Free MuleSoft MCPA-Level-1 Exam 2025 Practice Materials Collection [Q90-Q110]


MCPA-Level-1 Exam Info and Free Practice Test All-in-One Exam Guide Mar-2025


The MCPA-Level-1 certification exam consists of multiple-choice questions and performance-based questions. The MCPA-Level-1 exam covers a wide range of topics, including MuleSoft Anypoint Platform architecture, API design, data transformation, message routing, and error handling. The MCPA-Level-1 exam is designed to test the candidate's ability to solve real-world problems using the Anypoint Platform.


The MuleSoft MCPA-Level-1 (MuleSoft Certified Platform Architect - Level 1) Exam is a certification exam that validates a candidate's knowledge and skills in designing, building, and managing integration solutions using MuleSoft's Anypoint Platform. The MCPA-Level-1 exam tests the candidate's ability to work with various MuleSoft components, such as API Manager, Anypoint Studio, CloudHub, and Anypoint Exchange, and their understanding of MuleSoft's best practices and design patterns. Passing the MCPA-Level-1 exam demonstrates that a candidate possesses the expertise required to develop and manage MuleSoft integration projects efficiently.


The MCPA-Level-1 certification exam is designed to test an individual's ability to design, build, and manage MuleSoft applications using the Anypoint Platform. The MCPA-Level-1 exam is intended for experienced developers who have a thorough understanding of MuleSoft architecture and design principles. It is an advanced-level certification that requires a deep understanding of the MuleSoft platform and its capabilities.

 

NEW QUESTION # 90
What is a key performance indicator (KPI) that measures the success of a typical C4E that is immediately apparent in responses from the Anypoint Platform APIs?

  • A. The number of production outage incidents reported in the last 24 hours
  • B. The fraction of API implementations deployed manually relative to those deployed using a CI/CD tool
  • C. The number of API specifications in RAML or OAS format published to Anypoint Exchange
  • D. The number of API implementations that have a publicly accessible HTTP endpoint and are being managed by Anypoint Platform

Answer: C

Explanation:
Correct answer: The number of API specifications in RAML or OAS format published to Anypoint Exchange
*****************************************
>> The success of C4E always depends on their contribution to the number of reusable assets that they have helped to build and publish to Anypoint Exchange.
>> It is NOT due to any factors with respect to the number of outages, manual vs. CI/CD deployments, or publicly accessible HTTP endpoints.
>> Anypoint Platform APIs help us to quickly run and get the number of published RAML/OAS assets in Anypoint Exchange. This clearly depicts how successful a C4E team is, based on the number of returned assets in the response.


NEW QUESTION # 91
An API client calls one method from an existing API implementation. The API implementation is later updated. What change to the API implementation would require the API client's invocation logic to also be updated?

  • A. When a new required field is added to the method called by the API client
  • B. When the data type of the response is changed for the method called by the API client
  • C. When a new method is added to the resource used by the API client
  • D. When a child method is added to the method called by the API client

Answer: A

Explanation:
Correct answer: When a new required field is added to the method called by the API client
*****************************************
>> Generally, the logic on API clients needs to be updated when the API contract breaks.
>> When a new method or a child method is added to an API, the API client does not break, as it can still continue to use its existing method. So these two options are out.
>> We are left with two more: "the data type of the response is changed" and "a new required field is added".
>> Changing the data type of the response does break the API contract. However, the question is about the "invocation" logic and not about the response handling logic. The API client can still invoke the API successfully and receive the response, but the response will have a different data type for some field.
>> Adding a new required field will break the API's invocation contract. When adding a new required field, the API contract breaks the RAML or API spec agreement that the API client/API consumer and API provider have between them. So this requires the API client invocation logic to also be updated.


NEW QUESTION # 92
Which layer in API-led connectivity focuses on unlocking key systems, legacy systems, data sources, etc., and exposes their functionality?

