REST vs GraphQL vs SOAP — Pick Once, Live With It for Years
You can ship any product with any of the three. The question is what you trade for what. Here is a decision guide written by people who have shipped all three in production.
The one-line summary
- REST — the boring, correct default for 80% of public APIs.
- GraphQL — wins when one client needs many shapes of the same data graph.
- SOAP — non-negotiable when integrating with banks, insurers, governments or B2B suites.
Decision matrix
| Concern | REST | GraphQL | SOAP |
|---|---|---|---|
| Caching (HTTP-native) | Excellent | Hard (POST-only) | Hard |
| Over-fetching avoidance | Manual (sparse fieldsets) | Built-in | Operation-shaped |
| Tooling ubiquity | Universal | Strong | Strong (in enterprise) |
| Contract enforcement | OpenAPI (by convention) | Schema (built-in) | WSDL (machine-checked) |
| Mobile latency on slow networks | Many round trips | One request | Heavy XML |
| File uploads | Easy | Awkward (multipart) | MTOM (workable) |
| Public consumer DX | Best | Good | Painful |
| Enterprise integration suites | OK | Rare | Native |
How to choose
- Public API consumed by unknown clients? → REST with OpenAPI.
- One mobile app, one website, both consuming the same complex graph? → GraphQL.
- You're being told to integrate with an existing WSDL? → SOAP. Don't fight it.
- Internal microservices? → gRPC usually beats all three.
The dirty secret
Most production systems use two or three. REST for the public API, GraphQL for the app's BFF, SOAP for the legacy partner integration. Pick per surface, not per company.
Try the same data behind all three
The TotalShiftLeft sandbox exposes the same users / products / orders model behind all three protocols. Run identical scenarios and compare the wire-level shapes:
- REST API — JSON over HTTP, full CRUD
- GraphQL API — same data, queries you shape
- SOAP API — WSDL + 14 operations
Frequently asked questions
What about gRPC?
For internal service-to-service it usually beats all three on performance and contracts. We did not include it because the question was specifically REST/GraphQL/SOAP.
Can a single backend serve all three?
Yes — that is exactly what this sandbox does. One data store, three protocol fronts.
Other free public APIs in this sandbox
Open the live sandbox — REST, GraphQL, SOAP and auth in one place. No signup, no API key.
Open the API Sandbox →Topics: REST vs GraphQL vs SOAP · when to use REST/GraphQL/SOAP · API protocol comparison · GraphQL vs REST · SOAP vs REST