
API Manager

API Manager is the MuleSoft Anypoint Platform component that governs APIs at run time.

§ 01

Definition

API Manager is the MuleSoft Anypoint Platform component that governs APIs at run time. It applies policies (rate limiting, authentication, IP whitelisting, header injection, JSON threat protection), tracks consumer applications and contracts, monitors traffic, and enforces SLAs. Where Anypoint Exchange and the API Catalog handle discovery and documentation, API Manager handles run-time enforcement. Every API call passes through the policies configured in API Manager before reaching the underlying implementation, which gives the platform team a single control plane to govern what consumers can do.

Inside the API-Led Connectivity model, API Manager sits in front of every System, Process, and Experience API. Each API is registered, a policy bundle is applied (typically rate limit plus auth plus an SLA tier), and consumer applications request access by signing up for a Client ID and Secret. Consumer activity is tracked through Contracts. The result is a clear audit trail: which consumers called which APIs, when, how many times, and whether they hit limits. Without API Manager, run-time governance falls to ad hoc enforcement inside each implementation, which scales poorly and produces inconsistent behaviour across the integration estate.

§ 02

How API Manager governs APIs at run time

Policies, the core enforcement primitive

A Policy is a reusable rule applied to an API: Rate Limit (X calls per minute), Client ID Enforcement (consumer must present a registered Client ID), OAuth 2.0 Token Enforcement, IP Whitelist, Header Injection, JSON Schema Validation, Threat Protection. Policies are applied in order; an API can have multiple. The platform ships dozens of standard policies; custom policies can be built when standard ones do not cover the case.

Contracts and consumer applications

Consumer applications register for access by creating a Contract against an API. The Contract specifies an SLA tier (Basic, Premium, etc., defined by the API owner). On approval, the consumer receives a Client ID and Client Secret to include in API calls. The Contract is the governance record: it links a specific consumer to a specific API at a specific SLA, with rate limits applied accordingly.

SLA tiers

An SLA tier bundles rate limits, throttling behaviour, and approval workflow. A Basic tier might allow 1000 calls per hour with auto-approval; a Premium tier 10000 calls per hour with manual approval by the API owner. Tiers are how the same API serves different consumer classes (internal teams, partners, public developers) without separate deployments.

Where API Manager sits in the network path

API Manager applies policies through a gateway. Two gateway flavours are common: Mule Runtime gateways (the same runtime that hosts MuleSoft applications) and Flex Gateway (a lightweight Envoy-based gateway designed for non-Mule workloads, including direct Salesforce REST API protection). Every consumer call traverses the gateway, which enforces policies before forwarding to the implementation.

Monitoring, analytics, and alerting

API Manager surfaces traffic metrics per API and per consumer: requests per minute, response time percentiles, error rates, rate-limit violations. Anypoint Analytics extends this with dashboards and custom alerts. Production teams typically build a dashboard per API plus an alert when error rate or latency crosses an SLA threshold, so they hear about problems before consumers do.

Versioning and lifecycle

API Manager supports multiple versions of the same API in parallel. v1 and v2 can run side by side with different policy bundles, allowing consumers to migrate at their own pace. Deprecation is a lifecycle status change in API Manager, which surfaces to consumers in the API Catalog and triggers any configured policies (warning headers, hard cutoffs at a date).

Connection to Salesforce-native APIs

Modern MuleSoft installations also use Flex Gateway to protect non-MuleSoft endpoints, including Salesforce REST APIs and partner-managed services. Apex REST endpoints exposed through API Manager get the same rate limiting, auth, and analytics as any MuleSoft API. This is the operational benefit of unifying governance even when the implementation lives in Apex.

Common rollout pitfalls

Three pitfalls dominate. Over-policying (applying ten policies when three would do) creates latency and consumer friction. Auto-approving every consumer contract removes the governance value of contracts. Skipping versioning makes API breaking changes painful. Each pitfall traces to treating API Manager as a one-time setup task instead of an ongoing governance practice.

§ 03

How to put an API behind API Manager

Onboarding an API is a few clicks once Anypoint Platform is set up. The lasting work is policy design, contract approval flow, and monitoring discipline.

  1. Register the API in API Manager

    Open API Manager, click Manage API. Choose the underlying implementation URL and link to the API specification in Anypoint Exchange.

  2. Apply policies

    Add policies in the right order: Client ID Enforcement first, then Rate Limit-SLA, then any data-shape policies (JSON Schema Validation, JSON Threat Protection). Keep the bundle small enough to read on one screen.

  3. Define SLA tiers

    Create tiers that match the consumer classes: Internal (auto-approve, high limit), Partner (manual approve, moderate limit), Public (manual approve, low limit).

  4. Approve consumer contracts

    Process incoming contract requests from consumers. Approve, deny, or request more information. Approval issues a Client ID and Client Secret to the consumer application.

  5. Build dashboards and alerts

    Use Anypoint Analytics to build per-API dashboards. Configure alerts on rate-limit violations, latency thresholds, and error rate spikes so operations teams hear about problems before consumers escalate.

Gotchas
  • Policies execute in order. A poorly ordered bundle lets requests that have not yet been authenticated reach the later, more expensive validating policies (and consume rate-limit budget), wasting work on traffic that should have been rejected at the first step.
  • Auto-approving every consumer contract removes the governance value of contracts. Set the approval bar based on the consumer class.
  • Latency adds up as policies stack. Test gateway latency before promising tight SLAs; ten policies add several milliseconds in practice.
  • Versioning matters. Without parallel v1 and v2 deployments, every consumer breaks the day the API changes.
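As an added example (not MuleSoft code), the toy gateway below models the contract, SLA-tier and policy-chain concepts from the section above and replays the same traffic through two policy orders, so the ordering gotcha is visible as status codes. Client IDs, secrets and tier limits are constructed values; the policy behaviour is a simplification of the real Client ID Enforcement and SLA-based Rate Limiting policies.

```python
# Added example, not MuleSoft's own code: a toy model of an API Manager policy
# chain, showing why Client ID Enforcement must run before the SLA rate limit.
# Tier limits, Client IDs and secrets below are constructed values.
from dataclasses import dataclass, field

# SLA tiers: calls allowed per window for each consumer class (constructed).
TIERS = {"Internal": 1000, "Partner": 3, "Public": 1}
# Approved contracts: Client ID -> secret and SLA tier (constructed).
CONTRACTS = {
    "app-internal-01": {"secret": "s3cret-a", "tier": "Internal"},
    "app-partner-07": {"secret": "s3cret-b", "tier": "Partner"},
}

@dataclass
class Gateway:
    policies: list                             # policy names, in execution order
    usage: dict = field(default_factory=dict)  # Client ID -> calls this window

    def client_id_enforcement(self, req):
        """Reject callers without a valid Client ID / Secret pair (401)."""
        contract = CONTRACTS.get(req.get("client_id"))
        if contract is None or contract["secret"] != req.get("client_secret"):
            return 401
        return None

    def rate_limit_sla(self, req):
        """Count the call against the caller's tier; over budget is 429."""
        cid = req.get("client_id")
        limit = TIERS.get(CONTRACTS.get(cid, {}).get("tier"), 0)  # unknown: 0
        self.usage[cid] = self.usage.get(cid, 0) + 1
        return 429 if self.usage[cid] > limit else None

    def handle(self, req):
        """Run policies in order; the first one that rejects wins."""
        for name in self.policies:
            status = getattr(self, name)(req)
            if status is not None:
                return status
        return 200  # every policy passed: forward to the implementation

def run(order, requests):
    """Replay a request list through a fresh gateway using this policy order."""
    gw = Gateway(list(order))
    return [gw.handle(r) for r in requests]

# Constructed traffic: two calls with a stale secret, one anonymous call, then
# four well-formed calls from the same Partner-tier consumer (limit 3).
STALE = {"client_id": "app-partner-07", "client_secret": "old-secret"}
GOOD = {"client_id": "app-partner-07", "client_secret": "s3cret-b"}
TRAFFIC = [STALE, STALE, {}, GOOD, GOOD, GOOD, GOOD]
```

With Client ID Enforcement first, `run(...)` on this traffic returns 401, 401, 401, 200, 200, 200, 429; with the rate limit first it returns 401, 401, 429, 200, 429, 429, 429, because the stale-secret calls burned the partner's budget and the anonymous caller was told "rate limited" instead of "unauthenticated".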
§


About the Author

Dipojjal Chakrabarti is a B2C Solution Architect with 29 Salesforce certifications and over 13 years in the Salesforce ecosystem. He runs salesforcedictionary.com to help admins, developers, architects, and cert/interview candidates sharpen their fundamentals. More about Dipojjal.

§

Test your knowledge

Q1. API Manager is part of which platform?

Q2. Which of the following is NOT typically configured in API Manager?

Q3. What is the primary purpose of API Manager?