  • A. Experience Layer
  • B. Process Layer
  • C. System Layer

Answer: C

Explanation:
System Layer

The APIs used in an API-led approach to connectivity fall into three categories:
System APIs - These usually access the core systems of record and provide a means of insulating the user from the complexity or any changes to the underlying systems. Once built, many users can access data without any need to learn the underlying systems and can reuse these APIs in multiple projects.
Process APIs - These APIs interact with and shape data within a single system or across systems (breaking down data silos) and are created here without a dependence on the source systems from which that data originates, as well as the target channels through which that data is delivered.
Experience APIs - Experience APIs are the means by which data can be reconfigured so that it is most easily consumed by its intended audience, all from a common data source, rather than setting up separate point-to-point integrations for each channel. An Experience API is usually created with API-first design principles, where the API is designed with the specific user experience in mind.


NEW QUESTION # 93
A company stores financial transaction data in two legacy systems. For each legacy system, a separate, dedicated System API (SAPI) exposes data for that legacy system. A Process API (PAPI) merges the data retrieved from all of the System APIs into a common format. Several API clients call the PAPI through its public domain name.
The company now wants to expose a subset of financial data to a newly developed mobile application that uses a different Bounded Context Data Model. The company wants to follow MuleSoft's best practices for building out an effective application network.
Following MuleSoft's best practices, how can the company expose financial data needed by the mobile application in a way that minimizes the impact on the currently running API clients, API implementations, and support asset reuse?

  • A. Develop and deploy a new PAPI implementation with data transformation and ... logic to support the required endpoints of both mobile and web clients.
    Deploy an API Proxy with an endpoint from API Manager that redirects the existing PAPI endpoints to the new PAPI.
  • B. Add two new Experience APIs (EAPI-1 and EAPI-2).
    Add Mobile PAPI-2 to expose the intended subset of financial data as requested.
    Both PAPIs access the Legacy Systems via SAPI-1 and SAPI-2.
  • C. Add two new Experience APIs (EAPI-1 and EAPI-2).
    Add Mobile PAPI-2 to expose the intended subset of financial data as requested.
    Both PAPIs access the Legacy Systems via SAPI-1 and SAPI-2.
  • D. Create a new mobile Experience API (EAPI) that exposes that subset of PAPI endpoints.
    Add transformation logic to the mobile Experience API implementation to make mobile data compatible with the required PAPIs.

Answer: C

Explanation:
To achieve the goal of exposing financial data to a new mobile application while following MuleSoft's best practices, the company should follow an API-led connectivity approach. This approach ensures minimal disruption to existing clients, maximizes reusability, and respects the separation of concerns across API layers.
Explanation of Solution:
* Experience APIs for Client-Specific Requirements:
  * Create two new Experience APIs (EAPI-1 and EAPI-2) for the mobile application, tailored to meet the specific data and format requirements of the mobile application. These APIs encapsulate the client-specific needs and provide a custom interface without impacting other clients.
* Process API Layer for Data Transformation:
  * By adding Mobile PAPI-2, we allow the mobile application to access the required subset of data, formatted according to the mobile application's requirements. This approach ensures that data transformation and aggregation are handled in the Process layer, maintaining consistency and reusability across different applications.
* Reuse of System APIs:
  * Both the new Mobile PAPI-2 and existing PAPI-1 access data from System APIs (SAPI-1 and SAPI-2), which continue to expose data from each legacy system in a consistent, reusable manner. This avoids duplicating logic and ensures that data access remains centralized and manageable.
* Why Option A is Correct:
  * Option A aligns with MuleSoft's best practices by isolating client-specific requirements in the Experience layer, utilizing Process APIs for data orchestration and transformation, and maintaining reusable System APIs for backend access.
  * This approach also ensures that the current API clients are not impacted, as new clients (e.g., the mobile app) interact with newly defined Experience APIs without modifying the existing API setup.
Explanation of Incorrect Options:
* Option B: This option seems similar but lacks clarity on the separation of mobile-specific requirements and does not explicitly mention data transformation, which is essential in this scenario.
* Option C: Creating a single mobile Experience API that exposes a subset of PAPI endpoints directly adds unnecessary complexity and may violate the separation of concerns, as transformation logic should not be in the Experience layer.
* Option D: Deploying a new PAPI and using an API Proxy to redirect existing endpoints would add unnecessary complexity, disrupt the current API clients, and increase maintenance efforts.
References: For additional guidance, refer to MuleSoft documentation on API-led connectivity best practices and best practices for structuring Experience, Process, and System APIs.


