Authentication overview

MuleSoft Anypoint Platform provides a comprehensive set of authentication mechanisms to secure access to its various components, including the Anypoint Platform user interface, deployed APIs, and integrated applications. These mechanisms ensure that only authorized entities—whether human users or client applications—can interact with the platform and the resources it manages. The platform's authentication capabilities are designed to support enterprise-grade requirements, including compliance with standards like Salesforce SOC 2 Type II and GDPR regulations.

Authentication within Anypoint Platform typically addresses two primary scenarios:

  1. Platform User Authentication: Securing access to the Anypoint Platform's control plane, including API Manager, Runtime Manager, Exchange, and Access Management. This governs who can design, deploy, manage, and monitor APIs and integrations.
  2. API and Application Authentication: Securing access to APIs and applications deployed on Mule runtimes. This controls how external or internal client applications can consume APIs exposed through Anypoint Platform.

The choice of authentication method depends on the specific use case, the sensitivity of the data, and the security requirements of the accessing client. MuleSoft emphasizes a layered security approach, combining authentication with authorization, threat protection, and auditing capabilities to establish a secure integration environment.

Supported authentication methods

MuleSoft Anypoint Platform supports a range of authentication methods for both platform access and securing APIs. These methods are designed to accommodate various security postures and integration patterns. The following table provides an overview of commonly supported methods:

| Method | When to Use | Security Level |
| --- | --- | --- |
| OAuth 2.0 / OpenID Connect | Securing RESTful APIs for web, mobile, or third-party applications; delegated authorization scenarios. Recommended for high-security APIs. (Learn more about OAuth 2.0.) | High |
| Basic Authentication | Internal APIs or integrations where HTTPS is guaranteed; legacy system integration. Not suitable for public-facing APIs without additional layers. | Moderate (if HTTPS enforced) |
| Client ID Enforcement | Simple API access control for known clients, often combined with an API key. Provides basic client identification. | Low to Moderate |
| JWT Authentication | Microservices communication, single sign-on (SSO), stateless authentication. Tokens carry claims about the user/client. | High |
| SAML (Security Assertion Markup Language) | Single Sign-On (SSO) for Anypoint Platform users, integrating with corporate identity providers. (MuleSoft SAML configuration details.) | High |
| Custom Policies | Implementing bespoke authentication logic or integrating with proprietary identity systems not covered by standard methods. | Configurable |

Authentication for Anypoint Platform Users

Users accessing the Anypoint Platform's web interface can authenticate using several methods:

  • Anypoint Platform Credentials: Standard username and password managed directly within Anypoint Platform Access Management.
  • SAML 2.0: Integration with external Identity Providers (IdPs) like Okta, Azure AD, or PingFederate for Single Sign-On. This allows users to authenticate using their corporate credentials. MuleSoft's guide to SAML IdP configuration explains the setup process.
  • OpenID Connect: Similar to SAML, Anypoint Platform can be configured to use OpenID Connect for user authentication, leveraging modern identity protocols.

Authentication for APIs and Applications

When securing APIs deployed through Anypoint Platform, API Manager provides policies to enforce various authentication schemes:

  • OAuth 2.0 Policies: Enforce OAuth 2.0 for API access, supporting various grant types (e.g., client credentials, authorization code). Anypoint Platform can act as an OAuth provider or integrate with external OAuth providers. MuleSoft's OAuth 2.0 overview provides further details.
  • Basic Authentication Policy: Requires clients to provide a username and password, typically transmitted via an Authorization: Basic header.
  • Client ID Enforcement Policy: Requires clients to pass a unique client_id and optionally a client_secret, which Anypoint Platform validates.
  • JSON Web Token (JWT) Validation Policy: Validates incoming JWTs, ensuring their integrity and authenticity based on a shared secret or public key.
  • Custom Policies: Developers can create custom policies to implement specific authentication logic, interact with proprietary identity systems, or integrate advanced security mechanisms.

Getting your credentials

The process for obtaining credentials depends on whether you are authenticating a user to the Anypoint Platform or authenticating a client application to an API.

For Anypoint Platform User Access:

  1. Direct Anypoint Platform Credentials: If your organization uses Anypoint Platform's native user management, your administrator will create your user account and provide initial login details. You can manage your password within the Anypoint Platform Access Management section.
  2. SAML/OpenID Connect (SSO): If SSO is configured, you will use your corporate credentials (e.g., your corporate email and password) to log in via your organization's Identity Provider. The Anypoint Platform will redirect you to the IdP for authentication.

For API and Application Access:

For client applications that need to consume APIs managed by Anypoint Platform, credentials are typically tied to an API client application defined within API Manager or Anypoint Exchange:

  1. Register Client Application: In Anypoint Exchange, developers of client applications can request access to an API. This process typically involves registering their application, which generates a client_id and client_secret. MuleSoft's guide on requesting API access explains this workflow.
  2. OAuth 2.0: If the API is secured with OAuth 2.0, the client application will use its client_id and client_secret (for grant types like Client Credentials) to obtain an access token from the configured OAuth provider (which can be Anypoint Platform itself or an external service). This access token is then used in subsequent API calls.
  3. API Keys/Client ID Enforcement: For APIs secured with Client ID enforcement, the client_id (and sometimes client_secret) obtained during application registration is passed directly in the API request headers or query parameters.
  4. Basic Authentication: For APIs using Basic Auth, the API provider will typically issue a username and password unique to the client application, which are then base64-encoded and sent in the Authorization header.

It is crucial to manage these credentials securely, treating client_secret values and API keys with the same level of protection as passwords. Never embed sensitive credentials directly in source code or expose them in client-side applications.

Authenticated request example

Here's an example of an authenticated request to a MuleSoft-managed API using the OAuth 2.0 Client Credentials grant type, a common method for server-to-server communication. This assumes you have registered your client application in Anypoint Exchange and received a client_id and client_secret.

Step 1: Obtain an Access Token

First, your client application requests an access token from the Anypoint Platform's OAuth provider endpoint.

curl -X POST \
  https://anypoint.mulesoft.com/apiplatform/token \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'grant_type=client_credentials&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET'

A successful response will return a JSON object containing the access_token and its expires_in duration:

{
  "access_token": "eyJraWQiOiJmMTlhZmYwMy0yOWQ3LTQyMWUtYmNiOC0zNmY5MDFjOGI3NjkiLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9...",
  "token_type": "bearer",
  "expires_in": 3600
}

Step 2: Make Authenticated API Call

With the obtained access_token, you can now make requests to the protected API by including it in the Authorization header as a Bearer token.

curl -X GET \
  https://your-api-domain.mule-api.com/your-resource \
  -H 'Authorization: Bearer eyJraWQiOiJmMTlhZmYwMy0yOWQ3LTQyMWUtYmNiOC0zNmY5MDFjOGI3NjkiLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9...'

Replace https://your-api-domain.mule-api.com/your-resource with the actual endpoint of your API and the Bearer token with the one you received. This demonstrates a standard way to interact with APIs secured by Anypoint Platform using OAuth 2.0.
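The same two steps, written as a small client in Python rather than as curl commands. This is an added example, not MuleSoft code: it reads client_id and client_secret from environment variables instead of placing them on the command line (where they would land in shell history and process listings), posts the client_credentials form to the token endpoint shown above, caches the access_token and refreshes it shortly before expires_in elapses, and sends it as a Bearer header. The environment variable names ANYPOINT_CLIENT_ID and ANYPOINT_CLIENT_SECRET, the refresh margin, and the transport/clock injection points are assumptions made for the example; the token and API URLs are the placeholders from the curl commands.

```python
"""Client-credentials flow against an Anypoint-managed API (added example, not MuleSoft's code)."""
import json
import os
import time
import urllib.parse
import urllib.request

# URLs taken from the curl example above; replace with your provider's and API's endpoints.
TOKEN_URL = "https://anypoint.mulesoft.com/apiplatform/token"
API_URL = "https://your-api-domain.mule-api.com/your-resource"
REFRESH_MARGIN_SECONDS = 60  # assumed: fetch a new token this long before the old one expires


def load_client_credentials(env=os.environ):
    """Read the client credentials from the environment, never from source code."""
    try:
        return env["ANYPOINT_CLIENT_ID"], env["ANYPOINT_CLIENT_SECRET"]  # assumed variable names
    except KeyError as missing:
        raise RuntimeError(f"missing credential variable {missing}") from None


def token_request_body(client_id, client_secret):
    """Form body for the client_credentials grant; urlencode escapes '&', '=' etc. in the secret."""
    return urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode("ascii")


def urllib_transport(url, method, headers, body=None):
    """Default transport: perform the HTTPS request and return (status, response_bytes)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:  # urllib validates the server certificate
        return resp.status, resp.read()


class TokenCache:
    """Obtains an access token (Step 1) and reuses it until shortly before it expires."""

    def __init__(self, client_id, client_secret, transport=urllib_transport, clock=time.time):
        self._client_id = client_id
        self._client_secret = client_secret
        self._transport = transport  # injectable so the flow can be exercised offline
        self._clock = clock
        self._token = None
        self._expires_at = 0.0
        self.token_requests = 0  # number of calls made to the token endpoint

    def access_token(self):
        if self._token is None or self._clock() >= self._expires_at:
            self._fetch()
        return self._token

    def _fetch(self):
        status, raw = self._transport(
            TOKEN_URL, "POST",
            {"Content-Type": "application/x-www-form-urlencoded"},
            token_request_body(self._client_id, self._client_secret),
        )
        self.token_requests += 1
        if status != 200:
            raise RuntimeError(f"token endpoint returned HTTP {status}")
        payload = json.loads(raw)
        if str(payload.get("token_type", "")).lower() != "bearer":
            raise RuntimeError("unexpected token_type in token response")
        self._token = payload["access_token"]
        # Treat the token as expired a little early so an in-flight call never carries a stale one.
        self._expires_at = self._clock() + int(payload["expires_in"]) - REFRESH_MARGIN_SECONDS


def bearer_header(token):
    """Step 2: the Authorization header carrying the access token."""
    return {"Authorization": f"Bearer {token}"}


def call_api(cache, transport=urllib_transport):
    """Call the protected resource with a valid (cached or freshly obtained) token."""
    return transport(API_URL, "GET", bearer_header(cache.access_token()))


if __name__ == "__main__":
    client_id, client_secret = load_client_credentials()
    status, body = call_api(TokenCache(client_id, client_secret))
    print(status, body[:200])
```

The cache matters operationally as well as for performance: requesting a new token on every API call is noisy in the provider's audit log and makes genuine credential abuse harder to spot.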

Security best practices

Adhering to security best practices is essential when configuring and using authentication within MuleSoft Anypoint Platform to protect sensitive data and maintain system integrity.

  • Least Privilege Principle: Grant only the minimum necessary permissions to users and service accounts. For Anypoint Platform users, use roles and permissions to restrict access to specific environments, APIs, and platform functionalities. For client applications, ensure their assigned scopes or permissions are narrowly defined for their intended purpose. MuleSoft's documentation on roles and permissions details how to implement this.
  • Strong Passwords and MFA: Enforce strong password policies for Anypoint Platform user accounts. Whenever possible, enable and require Multi-Factor Authentication (MFA) for platform access to add an extra layer of security.
  • Centralized Identity Management: Integrate Anypoint Platform with your organization's existing Identity Provider (IdP) using SAML or OpenID Connect for centralized user authentication and improved security posture through SSO and consistent policy enforcement.
  • Secure Credential Storage: Never hardcode sensitive credentials (API keys, client secrets, passwords) directly into application code. Utilize secure configuration management, environment variables, or Anypoint Platform's Secrets Manager or external secret management solutions (e.g., HashiCorp Vault) to store and retrieve credentials at runtime.
  • Rotate Credentials Regularly: Implement a strategy for regular rotation of API keys, client secrets, and other application credentials to minimize the risk of compromise over time.
  • Use OAuth 2.0 for APIs: For most modern API integrations, especially those involving external clients or user delegation, prioritize OAuth 2.0 over less secure methods like Basic Authentication. Ensure proper grant types are chosen based on the client type and use case.
  • Validate and Expire JWTs: When using JWTs, always validate the token's signature, issuer, audience, and expiration. Configure short expiry times for access tokens and use refresh tokens securely for extended sessions. Refer to RFC 7519 for JWT specifications.
  • HTTPS Everywhere: Ensure all communication with Anypoint Platform and between your applications and APIs is exclusively over HTTPS (TLS/SSL) to encrypt data in transit and prevent eavesdropping and man-in-the-middle attacks.
  • API Gateway Policies: Leverage Anypoint Platform's API Gateway capabilities to apply authentication policies, rate limiting, IP whitelisting, and threat protection policies at the edge of your APIs.
  • Regular Auditing and Monitoring: Continuously monitor access logs and audit trails within Anypoint Platform to detect unusual activity or potential security breaches. Configure alerts for failed login attempts or unauthorized access attempts.
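The JWT checks listed under "Validate and Expire JWTs" (signature, issuer, audience, expiration), which the JWT Validation Policy performs at the gateway, carried out explicitly in standard-library Python. This is an added example, not MuleSoft's policy code: it assumes an HS256 shared secret (the policy can equally use a public key), pins the algorithm rather than trusting the token's alg header, compares signatures in constant time, accepts aud as a string or list, and allows a small clock-skew leeway. The secret, issuer and audience values in the usage are constructed; sign_hs256 exists only to build inputs.

```python
"""JWT validation checks from RFC 7519 with the standard library (added example, not MuleSoft's code)."""
import base64
import hashlib
import hmac
import json
import time


class InvalidToken(Exception):
    """Any validation failure; callers should treat all causes identically."""


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def sign_hs256(claims, secret, header=None):
    """Issue an HS256 token; here only to construct inputs for the validator."""
    header = header or {"alg": "HS256", "typ": "JWT"}
    parts = [_b64url_encode(json.dumps(obj, separators=(",", ":")).encode()) for obj in (header, claims)]
    sig = hmac.new(secret, ".".join(parts).encode("ascii"), hashlib.sha256).digest()
    return ".".join(parts + [_b64url_encode(sig)])


def validate_jwt(token, secret, issuer, audience, now=None, leeway=30):
    """Return the claims if the token is valid for this issuer/audience, else raise InvalidToken."""
    now = time.time() if now is None else now
    try:
        h64, c64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        claims = json.loads(_b64url_decode(c64))
        signature = _b64url_decode(s64)
        signing_input = f"{h64}.{c64}".encode("ascii")  # exactly the bytes the issuer signed
    except (ValueError, TypeError) as exc:
        raise InvalidToken("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise InvalidToken("malformed token")
    # 1. Pin the algorithm: 'none' and any algorithm other than the one configured are rejected.
    if header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    # 2. Signature, compared in constant time.
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise InvalidToken("bad signature")
    # 3. Issuer must be the provider this API trusts.
    if claims.get("iss") != issuer:
        raise InvalidToken("wrong issuer")
    # 4. Audience: a token minted for another API must not be accepted here.
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise InvalidToken("wrong audience")
    # 5. Time claims: exp is required; nbf honoured when present; leeway absorbs clock skew.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        raise InvalidToken("missing exp")
    if now > exp + leeway:
        raise InvalidToken("expired")
    nbf = claims.get("nbf", 0)
    if isinstance(nbf, (int, float)) and now + leeway < nbf:
        raise InvalidToken("not yet valid")
    return claims


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed; a real deployment keeps this in a secrets store
    token = sign_hs256({"iss": "https://idp.example", "aud": "orders-api", "sub": "client-1",
                        "exp": int(time.time()) + 300}, secret)
    print(validate_jwt(token, secret, "https://idp.example", "orders-api"))
```

Ordering is deliberate: the signature is checked before any claim is read for a decision, so an attacker cannot learn which claim check would have failed on an unsigned token, and the short exp the best practice recommends only helps if the validator refuses tokens that omit exp altogether.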