable delivery, distributed transactions, formal addressing, and standardised them so that products from different vendors could interoperate. That is an enormous amount of engineering that REST-style APIs generally push back onto the application developer to solve case by case. Whether you want that machinery or find it excessive depends entirely on whether your problem actually has those requirements.
5. SOAP over HTTP and other transports
In practice, the vast majority of SOAP you will meet travels over HTTP, using an HTTP POST to a single endpoint URL with the SOAP envelope as the request body. This is where a crucial distinction lives that trips up newcomers. Running SOAP over HTTPS gives you transport-level security: the connection between the two endpoints is encrypted, so nobody on the wire can read or tamper with the traffic in transit. But the moment the message arrives and the TLS connection terminates, that protection ends. If the message then passes through intermediaries, gateways or message queues before reaching its final destination, transport security protected only the first hop.
This is exactly the gap WS-Security fills. Message-level security, applied inside the SOAP Header, travels with the message itself. A digitally signed and encrypted SOAP body stays signed and encrypted through every intermediary, across every transport change, all the way to the endpoint that finally decrypts it. In a multi-hop enterprise topology, where a message might cross an enterprise service bus, a partner gateway and an internal broker before it lands, that end-to-end guarantee is the difference between real security and the illusion of it. HTTPS secures the pipe; WS-Security secures the letter inside the pipe. Serious financial and government integrations frequently need the second, which is why SOAP and message-level security appear together so often.
Because the envelope is transport-independent, the same SOAP message can also be carried over other transports where the situation demands it. SOAP over a message queue such as JMS or IBM MQ is common in asynchronous, guaranteed-delivery enterprise scenarios, where the queue provides durability and the SOAP envelope provides the standardised message structure and headers. This flexibility is a direct consequence of the design choice discussed earlier: by keeping the envelope separate from the transport, SOAP could serve both the synchronous request-response world of HTTP and the asynchronous, store-and-forward world of message-oriented middleware with the same message format.
6. SOAP versus REST at a glance
The comparison people reach for immediately is SOAP against REST, and it is worth doing carefully because the two are not really the same kind of thing. SOAP is a formal protocol; REST is an architectural style, usually expressed over HTTP with JSON. Comparing them is a little like comparing a legal contract to a good working relationship, and the right choice depends on how much formality your situation genuinely requires. The table below is the quick contrast I use to frame the decision, and there is a dedicated REST versus SOAP comparison for the deeper trade-offs.
| Dimension | SOAP | REST |
|---|---|---|
| What it is | A formal messaging protocol | An architectural style over HTTP |
| Message format | XML only, fixed envelope | Usually JSON, format flexible |
| Contract | WSDL, formal & machine-enforced | OpenAPI, optional & add-on |
| State | Stateful patterns supported | Stateless by principle |
| Security | Message-level via WS-Security | Transport-level via HTTPS/OAuth |
| Best for | Banking, telecom, formal B2B, legacy | Web, mobile, public APIs, fast iteration |
The honest reading of that table is that neither wins in the abstract. REST is the correct default for public, web and mobile APIs where speed of development, lightweight payloads and broad developer familiarity matter most. SOAP is the correct choice when the interface must be a formally negotiated contract, when security has to be enforced at the message rather than only the connection, and when reliability and transactional guarantees are non-negotiable. Most modern greenfield work should be REST. Most modern integration work still has to speak SOAP somewhere, because the systems of record on the other side were built when SOAP was the enterprise standard.
7. Where SOAP still wins
SOAP is not merely surviving through inertia. There are categories where its design still makes it the better fit, and recognising them keeps you from wasting effort trying to replace something that is doing its job.
- Banking and payments: core banking platforms, payment switches and inter-bank messaging place enormous weight on formal contracts, message-level security and exactly-once, transactional reliability. These are precisely the guarantees the WS-* stack was built to provide, and they are why SOAP remains deeply embedded in financial infrastructure.
- Telecom provisioning: operator support systems, number provisioning and inter-carrier interfaces were largely standardised in the SOAP era, and the interfaces are formal, long-lived and shared between organisations that will not casually agree to change them. WSDL contracts suit that environment perfectly.
- Government and regulated B2B: national gateways, tax and customs filing, healthcare clearing and other regulated exchanges frequently mandate SOAP with WS-Security, because the compliance requirement is specifically for signed, non-repudiable, contract-defined messages.
- Legacy enterprise systems: large ERP, insurance and utilities platforms exposed their integration surfaces as SOAP services years ago, and those services still run. Even Microsoft Dynamics 365 Business Central retains SOAP web services alongside its modern REST endpoints, as covered in the Business Central APIs and integrations guide.
- Formal enterprise contracts between organisations: whenever two separate companies must agree an interface, freeze it, and hold each other to it, a machine-enforced WSDL contract with defined faults and mandatory field types is genuinely valuable. It removes the ambiguity that informal APIs leave to trust and goodwill.