NEW QUESTION # 94
True or False. We should always make sure that the APIs being designed and developed are self-servable even if it needs more man-day effort and resources.

  • A. TRUE
  • B. FALSE

Answer: A

Explanation:
*****************************************
>> As per MuleSoft's proposed IT Operating Model, designing APIs and making sure that they are discoverable and self-servable is VERY VERY IMPORTANT and decides the success of an API and its application network.


NEW QUESTION # 95
Refer to the exhibit.

A developer is building a client application to invoke an API deployed to the STAGING environment that is governed by a client ID enforcement policy.
What is required to successfully invoke the API?

  • A. A valid OAuth token obtained from Anypoint Platform and its associated client ID and secret
  • B. The client ID and secret for the Anypoint Platform account owning the API in the STAGING environment
  • C. The client ID and secret for the Anypoint Platform account's STAGING environment
  • D. The client ID and secret obtained from Anypoint Exchange for the API instance in the STAGING environment

Answer: D

Explanation:
The client ID and secret obtained from Anypoint Exchange for the API instance in the STAGING environment
*****************************************
>> We CANNOT use the client ID and secret of Anypoint Platform account or any individual environments for accessing the APIs
>> As the type of policy that is enforced on the API in question is "Client ID Enforcement Policy", OAuth token based access won't work.
The right way to access the API is to use the client ID and secret obtained from Anypoint Exchange for the API instance in the particular environment we want to work on.
References:
Managing API instance Contracts on API Manager
https://docs.mulesoft.com/api-manager/1.x/request-access-to-api-task
https://docs.mulesoft.com/exchange/to-request-access
https://docs.mulesoft.com/api-manager/2.x/policy-mule3-client-id-based-policies


NEW QUESTION # 96
Which scenario is suited for MUnit tests instead of integration tests?

  • A. When no mocking is permissible
  • B. When testing does not require knowledge of implementation details
  • C. For tests that are implemented using SoapUI
  • D. For read-only interactions to any dependencies (such as other web APIs)

Answer: D

Explanation:
MUnit is MuleSoft's testing framework for creating and running automated tests within Anypoint Studio. It is specifically designed for unit testing Mule applications and is best suited when testing doesn't require understanding the inner workings or implementation details of the components being tested.
* Ideal Use Cases for MUnit:
  * MUnit is optimal when testing individual flows, functions, or components in isolation. This type of testing focuses on verifying the behavior of each unit without needing to understand the complete system.
  * Since unit tests do not require external integrations or dependencies to be live, mocking is commonly used in MUnit to simulate the behavior of external services and APIs.
* Why Option B is Correct:
  * Option B aligns with the concept of unit testing, where the emphasis is on testing functionality rather than system integration. Integration tests, on the other hand, would require implementation knowledge and live endpoints, making them unsuitable for MUnit's scope.
* Explanation of Incorrect Options:
  * Option A (read-only interactions) and Option C (no mocking) do not suit MUnit's typical testing environment as MUnit is designed with mocking capabilities to simulate dependencies.
  * Option D (SoapUI-based tests) suggests an external testing tool, while MUnit is specific to MuleSoft.
References: For more on MUnit best practices, refer to MuleSoft's MUnit documentation.


NEW QUESTION # 97
An API implementation is deployed on a single worker on CloudHub and invoked by external API clients (outside of CloudHub). How can an alert be set up that is guaranteed to trigger AS SOON AS that API implementation stops responding to API invocations?

