X
Akamai to acquire LayerX to enforce AI usage control on any browser. Get details
Akamai
Log in
Log in Close
Cloud Manager
Manage your cloud computing services
Log in Close
Control Center
Manage your security and delivery services

What Is a SOAP API?

Simple Object Access Protocol, better known as SOAP, is a standards-based messaging protocol specification. Introduced in 1998, SOAP and a handful of other web standards became the foundation for a generation of enterprise technologies. SOAP APIs are especially handy when it’s necessary for a server and client to exchange data in a structured format, as SOAP messages are built in extensible markup language (XML).

Thinking about SOAP APIs brings to mind a middle school taunt along the lines of “The ’90s called. They want their pants back.” Revolutionary in its day, the technology can sometimes now feel dated. Yet, the Simple Object Access Protocol (SOAP) has exhibited more staying power than many of its detractors would like to admit. If you’re involved in enterprise architecture or application integration, it pays to know a bit about SOAP APIs — where they came from, what they do, where they can be effective, and the vulnerabilities they can potentially create.

What is SOAP?

SOAP is a standards-based messaging protocol specification. SOAP messages exchange structured information using XML as the message format. In a nutshell, a SOAP message is essentially an XML document that consists of four different elements:

  • SOAP envelope: establishes the XML document as a SOAP message
  • SOAP header: includes information on the header details
  • SOAP body: includes information on the SOAP requests and the responses
  • SOAP fault: includes information on any errors that occur

With SOAP, an application can invoke a web service, send or retrieve data, or issue a procedure call. A SOAP message travels using application-layer protocols like Hypertext Transport Protocol (HTTP), though it can also run on Simple Mail Transfer Protocol (SMTP), Java Message Service (JMS), and others.

Diagram illustrating how a web API works.

The history of SOAP

To understand the importance of the Simple Object Access Protocol (SOAP), it’s necessary to know what came before it and the problems its creators set out to solve. SOAP enables two or more applications, built in any language and running on any platform to exchange data and procedure calls across virtually any kind of network. This may not seem so special in 2022, but there was a time when the very idea of such interoperability would have seemed like science fiction.

Getting two or more computer systems to communicate and interoperate is a challenge that goes back at least to the early 1960s. And while many innovative developments made it incrementally easier to achieve this goal, by the 1990s, many industry insiders had reached the conclusion that a radical change was needed. Interfaces between applications were either custom-coded or built using cumbersome proprietary middleware products. Companies spent fortunes and person-years managing these fragile connections and buying connector sets.

The answer was for the major industry players to come together and agree upon a set of open standards for application integration, data exchange, and interoperation. By 1998, these standards had come into existence and were ratified by the Internet Engineering Task Force (IETF). In addition to SOAP, these so-called “web services standards” included Web Services Description Language (WSDL), which describes how a SOAP web service works, and Universal Description, Discovery, and Integration (UDDI), which is a format for a SOAP web service directory.

SOAP and its accompanying web services standards became the foundation for an entire generation of dominant enterprise technologies. The web services standards were the basis for the massive, entirely new Microsoft .NET framework, the Oracle PeopleSoft platform and portfolio, IBM’s WebSphere integration platform and portfolio, SAP NetWeaver, and others. They represented a profound revolution in software development, application integration, and enterprise architecture.

SOAP’s relationship to XML

SOAP messages are built in the Extensible Markup Language (XML). The SOAP standard specifies the XML schema used to create a SOAP message. This includes the “envelope” for the SOAP message, which defines the message structure and destination. The SOAP XML schema also includes encoding rules that represent data types, as well as a convention for representing procedure calls and responses.

When to use SOAP

SOAP is useful in a variety of situations. It is good when synchronous processing is occurring, perhaps coupled with the need to invoke certain APIs subsequently. SOAP APIs are handy when it’s necessary for a server and client to exchange data in a structured format. SOAP is also effective for the seamless processing of stateful operations, i.e., when an application needs to maintain the state from one request to another.