The common thread is formality and stakes. SOAP earns its place wherever the cost of an ambiguous interface, an unsecured message or a duplicated transaction is high enough that heavyweight guarantees are worth their overhead. That is not most public APIs, but it is a great deal of the plumbing that runs regulated industry.
8. Working with SOAP today
If you are integrating with a SOAP service now, the experience is more comfortable than its reputation suggests, precisely because the formal contract does so much for you. The normal workflow starts with the WSDL. You obtain the service's WSDL document, point your platform's tooling at it, and generate typed client code, called stubs or proxies, that expose each operation as a callable method. From there you populate the request objects, invoke the operation, and read a typed response, while the tooling handles serialising into and out of the envelope for you. Every major enterprise platform, whether .NET, Java, PHP with its SOAP extension, or an integration bus, has mature WSDL-driven tooling for exactly this.
A few practical realities are worth carrying into any SOAP integration. Namespaces matter and are a frequent source of errors, so match them exactly as the WSDL declares them. Faults are structured, so handle the Fault element properly rather than treating any non-success as an opaque failure; the code, reason and detail fields usually tell you precisely what went wrong. If the service requires WS-Security, get the token type, signing and encryption requirements confirmed early, because message-level security is where most SOAP integrations lose the most time. And when you are testing, tools that understand WSDL will let you explore and exercise the service before you write integration code, which shortens the loop considerably.
The honest caution: do not try to make a SOAP service behave like REST, and do not try to strip it down because the XML looks heavy. The verbosity is doing work. If a service demands a signed envelope with a specific security header and a mustUnderstand flag, that is a requirement, not decoration, and shortcutting it will fail in ways that are slow to diagnose. Meet the contract on its own terms. Equally, resist the urge to rip out a working SOAP integration purely to modernise the stack. Replacing a stable, contract-defined interface with a fashionable one is a large risk for little functional gain, and the systems on the other side rarely move on your schedule. For the broader view of when integration modernisation is worth it, see the system integration primer.
The pragmatic position I hold across integration projects is simple. Build new interfaces in REST unless a specific requirement points otherwise. Respect and maintain existing SOAP interfaces where they carry high-stakes, contract-defined traffic. And when a project spans both worlds, which most enterprise projects do, treat the integration layer itself as the place where SOAP and REST meet, translating cleanly between the formal contract on one side and the lightweight API on the other. That is exactly the boundary an integration specialist is paid to get right.
9. References
The standards discussed in this guide are real, named specifications maintained by recognised bodies. If you want the authoritative detail, go to the source rather than to secondary summaries:
- SOAP Version 1.2, a W3C Recommendation defining the messaging framework, the envelope, and the processing model. The earlier SOAP 1.1 remains a widely deployed W3C Note.
- Web Services Description Language (WSDL), the W3C specification for describing web service interfaces, operations, messages and bindings.
- WS-Security (Web Services Security), an OASIS standard defining message-level security for SOAP, including signing, encryption and security tokens such as X.509 and SAML.
- WS-Addressing, a W3C specification for transport-neutral addressing and message correlation.
- WS-ReliableMessaging and WS-AtomicTransaction / WS-Coordination, OASIS standards providing reliable delivery semantics and distributed transaction coordination across SOAP services.
Consult the current published versions from the W3C and OASIS directly, as these specifications are the definitive contract for any conforming implementation you will integrate against.
Final thoughts
SOAP is not the future of APIs, and it was never trying to be the future of the consumer web. It is a formal, contract-first, message-oriented protocol that was engineered for the guarantees regulated, high-value, machine-to-machine systems genuinely need: an explicit interface contract in WSDL, message-level security through WS-Security, and reliable, transactional delivery through the wider WS-* family. Those requirements did not disappear because JSON became popular. They simply moved to the parts of the industry that do not make the noise, the banks, the carriers, the government gateways and the enterprise systems of record.
For anyone doing serious enterprise integration, the practical stance is not to love SOAP or to hate it, but to read the situation correctly. When you are building an open, fast-moving, developer-facing API, reach for REST. When you are integrating with a system whose interface is a formally negotiated, security-hardened, contract-defined SOAP service, respect it, meet it on its own terms, and let the formality do the work it was designed to do. Knowing which of those you are looking at, and building the layer where they meet, is the difference between an integration that quietly works for a decade and one that keeps breaking in ways nobody expected.
Integrating with a SOAP or legacy enterprise service?
Independent advisory on SOAP and REST integration, WSDL contracts, WS-Security, and bridging legacy enterprise systems with modern APIs. 22+ years across ERP, EAM, CAFM and enterprise integration. No product margins, no reseller arrangements.
Book a conversationRelated reading: Enterprise system integration explained (pillar), REST API explained, REST versus SOAP compared, What is system integration, Business Central APIs and integrations.
Muhammad Abbas
CMMS / CAFM Manager & Enterprise Integration Specialist · 22+ years across ERP, EAM, CAFM and enterprise integration.
Work with me