  • A. Create an alert for when the API receives no requests within a specified time period
  • B. Implement a heartbeat/health check within the API and invoke it from outside the Anypoint Platform and alert when the heartbeat does not respond
  • C. Handle API invocation exceptions within the calling API client and raise an alert from that API client when the API is unavailable
  • D. Configure a "worker not responding" alert in Anypoint Runtime Manager

Answer: D

Explanation:
Correct answer: Configure a "Worker not responding" alert in Anypoint Runtime Manager.
*****************************************
>> All the options eventually help to generate the alert required when the application stops responding.
>> However, handling exceptions within the calling API client and then raising an alert from that API client is inappropriate and silly. There could be many API clients invoking the API implementation, and it is not ideal to have this setup consistently in all of them. It is not a realistic approach.
>> Implementing a health check/heartbeat within the API and calling it from outside to determine the health sounds OK, but it needs extra setup, and at the same time there is a very good chance of generating false alarms when there are intermittent network issues between the external tool calling the health check and the API implementation. The API implementation itself may not have any issues, but due to some other factors some false alarms may go out.
>> Creating an alert in API Manager when the API receives no requests within a specified time period would actually generate realistic alerts, but even here some false alarms may go out when there are genuinely no requests from API clients.
The best and right way to achieve this requirement is to set up an alert in Runtime Manager with the condition "Worker not responding". This would generate an alert AS SOON AS the workers become unresponsive.


NEW QUESTION # 98
What is the most performant out-of-the-box solution in Anypoint Platform to track transaction state in an asynchronously executing long-running process implemented as a Mule application deployed to multiple CloudHub workers?

  • A. Redis distributed cache
  • B. java.util.WeakHashMap
  • C. File-based storage
  • D. Persistent Object Store

Answer: D

Explanation:
Persistent Object Store
*****************************************
>> Redis distributed cache is performant but is NOT an out-of-the-box solution in Anypoint Platform.
>> File-based storage is neither performant nor an out-of-the-box solution in Anypoint Platform.
>> java.util.WeakHashMap needs a completely custom implementation of a cache from scratch using Java code and is limited to the JVM where it is running. This means the state in the cache is not worker aware when running on multiple workers. This type of cache is local to the worker. So, this is neither out-of-the-box nor worker-aware among multiple workers on CloudHub. https://www.baeldung.com/java-weakhashmap
>> Persistent Object Store is an out-of-the-box solution provided by Anypoint Platform which is performant as well as worker aware among multiple workers running on CloudHub. https://docs.mulesoft.com/object-store/ So, Persistent Object Store is the right answer.


NEW QUESTION # 99
What API policy would LEAST likely be applied to a Process API?

  • A. JSON threat protection
  • B. Client ID enforcement
  • C. Custom circuit breaker
  • D. Rate limiting

Answer: C

Explanation:
Explanation/Reference: https://docs.mulesoft.com/api-manager/2.x/policy-mule3-provided-policies


NEW QUESTION # 100
A company requires Mule applications deployed to CloudHub to be isolated between non-production and production environments. This is so Mule applications deployed to non-production environments can only access backend systems running in their customer-hosted non-production environment, and so Mule applications deployed to production environments can only access backend systems running in their customer-hosted production environment. How does MuleSoft recommend modifying Mule applications, configuring environments, or changing infrastructure to support this type of per-environment isolation between Mule applications and backend systems?

  • A. Create non-production and production environments in different Anypoint Platform business groups
  • B. Create separate Anypoint VPCs for non-production and production environments, then configure connections to the backend systems in the corresponding customer-hosted environments
  • C. Modify properties of Mule applications deployed to the production Anypoint Platform environments to prevent access from non-production Mule applications
  • D. Configure firewall rules in the infrastructure inside each customer-hosted environment so that only IP addresses from the corresponding Anypoint Platform environments are allowed to communicate with corresponding backend systems

Answer: B

Explanation:
Correct answer: Create separate Anypoint VPCs for non-production and production environments, then configure connections to the backend systems in the corresponding customer-hosted environments.
*****************************************
>> Creating different Business Groups does NOT make any difference w.r.t. accessing the non-prod and prod customer-hosted environments. Still they will be accessing from both Business Groups unless process network restrictions are put in place.
>> We need to modify or couple the Mule Application Implementations with the environment. In fact, we should never implement applications coupled with environments by binding them in the properties. Only basic things like the endpoint URL etc. should be bundled in properties, but not environment-level access restrictions.
>> IP addresses on CloudHub are dynamic unless special static addresses are assigned. So it is not possible to set up firewall rules in customer-hosted infrastructure. Moreover, even if static IP addresses are assigned, there could be 100s of applications running on CloudHub, and setting up rules for all of them would be a hectic task, non-maintainable and definitely not a good practice.
>> The best practice recommended by MuleSoft (in fact, by any cloud provider) is to have your Anypoint VPCs separated for Prod and Non-Prod and perform VPC peering or VPN tunneling from these Anypoint VPCs to the respective Prod and Non-Prod customer-hosted environment networks.


