REST vs GraphQL vs SOAP: A Practical Side-by-Side for 2026
The same operation in three protocols. Pick the right one for the job — and test it right.
The same operation, three protocols
The most illustrative way to compare REST, GraphQL, and SOAP is to do the same thing in all three: get user with id = 1.
REST
/api/v1/users/1curl -X GET 'https://demo.totalshiftleft.ai/api/v1/users/1'GET /api/v1/users/1
→ 200 OK
→ { "id": "1", "name": "Alice", "email": "alice@example.com", "role": "user" }
GraphQL
/graphqlcurl -X POST 'https://demo.totalshiftleft.ai/graphql' \
-H 'Content-Type: application/json' \
-d '{"query":"{ user(id: \"1\") { id name email } }"}'POST /graphql
Body: { "query": "{ user(id: \"1\") { id name email } }" }
→ 200 OK
→ { "data": { "user": { "id": "1", "name": "Alice", "email": "alice@example.com" } } }
SOAP
/soapcurl -X POST 'https://demo.totalshiftleft.ai/soap' \
-H 'Content-Type: application/json' \
-d '"<?xml version=\"1.0\"?><soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\"><soap:Body><GetUser xmlns=\"http://demo.totalshiftleft.ai/users\"><Id>1</Id></GetUser></soap:Body></soap:Envelope>"'POST /soap
Body: <soap:Envelope>...<GetUser><Id>1</Id></GetUser>...</soap:Envelope>
→ 200 OK
→ <soap:Envelope>...<GetUserResponse><User>...</User></GetUserResponse>...</soap:Envelope>
Same result. Radically different mechanics.
Side-by-side comparison
| REST | GraphQL | SOAP | |
|---|---|---|---|
| Year | ~2000 | 2012 (FB), 2015 (OSS) | 1998 |
| Format | Usually JSON | JSON (query is GraphQL) | XML |
| Endpoint model | Many (per resource) | One (/graphql) | One (per service) |
| Methods | GET/POST/PUT/PATCH/DELETE | POST only | POST only |
| Contract | OpenAPI (optional) | SDL schema (required) | WSDL (required) |
| Contract strictness | Conventional | Enforced by server | Enforced end-to-end |
| Over/under-fetching | Common | Solved by design | Common |
| Caching | HTTP-native on GETs | Custom (Apollo/Relay) | Custom |
| Versioning | URL or header | Deprecation fields | Namespace version |
| Error reporting | HTTP status + body | 200 + errors array | HTTP 500 + SOAP Fault |
| Browser-friendly | Yes | Yes | Painful |
| Binary data | Native (binary bodies) | Workarounds | Native (MTOM) |
| Real-time | No (use WS/SSE) | Subscriptions (via WS) | WS-* extensions |
| Typical industries | Web, mobile, public | Modern SaaS, large orgs | Banking, gov, legacy enterprise |
| Tooling maturity | Excellent | Excellent | Mature but heavy |
| Learning curve | Low | Medium | High |
When REST is the right choice
Pick REST when:
- Your API is resource-oriented (users, orders, products).
- Most clients want the full resource, not a slice.
- HTTP caching matters (public content, CDNs).
- You want the lowest possible learning curve for consumers.
- You're building a simple CRUD backend for a single known client.
REST's sweet spot: 80% of APIs. It's the default for good reason.
When GraphQL is the right choice
Pick GraphQL when:
- You have many clients (web + iOS + Android + smart TV) and each needs different fields.
- Your data has many relationships and clients want to traverse them in one query.
- You want a single typed contract shared between frontend and backend.
- You're aggregating data from multiple microservices into one API surface.
- You can invest in GraphQL-specific infra (DataLoaders, query analysis, N+1 detection).
GraphQL's sweet spot: large product organizations with multiple frontends and complex data. Overkill for small CRUD apps.
When SOAP is the right choice
Pick SOAP when (or realize you don't get a choice):
- You're integrating with a bank, insurance core system, government service, or legacy enterprise platform.
- You need WS-Security, WS-ReliableMessaging, or other formal standards your compliance team requires.
- You're extending an existing SOAP ecosystem and consistency matters more than modernization.
SOAP's sweet spot in 2026 is narrow but deep: regulated industries where the cost of replacement outweighs the cost of maintenance.
Testing differences in one table
| Test concern | REST | GraphQL | SOAP |
|---|---|---|---|
| Status code | Primary signal | Mostly useless (check errors array) | 500 often = fault, not broken |
| Shape assertion | JSON path | JSON path on data | XPath |
| Schema validation | OpenAPI (optional) | Schema (strong) | XSD (strict) |
| Contract drift | Manual or via tool | graphql-inspector | WSDL diff |
| Negative cases | 400/401/403/404/409/422 | errors[].extensions.code | SOAP Fault detail |
| Performance bug | Slow endpoints | N+1 resolvers | Large envelope parsing |
| Test data volume | Small JSON | Small JSON | Large XML envelopes |
The practical takeaway: testing patterns don't transfer. A REST-only tester walking into a GraphQL project will miss schema drift, N+1 bugs, and error-array checks. A REST-only tester walking into a SOAP project will write XPath wrong for a week.
How ShiftLeft handles all three
ShiftLeft treats protocol as a generator input: you point it at an OpenAPI spec, a GraphQL schema, or a WSDL, and it produces appropriate test cases for that protocol's semantics — HTTP-status assertions for REST, error-array checks for GraphQL, fault-detail checks for SOAP. The test execution engine normalizes results so a failing test looks the same in the report whether it hit a REST, GraphQL, or SOAP endpoint.
The learning-center sandbox exposes all three protocols against the same underlying data, which is deliberate: you can run the same test idea through all three and see how the implementation differs.
A migration decision tree
Thinking about migrating? A rough guide:
- SOAP → REST: common, pays off if the legacy system isn't deeply entangled in WS-*. Budget 3–6 months per service, plus client updates.
- SOAP → GraphQL: rare, only makes sense if you're rebuilding the client tier too.
- REST → GraphQL: common in large orgs with many clients. Usually ends up with both running in parallel for years.
- GraphQL → REST: rare, usually means the GraphQL complexity wasn't justified by the use case.
- Any → WebSocket: not a migration — WebSockets are additive for real-time features.
Summary
- REST: default for 80% of APIs. Simple, cacheable, ubiquitous.
- GraphQL: great for multi-client, relationship-heavy data. Demands discipline.
- SOAP: alive in regulated industries. Strict contracts, verbose, still worth knowing.
None is dead, none is strictly better. The right protocol is the one that fits the constraints of the system you're building.
What's next
Protocols done. Next cluster: authentication — how APIs know who you are, and how to test auth without creating holes.
Related lessons
REST is the default API style on the web. Here's what it actually means — stripped of jargon and with runnable examples.
GraphQL lets the client decide what data to fetch. Here's how it works and when it beats REST.
SOAP isn't dead — it runs banks, insurance, and government. Here's how it actually works.
Read more on the blog
Master API testing with this complete guide covering strategies, tools, security testing, automation, and best practices for modern development teams in 2026.
A vendor-by-vendor comparison of the 10 leading API test automation tools in 2025 — Postman, ReadyAPI, Katalon, REST Assured, Karate, Apidog, Schemathesis, Bruno, Tricentis, and shift-left AI-first platforms — with decision criteria, market positioning, and why spec-driven shift-left wins at CI/CD scale.