In some cases, there may be no choice but to use SOAP, e.g., when it’s the default integration protocol for a packaged application. There is also the likelihood that you’ll encounter a legacy and shadow SOAP API that was deployed by a former employee.

SOAP-supported transfer protocols

Transfer protocols are based upon the use of rules or instructions for data exchange over the internet. Currently, the protocol uses low-level protocols including IPv4 that simply transmits the packets to the other site. Some higher transfer layers like TCP assure data delivery. Finally, web browsers can use application-level protocols for communicating and storing data on servers without actually determining the connection itself. SOAP supports several transfer protocols, including specialized low-level ones. SOAP allows communication via TCP protocol — an intermediate-level data exchange system working via an internet network.

Advantages of SOAP

Despite the stigma that SOAP carries of being an outdated technology, its longevity and long track record of use would actually imply that the protocol is quite effective. Let’s take a look at a few of the notable benefits of using SOAP:

  • Compatible with all programming languages. Due to the fact that SOAP is rooted in the XML format, it is interoperable with all programming languages and provides a standardized way of exchanging data between different software systems. This means that developers can create applications that can access data from different sources.

  • Perfect solution for working with multiple extensions. With WSDL, for example, a developer gets the information they need to develop and implement a SOAP API with relative ease. SOAP’s multiple extensions, like WS Addressing, WS Security, and WS Federation, are also helpful as pre-built app components.

  • A way to exchange data in a secure and reliable manner. While both SOAP and REST APIs can utilize HTTPS (SSL/TLS) for encryption, SOAP has additional built-in security features through WS-Security standards. These features provide advanced security capabilities beyond transport-layer encryption, such as message-level security, encryption, and digital signatures.

Disadvantages of SOAP

On the downside, SOAP has shown some pretty clear weaknesses when compared to some of the newer-generation protocols. Let’s review some of the key disadvantages of using SOAP vs. protocols like REST or GraphQL:

  • SOAP is comparatively complex and time-consuming. The SOAP syntax tends to be challenging compared to its RESTful alternative. Performance can be an issue because parsing XML data can be CPU- and memory intensive.

  • “Language-agnostic” format comes with strings attached. And while SOAP is theoretically vendor-neutral, implementing it often involves committing to a stack, such as Microsoft, which not everyone wants to do.

SOAP creates some exposure to cyber risk as well. SOAP API cybersecurity vulnerabilities include denial-of-service (DoS) attacks, ‍XML injection, ‍SQL injection, command injection, and more. SOAP is also vulnerable to spoofing and man-in-the-middle (MITM) attacks. Web service security tools can mitigate many of these risks.

SOAP vs. REST APIs

Use of SOAP and the web services standards has been in decline since the emergence of Representational State Transfer (REST) as the primary basis for APIs, data exchange, and web application integration. There’s an idea that REST “replaced” SOAP. This is true, in a limited way, but it’s worth noting the differences between the two.

  • SOAP is a protocol, in contrast to REST, which is an architectural style
  • SOAP uses web services to expose functionality to clients, versus REST, which relies on URLs to access components of a REST service
  • SOAP requires more bandwidth than REST
  • SOAP works exclusively with XML formats, versus REST, which can work with XML, plain text, XML, Hypertext Markup Language (HTML), and JavaScript Object Notation (JSON)
  • SOAP cannot use REST, but REST can use SOAP

SOAP vs. GraphQL

SOAP and GraphQL are two different protocols that are used to communicate with web services. They both have their own advantages and disadvantages, but they are both widely used today. SOAP is a request-response protocol that uses XML for the request and response.

GraphQL, on the other hand, has been gaining popularity over the years because it offers more flexibility than SOAP. One of the most notable advantages is that it provides a way to query data from multiple sources without having to use multiple APIs. It also allows for better performance because it doesn’t require XML parsing or serialization.