NEW QUESTION # 101
A company has started to create an application network and is now planning to implement a Center for Enablement (C4E) organizational model. What key factor would lead the company to decide upon a federated rather than a centralized C4E?

  • A. When various teams responsible for creating APIs are new to integration and hence need extensive training
  • B. When there are a large number of existing common assets shared by development teams
  • C. When the majority of the applications in the application network are cloud based
  • D. When development is already organized into several independent initiatives or groups

Answer: D

Explanation:
Correct answer: When development is already organized into several independent initiatives or groups
*****************************************
>> It would require a lot of process effort in an organization to have a single C4E team coordinating with multiple already organized development teams which are working on several independent initiatives. A single C4E works well with different teams having at least a common initiative. So, in this scenario, a federated C4E works well instead of a centralized C4E.


NEW QUESTION # 102
A Platform Architect inherits a legacy monolithic SOAP-based web service that performs a number of tasks, including showing all policies belonging to a client. The service connects to two back-end systems - a life-insurance administration system and a general-insurance administration system - and then queries for insurance policy information within each system, aggregates the results, and presents a SOAP-based response to a user interface (UI).
The architect wants to break up the monolithic web service to follow API-led conventions.
Which part of the service should be put into the process layer?

  • A. Combining the insurance policy information from the administration systems
  • B. Querying the data from the administration systems
  • C. Authenticating and maintaining connections to each of the back-end administration systems
  • D. Presenting the SOAP-based response to the UI

Answer: A

Explanation:
In the API-led connectivity approach, each layer (System, Process, and Experience) has a distinct purpose:
* System APIs: These APIs connect directly to backend systems to expose and unlock data in a standardized way.
* Process APIs: These are responsible for orchestrating and processing data across different systems, combining information where needed.
* Experience APIs: These are designed for specific user interfaces or applications, often transforming data formats to fit the needs of each consumer application.
Why Option A is Correct:
* Process APIs are designed to combine data from multiple systems, which aligns with the function of aggregating policy information from both the life and general insurance systems. This aggregation logic would ideally reside in the Process layer, separating data retrieval from data orchestration.
* Moving this functionality to the Process layer enables reusability and modularity, as other Experience APIs or services could also leverage the combined policy data if needed.
Explanation of Incorrect Options:
* Option B (Presenting the SOAP-based response) would be managed by the Experience layer, as this layer adapts data formats for specific interfaces.
* Option C (Authenticating and maintaining backend connections) would typically be handled within the System layer, where backend integration and security handling occurs.
* Option D (Querying data) is the function of System APIs, which access the backend systems directly and expose the raw data without additional processing.
References: For further details on API-led architecture and the roles of each layer, refer to MuleSoft's documentation on API-led connectivity and API layers.


NEW QUESTION # 103
How are an API implementation, API client, and API consumer combined to invoke and process an API?

  • A. The API consumer creates an API implementation, which receives API invocations from an API such that they are processed for an API client
  • B. The API consumer creates an API client, which sends API invocations to an API such that they are processed by an API implementation
  • C. The API client creates an API consumer, which receives API invocations from an API such that they are processed for an API implementation
  • D. The API client creates an API consumer, which sends API invocations to an API such that they are processed by an API implementation

Answer: B

Explanation:
Correct answer: The API consumer creates an API client, which sends API invocations to an API such that they are processed by an API implementation
*****************************************
Terminology:
>> API Client - A piece of code or program that is written to invoke an API.
>> API Consumer - An owner/entity who owns the API Client. API Consumers write API clients.
>> API - The provider of the API functionality. Typically an API Instance on API Manager where they are managed and operated.
>> API Implementation - The actual piece of code written by API provider where the functionality of the API is implemented. Typically, these are Mule Applications running on Runtime Manager.


