WS-Security provides a framework for securing SOAP messages based on XML Encryption, XML Signature and the notion of security tokens. XML Encryption provides confidentiality protection for selected portions of a SOAP envelope, and XML Signature provides integrity protection for selected portions. Both operate on referenced elements rather than on the envelope as a whole, so a receiver must check that the elements it acts on are the ones actually covered; anything outside the encrypted or signed portions carries no guarantee at all. Security tokens typically convey some notion of identity along with information about the keys used to perform the cryptographic operations. Multiple security tokens can appear in one message, allowing different portions of the SOAP envelope to be secured for different intermediaries. Examples of security tokens include X.509 certificates, Kerberos tickets and Username tokens. WS-Security specifies how security tokens are placed in SOAP messages and how encrypted or signed data refers to them, but it does not define how security tokens are acquired; that can be done programmatically, or by calling a token-issuing service as specified by WS-Trust.
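The simplest of the tokens listed above is the Username token. The following is an added example, not code from the original page: it builds a SOAP envelope whose wsse:Security header carries a UsernameToken in PasswordDigest form (the WSS UsernameToken Profile 1.0 rule, PasswordDigest = Base64(SHA-1(nonce || created || password))), and the receiver side that recomputes the digest and rejects stale or replayed tokens. The user "alice", her password, the Ping body and the fixed nonce and timestamps used in demo() are all constructed for the example.

```python
"""WS-Security UsernameToken with PasswordDigest: sender and receiver side.
Added example, not code from the original page. Follows the WSS UsernameToken
Profile 1.0 rule  PasswordDigest = Base64(SHA-1(nonce || created || password))
where nonce is the raw nonce bytes and created/password are UTF-8 text.
The user, password, body and fixed nonces/timestamps are constructed for the demo."""
import base64
import datetime as dt
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
B64_ENC = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
for prefix, uri in (("soapenv", SOAP), ("wsse", WSSE), ("wsu", WSU)):
    ET.register_namespace(prefix, uri)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    return base64.b64encode(
        hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()


def build_envelope(username, password, body_xml, nonce=None, created=None) -> str:
    """Sender: wrap body_xml in an Envelope whose Security header carries a UsernameToken."""
    nonce = nonce or os.urandom(16)
    created = created or dt.datetime.now(dt.timezone.utc).strftime(TS_FMT)
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    sec = ET.SubElement(header, f"{{{WSSE}}}Security", {f"{{{SOAP}}}mustUnderstand": "1"})
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken", {f"{{{WSU}}}Id": "UsernameToken-1"})
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    ET.SubElement(tok, f"{{{WSSE}}}Password", {"Type": DIGEST_TYPE}).text = password_digest(nonce, created, password)
    ET.SubElement(tok, f"{{{WSSE}}}Nonce", {"EncodingType": B64_ENC}).text = base64.b64encode(nonce).decode()
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    ET.SubElement(env, f"{{{SOAP}}}Body").append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="unicode")


class UsernameTokenVerifier:
    """Receiver: recompute the digest and reject unknown users, stale Created values
    and replayed nonces. In production the nonce set must be bounded by max_age."""

    def __init__(self, passwords: dict, max_age_s: int = 300):
        self.passwords = passwords
        self.max_age = dt.timedelta(seconds=max_age_s)
        self.seen_nonces = set()

    def verify(self, envelope_xml: str, now=None) -> str:
        now = now or dt.datetime.now(dt.timezone.utc)
        root = ET.fromstring(envelope_xml)
        tok = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
        if tok is None:
            raise ValueError("no UsernameToken")
        username = tok.findtext(f"{{{WSSE}}}Username")
        pw = tok.find(f"{{{WSSE}}}Password")
        if pw is None or pw.get("Type") != DIGEST_TYPE:
            raise ValueError("only PasswordDigest is accepted")  # never fall back to PasswordText
        if username not in self.passwords:
            raise ValueError("unknown user")
        nonce = base64.b64decode(tok.findtext(f"{{{WSSE}}}Nonce") or "")
        created = tok.findtext(f"{{{WSU}}}Created") or ""
        created_at = dt.datetime.strptime(created, TS_FMT).replace(tzinfo=dt.timezone.utc)
        if abs(now - created_at) > self.max_age:
            raise ValueError("Created outside freshness window")
        if nonce in self.seen_nonces:
            raise ValueError("nonce replayed")
        expected = password_digest(nonce, created, self.passwords[username])
        if not hmac.compare_digest(expected, pw.text or ""):
            raise ValueError("bad digest")
        self.seen_nonces.add(nonce)
        return username


def demo():
    """Fixed nonce and clock so the outcome is deterministic: accept, then replay, then bad password."""
    now = dt.datetime(2024, 1, 1, 0, 1, 0, tzinfo=dt.timezone.utc)
    verifier = UsernameTokenVerifier({"alice": "s3cret"})
    good = build_envelope("alice", "s3cret", "<Ping xmlns='urn:example:demo'/>",
                          nonce=b"\x01" * 16, created="2024-01-01T00:00:00Z")
    bad = build_envelope("alice", "wrong", "<Ping xmlns='urn:example:demo'/>",
                         nonce=b"\x02" * 16, created="2024-01-01T00:00:00Z")
    results = [verifier.verify(good, now)]
    for env in (good, bad):
        try:
            verifier.verify(env, now)
        except ValueError as e:
            results.append(str(e))
    return results


if __name__ == "__main__":
    print(demo())  # ['alice', 'nonce replayed', 'bad digest']
```

The digest form only proves knowledge of the password to a receiver that already holds it in a recoverable form, and a UsernameToken on its own gives no integrity protection to the rest of the message; in practice it is combined with transport security or with a signature as in the WS-Trust exchange below the next paragraph.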
WS-Trust builds on the framework provided by WS-Security, defining SOAP-based mechanisms for brokering trust relationships and for requesting and returning security tokens. While the specification has a myriad of options, the core premise is straightforward: a requester asks a Security Token Service (STS) to return a security token with particular characteristics (its type, the service it applies to, and so on). The request is itself based on some existing security token that both the requester and the STS already know about. In practice this usually means that the request is signed by the requester with a key bound to that token, so the STS can verify who is asking before it issues anything.
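The exchange described above, as an added example that is not part of the original page: a requester builds a RequestSecurityToken (RequestType Issue, TokenType, AppliesTo), signs the SOAP Body from the WS-Security header, and an STS verifies that signature before returning a RequestSecurityTokenResponseCollection whose issued token is in turn signed by the STS; a relying party then checks the STS signature and the token's scope. Everything not in the page is an assumption: the shared HMAC keys named urn:example:key/alice and urn:example:key/sts stand in for the pre-existing trust relationship, the issued ex:Token element is a hypothetical token type rather than a SAML assertion, and the XML Signature structure (SignedInfo, Reference, DigestValue, SecurityTokenReference) is built by hand with HMAC-SHA256 over xml.etree's inclusive C14N of each subtree, which is enough to show the structure but is not a substitute for a real XML Signature library with exclusive C14N and proper reference resolution. This also serves the previous paragraph, since it shows how a signature in the Security header refers to its token through a SecurityTokenReference and covers only the referenced elements.

```python
"""WS-Trust Issue exchange with a WS-Security-signed request. Added example, not from the
original page: HMAC keys urn:example:key/alice and urn:example:key/sts stand in for the
pre-existing trust relationship, the issued <ex:Token> is hypothetical (not SAML), and the
XML Signature structure is hand-built with HMAC-SHA256 over xml.etree's inclusive C14N."""
import base64, hashlib, hmac
import xml.etree.ElementTree as ET
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
WSA = "http://www.w3.org/2005/08/addressing"
EX = "urn:example:token"  # hypothetical token type and namespace
ISSUE = WST + "/Issue"
for p, u in [("soapenv", SOAP), ("wsse", WSSE), ("wsu", WSU), ("ds", DS), ("wst", WST), ("wsp", WSP), ("wsa", WSA), ("ex", EX)]:
    ET.register_namespace(p, u)
def q(ns, tag): return f"{{{ns}}}{tag}"
def b64(b): return base64.b64encode(b).decode()
def c14n(el): return ET.canonicalize(ET.tostring(el, encoding="unicode")).encode()

def sign(target, key, key_name):
    """ds:Signature over `target` (located by its wsu:Id), keyed by the shared key key_name."""
    sig = ET.Element(q(DS, "Signature"))
    si = ET.SubElement(sig, q(DS, "SignedInfo"))
    ET.SubElement(si, q(DS, "CanonicalizationMethod"), Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315")
    ET.SubElement(si, q(DS, "SignatureMethod"), Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256")
    ref = ET.SubElement(si, q(DS, "Reference"), URI="#" + target.get(q(WSU, "Id")))
    ET.SubElement(ref, q(DS, "DigestMethod"), Algorithm="http://www.w3.org/2001/04/xmlenc#sha256")
    ET.SubElement(ref, q(DS, "DigestValue")).text = b64(hashlib.sha256(c14n(target)).digest())
    ET.SubElement(sig, q(DS, "SignatureValue")).text = b64(hmac.new(key, c14n(si), "sha256").digest())
    stref = ET.SubElement(ET.SubElement(sig, q(DS, "KeyInfo")), q(WSSE, "SecurityTokenReference"))
    ET.SubElement(stref, q(WSSE, "KeyIdentifier")).text = key_name
    return sig

def verify(root, keys):
    """Check the ds:Signature in root's Security header; return (key_name, covered elements).
    Callers must still confirm that the element they act on is in the covered list."""
    sig = root.find(f"{q(SOAP, 'Header')}/{q(WSSE, 'Security')}/{q(DS, 'Signature')}")
    if sig is None: raise ValueError("message is not signed")
    key_name = sig.findtext(f"{q(DS, 'KeyInfo')}/{q(WSSE, 'SecurityTokenReference')}/{q(WSSE, 'KeyIdentifier')}")
    if key_name not in keys: raise ValueError("unknown key")
    si = sig.find(q(DS, "SignedInfo"))
    expected = b64(hmac.new(keys[key_name], c14n(si), "sha256").digest())
    if not hmac.compare_digest(expected, sig.findtext(q(DS, "SignatureValue")) or ""): raise ValueError("bad SignatureValue")
    covered = []
    for ref in si.findall(q(DS, "Reference")):
        hits = [e for e in root.iter() if e.get(q(WSU, "Id")) == ref.get("URI", "")[1:]]
        if len(hits) != 1: raise ValueError("Reference must resolve to exactly one element")  # no duplicate-Id wrapping
        if not hmac.compare_digest(b64(hashlib.sha256(c14n(hits[0])).digest()), ref.findtext(q(DS, "DigestValue")) or ""):
            raise ValueError("bad DigestValue")
        covered.append(hits[0])
    return key_name, covered

def build_rst(applies_to, key, key_name):
    """Requester: RST asking for an EX token scoped to applies_to, with the Body signed."""
    env = ET.Element(q(SOAP, "Envelope"))
    sec = ET.SubElement(ET.SubElement(env, q(SOAP, "Header")), q(WSSE, "Security"))
    body = ET.SubElement(env, q(SOAP, "Body"), {q(WSU, "Id"): "Body-1"})
    rst = ET.SubElement(body, q(WST, "RequestSecurityToken"))
    ET.SubElement(rst, q(WST, "RequestType")).text = ISSUE
    ET.SubElement(rst, q(WST, "TokenType")).text = EX
    epr = ET.SubElement(ET.SubElement(rst, q(WSP, "AppliesTo")), q(WSA, "EndpointReference"))
    ET.SubElement(epr, q(WSA, "Address")).text = applies_to
    sec.append(sign(body, key, key_name))
    return ET.tostring(env, encoding="unicode")

class SecurityTokenService:
    def __init__(self, requester_keys, sts_key):
        self.keys, self.sts_key, self.serial = requester_keys, sts_key, 0
    def issue(self, rst_xml):
        root = ET.fromstring(rst_xml)
        subject, covered = verify(root, self.keys)
        body = root.find(q(SOAP, "Body"))
        if body not in covered: raise ValueError("signature does not cover the Body")
        rst = body.find(q(WST, "RequestSecurityToken"))
        scope = rst is not None and rst.findtext(f"{q(WSP, 'AppliesTo')}/{q(WSA, 'EndpointReference')}/{q(WSA, 'Address')}")
        if not scope or rst.findtext(q(WST, "RequestType")) != ISSUE or rst.findtext(q(WST, "TokenType")) != EX:
            raise ValueError("unsupported request: need Issue of an EX token with AppliesTo")
        env = ET.Element(q(SOAP, "Envelope"))
        sec = ET.SubElement(ET.SubElement(env, q(SOAP, "Header")), q(WSSE, "Security"))
        coll = ET.SubElement(ET.SubElement(env, q(SOAP, "Body")), q(WST, "RequestSecurityTokenResponseCollection"))
        rstr = ET.SubElement(coll, q(WST, "RequestSecurityTokenResponse"))
        ET.SubElement(rstr, q(WST, "TokenType")).text = EX
        self.serial += 1
        tok = ET.SubElement(ET.SubElement(rstr, q(WST, "RequestedSecurityToken")), q(EX, "Token"),
                            {q(WSU, "Id"): f"Token-{self.serial}", "Subject": subject, "Audience": scope})
        sec.append(sign(tok, self.sts_key, "urn:example:key/sts"))  # detached STS signature over the token
        return ET.tostring(env, encoding="unicode")

def relying_party_accept(rstr_xml, sts_keys, expected_audience):
    """Relying party: accept the token only if the STS signature covers it and it is scoped to us."""
    root = ET.fromstring(rstr_xml)
    issuer, covered = verify(root, sts_keys)
    tok = root.find(f".//{q(EX, 'Token')}")
    if tok is None or tok not in covered: raise ValueError("issued token not covered by STS signature")
    if tok.get("Audience") != expected_audience: raise ValueError("token scoped to another service")
    return {"issuer": issuer, "subject": tok.get("Subject"), "audience": tok.get("Audience")}
```

Two checks in verify() are the ones that matter in practice: a Reference must resolve to exactly one element (so a second element carrying the same wsu:Id cannot be substituted for the signed one), and the caller must confirm that the element it is about to act on, the Body for the STS and the token for the relying party, is in the list the signature actually covered rather than trusting that a valid signature exists somewhere in the message.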