So apparently I was doing something wrong.
To help other people with this: you don't actually need the security token to run a query (in some cases).
All you need to do is add a <urn:sessiontoken> tag with a valid token to the request body (the tag name is lowercase, as in the code below, and XML is case-sensitive), and not send the X-Security-Token header or the cookie in the HTTP headers.
The code looks like this in Node.js.
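// Runs an xtk:queryDef#ExecuteQuery SOAP call that authenticates with the
// session token carried inside the request body; no X-Security-Token header
// and no cookie are sent.
// NOTE(review): whether the server accepts a session token alone presumably
// depends on how the instance is configured -- confirm for your instance.

// Replace the XML special characters with numeric character references so an
// interpolated value cannot close its element early and add markup to the
// SOAP envelope.
const escapeXml = (value) =>
  String(value).replace(/[&<>"']/g, (ch) => `&#${ch.charCodeAt(0)};`);

// The filter value is hard-coded here. If it ever comes from user input it
// must be validated and escaped, both for XML and for the query expression,
// before it is placed in the `expr` attribute.
const queryDef = [
  '<queryDef operation="select" schema="nms:recipient">',
  '<select><node expr="@email"/><node expr="@lastName"/><node expr="@firstName"/></select>',
  '<where><condition expr="@email = \'email@gmail.com\'"/></where>',
  '</queryDef>',
].join('');

// The session token is a credential, and it is now part of the request body:
// keep this string out of logs and error reports.
const body = [
  '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:xtk:queryDef">',
  '<soapenv:Header/><soapenv:Body><urn:ExecuteQuery>',
  `<urn:sessiontoken>${escapeXml(this.token)}</urn:sessiontoken>`,
  `<urn:entity>${queryDef}</urn:entity>`,
  '</urn:ExecuteQuery></soapenv:Body></soapenv:Envelope>',
].join('');

request({
  headers: {
    "Content-Type": "text/xml; charset=utf-8",
    "SOAPAction": "xtk:queryDef#ExecuteQuery",
  },
  // HTTPS only: the token travels in the body and has no other protection.
  uri: "https://neweratickets-s.neolane.net/nl/jsp/soaprouter.jsp",
  body,
  method: 'POST',
}, (err, response, responseBody) => {
  // Transport-level failure: there is no response to inspect.
  if (err) {
    console.error(err);
    return;
  }
  // A non-2xx status means the call did not succeed; report it instead of
  // treating the payload as a query result.
  if (response.statusCode < 200 || response.statusCode >= 300) {
    console.error(`ExecuteQuery failed with HTTP ${response.statusCode}`, responseBody);
    return;
  }
  // The result holds recipient e-mail addresses and names (the selected
  // nodes), so printing it is fine for a demo but should not go to
  // production logs.
  console.log(responseBody);
});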
Hope this helps.