If you build APIs today, chances are your default stack looks like REST plus JSON. It’s fast to implement, easy to test, and friendly to browsers and mobile apps. Because of that, XML is often treated as a relic—something you only meet when integrating with an older enterprise system.
But the reality is more nuanced. XML is still very relevant for APIs, just not always in the same places where JSON dominates. SOAP-based services continue to run critical workloads in finance, telecom, healthcare, and government. XML also powers contracts, schemas, document formats, and message-level features that many modern teams still need.
This article breaks down what SOAP and REST really are, how XML fits into the picture, and how to decide which approach makes sense for your API based on practical requirements—contracts, security, performance, tooling, and long-term maintainability.
SOAP vs REST: First, Let’s Clarify What We’re Comparing
A common confusion is comparing SOAP and REST as if they were direct equivalents. They are not.
- SOAP is a protocol for structured message exchange. It defines how messages are formatted (XML), how errors are represented (Faults), and how metadata can travel with the message (Headers).
- REST is an architectural style. It describes principles for building web APIs around resources and standard HTTP semantics (GET, POST, PUT, DELETE), often using JSON, but not necessarily.
That difference matters: SOAP comes with a formal messaging framework, while REST is more of a design approach. In practice, REST is often paired with JSON because it is lightweight and matches modern web development. SOAP is paired with XML because the SOAP specification is built around XML.
How XML Fits Into SOAP
SOAP messages are XML documents with a standardized structure. Whether you are calling “GetCustomerDetails” or “SubmitPayment,” the message is wrapped in a consistent envelope so that any SOAP-aware system knows how to interpret it.
A SOAP message typically includes:
- Envelope (required): the root container that declares the message as SOAP.
- Header (optional): metadata such as security tokens, routing information, transaction IDs, policies.
- Body (required): the business payload (request/response).
- Fault (optional): standardized error structure.
This structure is one reason SOAP is popular in large organizations. It separates “business data” from “control metadata” in a consistent way that can be processed across layers such as gateways, security systems, and intermediaries.
Does REST Require JSON? No. But It Usually Uses It.
REST does not require JSON. A REST API can use XML, plain text, HTML, CSV, or even binary formats. What defines REST is the resource-based design and the use of HTTP semantics.
However, JSON became the default for REST APIs because it is:
- compact (smaller payloads than XML),
- easy to parse in JavaScript,
- friendly to frontend development,
- simple to debug and test.
Many frameworks support content negotiation through HTTP headers:
Content-Type: what format the request body is inAccept: what format the client wants in the response
So yes, REST can use XML—but most modern REST APIs don’t, because the main advantages of REST are often paired with developer experience, fast iteration, and JSON-first clients.
Messaging vs Resources: The Core Philosophical Difference
SOAP is message-based. You send a message that describes an operation, and the service responds with a message. The emphasis is on the message structure and the contract.
REST is resource-based. You interact with resources (users, orders, files) via standard HTTP methods. The emphasis is on a uniform interface, cacheability, and predictable semantics.
This difference is why SOAP services often look like “remote procedure calls” (RPC), while REST services tend to look like “resource manipulation.” In practice, both patterns can be implemented well or poorly, but the design starting point is different.
SOAP vs REST: A Practical Comparison
| Aspect | SOAP | REST |
|---|---|---|
| Nature | Protocol | Architectural style |
| Default format | XML | JSON (commonly) |
| Contract approach | WSDL + XSD (strong contract) | OpenAPI + conventions (varies by team) |
| Error handling | SOAP Faults | HTTP status codes + response body |
| Metadata support | Headers with standardized patterns | Headers + custom conventions |
| Typical use | Enterprise integration, regulated industries | Public APIs, web/mobile apps, microservices |
If you read this table and think “REST looks easier,” you’re not wrong. The real question is what your system needs: strict contracts and enterprise features, or agility and simplicity.
Contracts and Validation: XSD vs OpenAPI
One of the biggest reasons XML remains relevant is schema validation. SOAP ecosystems often rely on XSD (XML Schema Definition) to formally define message structures and data types.
This is not just documentation. XSD can be used for strict validation at runtime, making it easier to reject invalid messages before they reach business logic. This reduces integration ambiguity and improves reliability when multiple parties are involved.
REST commonly uses OpenAPI (Swagger) to describe endpoints, request bodies, and responses. OpenAPI is extremely useful, but teams vary in how strictly they enforce it. Some organizations validate requests against OpenAPI schemas; others treat it primarily as documentation.
This difference leads to a practical pattern:
- SOAP often enforces the contract by default through tooling and schemas.
- REST can enforce contracts, but it requires disciplined practices and consistent validation strategy.
Security: Message-Level vs Transport-Level Thinking
Security is often where SOAP’s design philosophy becomes most visible. SOAP is frequently paired with standards that support message-level security—meaning the message itself can carry security data, signatures, and encryption features in a structured way.
