Keep SOAP auth and transaction metadata in the header contract the carrier actually processes.
SOAP header structure is part of the carrier contract. Auth tokens, UsernameToken blocks, API credentials, and transaction identifiers often belong in specific namespaces and element positions that the carrier stack inspects before it touches the business payload. If those fields drift into the body or use the wrong namespace, the XML can remain well formed while authentication still fails.
Keep one shared header builder, treat correlation IDs as first-class header data, and test header output explicitly. Header bugs are operational bugs because they break auth, traceability, and support workflows at the same time.