SOAP WS-Security

SOAP integrates the WS-Security functionality. Using these protocols, we can determine security measures in transactions and provide privacy guidelines for data integrity in a transactional environment. A further advantage is that it supports encrypted and cryptography signed documents. WS-Security allows your message to not just have HTTPS encryption but also have authentication data in a message. It must also ensure that the data whose transits outside the HTTPS protocol are retrieved only by the correct processing on that server and not by the correct server itself.

REST Security

The REST API only supports HTTP security methods. If applications send messages using an HTTPS connection, then this message can only be secured by HTTPS communication. This means that the message is encrypted only at the time of transport from customer to services. It works well for public websites. Because REST APIs don’t feature security capabilities and extension capabilities as SOAP APIs do, security depends upon the API’s own architectures. A REST API can have a specific security mechanism that allows only authenticated users to access it.

Frequently Asked Questions

SOAP is an XML-based format used for exchanging information in web service interactions. Simple Object Access Protocol (SOAP) APIs offer several essential features not found in other APIs. For starters, SOAP APIs are language and platform-independent, meaning they can use various transport protocols, including HTTP and HTTPS, unlike REST APIs, which often rely on HTTPS.

SOAP APIs are also highly secure, which makes them ideal for financial institutions and other organizations that deal with sensitive data. You can use SOAP APIs with or without a security platform. Built-in error handling means you can quickly determine the cause of any problems you may encounter with SOAP APIs, which many businesses value.

SOAP is one of the earliest APIs, with the first iteration appearing as XML-RPC in 1998. However, even though SOAP APIs have been around for a long time, they’re still used in certain situations today. For example, the enhanced security of SOAP APIs makes it easier to follow an API security checklist to ensure a secure SDLC management process.

REST or RESTful APIs have become the most popular choice for APIs in recent years because of their simplicity and scalability. You can still use SOAP APIs, but REST APIs may be better for your business, depending on your security needs.

There are several ways to create a SOAP API. If you’re using a specific API management tool, you can find a guide for creating a SOAP API with that software. You can also use the Python programming language to make SOAP API calls.

There’s no single best method for creating SOAP APIs. But no matter how you create your API, following API security best practices is crucial. You can use API security testing to ensure your SOAP API is secure and working correctly.

Banks and web services, like PayPal and UPS, often use SOAP APIs because they’re highly secure and reliable, which helps protect sensitive data. SOAP APIs have robust security features, making them an ideal choice for businesses that prioritize data integrity and confidentiality. These SOAP API examples showcase its application in industries where enhanced security is crucial.

Why customers choose Akamai

Akamai is the cybersecurity and cloud computing company that powers and protects business online. Our market-leading security solutions, superior threat intelligence, and global operations team provide defense in depth to safeguard enterprise data and applications everywhere. Akamai’s full-stack cloud computing solutions deliver performance and affordability on the world’s most distributed platform. Global enterprises trust Akamai to provide the industry-leading reliability, scale, and expertise they need to grow their business with confidence.

Related Blog Posts

Attackers do not need to start by asking for secrets.
Attackers do not need to start by asking for secrets.
AI Reconnaissance: The Missing Layer in Chatbot Security
Read how Akamai threat researchers uncovered how attackers use benign-looking questions for AI reconnaissance, and why dynamic runtime guardrails are critical.
Read more
Your DNS is a gold mine of exploitable misconfigurations.
Your DNS is a gold mine of exploitable misconfigurations.
DNS Is Your Most Critical — and Most Misconfigured — Security Control
DNS has evolved from a basic networking utility into a critical security control layer. Learn about the DNS misconfigurations that today’s attackers actively exploit.
Read more
Using real-time intelligence, Akamai stops machine-speed attacks before they reach the core cloud.
Using real-time intelligence, Akamai stops machine-speed attacks before they reach the core cloud.
How Akamai Defended an Indian Bank Against Record-Breaking DDoS Attacks
Learn how Akamai successfully neutralized one of the largest DDoS attacks ever recorded in the Indian banking sector before a single customer was impacted.
Read more

Explore all Akamai Security Solutions

Start your free trial and see what a difference having the world’s largest and most trusted cloud delivery platform can make.

Take me there