REST APIs typically rely on transport-level security (HTTPS) plus token-based authentication (OAuth, JWT, API keys). This works extremely well for most modern web use cases.
So why do some organizations still prefer SOAP security models? Because message-level security can matter when:
- messages pass through multiple intermediaries,
- parts of a message must be signed or encrypted independently,
- auditability and compliance require strict message integrity,
- systems are integrated across organizational boundaries with formal governance.
That doesn’t mean REST cannot be secure. It can be highly secure. But SOAP’s XML-centric standards were designed for environments where security requirements are more formal and layered.
Performance and Payload Size: The XML Tradeoff
XML is often criticized for being verbose. That’s true: XML typically produces larger payloads than JSON for equivalent data. Larger payloads can increase bandwidth usage and latency, especially on mobile networks or high-volume public APIs.
XML parsing can also be heavier than JSON parsing in many environments. That said, performance depends on context. For example:
- For small payloads, performance differences may be negligible.
- For large payloads, streaming XML parsers (SAX/StAX) can process data efficiently without loading the entire document into memory.
- For systems where the business logic is expensive (payments, fraud checks, complex workflows), parsing overhead may not be the main bottleneck.
| Factor | SOAP/XML | REST/JSON |
|---|---|---|
| Payload size | Usually larger | Usually smaller |
| Parsing overhead | Often higher | Often lower |
| Streaming support | Strong (SAX/StAX patterns) | Possible, but less standardized |
| Best for public web/mobile | Less common | Very common |
In short: if your priority is lightweight, fast-moving APIs for web and mobile, JSON wins. If your priority is formal contracts and enterprise messaging, XML can still be the better fit.
Tooling and Developer Experience
A major reason REST became so popular is developer experience. You can open Postman, send JSON, and iterate quickly. Documentation is often generated from OpenAPI, and onboarding new developers can be smooth.
SOAP development often relies on WSDL-driven tooling. Many platforms can generate client libraries from WSDL and schemas, which is powerful in contract-heavy environments. But it can also feel more rigid, especially when you want to experiment quickly.
Here’s the tradeoff:
- SOAP tooling can reduce integration errors by enforcing strict message shapes.
- REST tooling can accelerate iteration and improve accessibility for frontend and mobile teams.
In mature organizations, both approaches can be “easy,” because the ecosystem and standards are already in place. In smaller teams or startups, REST is typically easier to adopt.
When XML Is Still the Right Choice for APIs
XML remains relevant when your API is part of an environment that values stability, contracts, and standardized messaging features. Typical scenarios include:
- B2B enterprise integration: multiple organizations need a formal contract and predictable compatibility.
- Regulated industries: compliance, auditability, and strict schemas matter.
- Legacy system interoperability: existing SOAP infrastructure is stable and mission-critical.
- Complex workflows: operations that benefit from message-level metadata and standardized fault handling.
- Long-lived APIs: where “breaking changes” are extremely expensive.
In these environments, XML is not used because teams are behind the times. It’s used because XML, schemas, and SOAP standards provide a dependable integration framework.
When REST Is Clearly a Better Fit
REST (usually with JSON) tends to be the best fit when your API needs to be:
- easy to consume from browsers and mobile apps,
- fast to iterate and evolve,
- simple to test and debug,
- lightweight for high-traffic public usage,
- aligned with modern API ecosystems and tooling.
If your API is public or primarily frontend-driven, JSON-based REST is usually the practical default.
So, Is XML Still Relevant for APIs?
Yes—but selectively. XML is no longer the default format for modern web APIs, yet it remains critical in enterprise API ecosystems and document-centric workflows. SOAP-based APIs still power many high-stakes systems, and XML schemas remain a strong solution for contract validation.
A more accurate question than “Is XML relevant?” is: “Where does XML provide unique value?” The answer is: environments that need formal contracts, schema validation, metadata-rich messaging, and standardized enterprise features.
A Simple Decision Framework
If you need a quick decision framework, ask:
- Do we need strict schema validation and a formal contract? (If yes, XML/SOAP may be beneficial.)
- Is this API public and consumed by web/mobile clients? (If yes, REST/JSON is usually best.)
- Do we rely on enterprise standards for security, policy, or governance? (SOAP ecosystems often fit.)
- How long must this API remain compatible without breaking changes? (Contract-first approaches help.)
- What does our organization already use successfully? (Ecosystem fit matters.)
Conclusion
SOAP and REST reflect different priorities. REST excels in modern web development because it is simple, flexible, and pairs naturally with JSON. SOAP remains valuable where strict contracts, schema validation, formal governance, and standardized messaging features are required—and XML is central to that value.
XML is not “dead.” It’s just no longer the default format for every API. If you work with enterprise integrations, regulated industries, or long-lived systems, XML remains a practical and important tool. If you build public web and mobile APIs, JSON-based REST will likely stay your primary choice.