NEW QUESTION # 104
A large company wants to implement IT infrastructure in its own data center, based on the corporate IT policy requirements that data and metadata reside locally.
Which combination of Mule control plane and Mule runtime plane(s) meets the requirements?

  • A. The MuleSoft-hosted control plane and customer-hosted Mule runtimes for the runtime plane
  • B. Anypoint Platform Private Cloud Edition for the control plane and the MuleSoft-hosted runtime plane
  • C. The MuleSoft-hosted control plane and Anypoint Runtime Fabric for the runtime plane
  • D. Anypoint Platform Private Cloud Edition for the control plane and customer-hosted Mule runtimes for the runtime plane

Answer: D

Explanation:
* Understanding Control and Runtime Planes:
  * Control Plane: The control plane is responsible for managing, monitoring, and deploying Mule applications. In a Private Cloud Edition (PCE), this control plane is deployed on-premises within the customer's infrastructure, meeting data residency and security requirements.
  * Runtime Plane: The runtime plane consists of Mule runtimes that execute Mule applications. By hosting these runtimes within the customer's infrastructure, data and metadata can remain local, which complies with corporate policies regarding data residency.
* Evaluating the Options:
  * Option A: Using Anypoint Platform Private Cloud Edition for the control plane and the MuleSoft-hosted runtime plane would not meet the requirement, as the runtime plane is hosted by MuleSoft and would not keep data local.
  * Option B: The MuleSoft-hosted control plane with Anypoint Runtime Fabric for the runtime plane would still mean that metadata is managed in MuleSoft's cloud, which does not comply with the requirement to keep data and metadata on-premises.
  * Option C: A MuleSoft-hosted control plane and customer-hosted Mule runtimes also mean that metadata resides in the cloud, not on-premises, failing the residency requirement.
  * Option D (Correct Answer): Anypoint Platform Private Cloud Edition (PCE) for the control plane and customer-hosted Mule runtimes fulfill both requirements, as both the control plane and runtime plane would be hosted within the customer's data center.
* Conclusion:
  * Option D is the correct answer, as it ensures that both the control plane and runtime plane are hosted on-premises, allowing data and metadata to reside locally per the corporate IT policy.
Refer to MuleSoft's documentation on Private Cloud Edition deployment and on-premise runtime configurations for further details.


NEW QUESTION # 105
Refer to the exhibit.

A developer is building a client application to invoke an API deployed to the STAGING environment that is governed by a client ID enforcement policy.
What is required to successfully invoke the API?

  • A. The client ID and secret obtained from Anypoint Exchange for the API instance in the STAGING environment
  • B. The client ID and secret for the Anypoint Platform account owning the API in the STAGING environment
  • C. The client ID and secret for the Anypoint Platform account's STAGING environment
  • D. A valid OAuth token obtained from Anypoint Platform and its associated client ID and secret

Answer: D

Explanation:
https://docs.mulesoft.com/api-manager/2.x/policy-mule3-client-id-based-policies


NEW QUESTION # 106
An organization wants to create a Center for Enablement (C4E). The IT director schedules a series of meetings with IT senior managers.
What should be on the agenda of the first meeting?

  • A. Define C4E objectives, mission statement, guiding principles, a
  • B. Explore API monetization options based on identified use cases through MuleSoft
  • C. Specify operating model for the MuleSoft Integrations division
  • D. A walk through of common-services best practices for logging, auditing, exception handling, caching, security via policy, and rate limiting/throttling via policy

