MuleSoft · Rate Limits

Mulesoft Rate Limits

MuleSoft's Anypoint Platform does not impose a single global call-per-second cap. Throttling is applied by the customer at the API Manager / Flex Gateway layer using the Rate-Limiting and Rate-Limiting SLA policies — the customer defines numbers per API and per client application contract. Platform-side consumption is sized by the subscribed Mule Flow / Mule Message capacity (vCores), not by HTTP rate.

Mulesoft Rate Limits is the machine-readable rate-limit profile for MuleSoft on the APIs.io network, conforming to the API Commons Rate Limits specification.

It captures 3 rate-limit definitions, measuring requests_per_window and vCore_capacity.

The profile also includes 5 backoff/retry policies defined and response codes documented for invalidCredentials and quotaExceeded.

Tagged areas include Rate Limiting, API Management, Integration Platform, and Anypoint Platform.

3 Limits Quota: 429
Rate LimitingAPI ManagementIntegration PlatformAnypoint Platform

Limits

Customer-defined per API (Rate-Limiting policy) api
requests_per_window
customer-defined per API
Defined as max requests per time window in API Manager; applied by Flex Gateway / Mule runtime.
Customer-defined per client app (Rate-Limiting SLA policy) client_application
requests_per_window
customer-defined per SLA tier
SLA-tier limits are bound to a contract between a registered client application and the API.
Platform capacity (Mule Flow / Mule Message) subscription
vCore_capacity
per subscribed package
Platform-side throughput is governed by the subscribed Integration Starter / Advanced / API Management package capacity rather than by an HTTP rate ceiling.

Policies

Customer-owned throttling
MuleSoft's role is to enforce policies the API owner configures — there is no MuleSoft-supplied default RPS for customer APIs. Choose Rate-Limiting (single-threshold) or Rate-Limiting SLA (per-client-app contract).
Distributed quotas
When 'Distributed' is enabled on Flex Gateway, quotas are shared across replicas via shared storage; if storage is unreachable, the 'Block on unknown quota' option determines whether requests are blocked or allowed.
Replica scope
A Rate-Limiting SLA policy is scoped to Flex Gateway replicas, not the gateway as a whole. Local Mode does not support the policy.
Header exposure
When 'Expose Headers' is enabled, X-Ratelimit-Limit, X-Ratelimit-Remaining, and X-Ratelimit-Reset (in milliseconds) are returned to the client.
Credential failures
401 is returned when the client_id (and optional client_secret) DataWeave expression cannot resolve a valid registered client application.

Sources