Answer: A

Explanation:
In the initial meeting for establishing a Center for Enablement (C4E), it's essential to lay the foundational vision, objectives, and guiding principles for the team. Here's why this is crucial:
* Clear Vision and Mission:
  * Defining the mission statement and objectives at the start ensures alignment within the organization and clarifies the C4E's role in supporting API-led development and integration practices.
* Guiding Principles:
  * Establishing guiding principles will help the C4E maintain consistent practices and strategies across projects. This serves as a framework for decisions and fosters shared understanding among IT leaders and stakeholders.
* Explanation of Correct Answer (A):
  * By prioritizing the C4E's objectives and mission, the organization builds a solid foundation, paving the way for subsequent meetings focused on technical standards, processes, and operating models.
* Explanation of Incorrect Options:
  * Option B (API monetization) and Option C (common services best practices) are specific topics better suited for later discussions.
  * Option D (specifying the operating model) is an important step but typically follows the establishment of the C4E's objectives and vision.
References: For more on C4E objectives and foundational setup, refer to MuleSoft's documentation on establishing a C4E and the roles and mission statements recommended for such initiatives.


NEW QUESTION # 107
An organization has several APIs that accept JSON data over HTTP POST. The APIs are all publicly available and are associated with several mobile applications and web applications.
The organization does NOT want to use any authentication or compliance policies for these APIs, but at the same time, is worried that some bad actor could send payloads that could somehow compromise the applications or servers running the API implementations.
What out-of-the-box Anypoint Platform policy can address exposure to this threat?

  • A. Shut out bad actors by using HTTPS mutual authentication for all API invocations
  • B. Apply a Header injection and removal policy that detects the malicious data before it is used
  • C. Apply a JSON threat protection policy to all APIs to detect potential threat vectors
  • D. Apply an IP blacklist policy to all APIs; the blacklist will include all bad actors

Answer: C

Explanation:
Correct answer: Apply a JSON threat protection policy to all APIs to detect potential threat vectors
*****************************************
>> Usually, if the APIs are designed and developed for specific consumers (known consumers/customers) then we would IP Whitelist the same to ensure that traffic only comes from them.
>> However, as this scenario states that the APIs are publicly available and being used by so many mobile and web applications, it is NOT possible to identify and blacklist all possible bad actors.
>> So, JSON threat protection policy is the best chance to prevent any bad JSON payloads from such bad actors.


NEW QUESTION # 108
What is a key requirement when using an external Identity Provider for Client Management in Anypoint Platform?

  • A. The application network must include System APIs that interact with the Identity Provider
  • B. Single sign-on is required to sign in to Anypoint Platform
  • C. To invoke OAuth 2.0-protected APIs managed by Anypoint Platform, API clients must submit access tokens issued by that same Identity Provider
  • D. APIs managed by Anypoint Platform must be protected by SAML 2.0 policies

Answer: C

Explanation:
https://www.folkstalk.com/2019/11/mulesoft-integration-and-platform.html
To invoke OAuth 2.0-protected APIs managed by Anypoint Platform, API clients must submit access tokens issued by that same Identity Provider
*****************************************
>> It is NOT necessary that single sign-on is required to sign in to Anypoint Platform because we are using an external Identity Provider for Client Management
>> It is NOT necessary that all APIs managed by Anypoint Platform must be protected by SAML 2.0 policies because we are using an external Identity Provider for Client Management
>> It is NOT TRUE that the application network must include System APIs that interact with the Identity Provider because we are using an external Identity Provider for Client Management
The only TRUE statement in the given options is: "To invoke OAuth 2.0-protected APIs managed by Anypoint Platform, API clients must submit access tokens issued by that same Identity Provider"
References:
https://docs.mulesoft.com/api-manager/2.x/external-oauth-2.0-token-validation-policy
https://blogs.mulesoft.com/dev/api-dev/api-security-ways-to-authenticate-and-authorize/


NEW QUESTION # 109
What is a key requirement when using an external Identity Provider for Client Management in Anypoint Platform?

  • A. The application network must include System APIs that interact with the Identity Provider
  • B. Single sign-on is required to sign in to Anypoint Platform
  • C. To invoke OAuth 2.0-protected APIs managed by Anypoint Platform, API clients must submit access tokens issued by that same Identity Provider
  • D. APIs managed by Anypoint Platform must be protected by SAML 2.0 policies

Answer: C

Explanation:
Explanation/Reference: https://www.folkstalk.com/2019/11/mulesoft-integration-and-platform.html


NEW QUESTION # 110
......