The three-layer pattern
MuleSoft's API-led connectivity is deceptively simple:
Experience APIs ── purpose-built for one channel (mobile, portal, agent)
▲
Process APIs ── orchestrate business capability (Customer 360, Order)
▲
System APIs ── unlock a system of record (Salesforce, SAP, Workday)
Each layer has different SLAs, security, and ownership. Break the layering and you rebuild point-to-point spaghetti with a Mule logo on it.
A concrete example: order status
System API — SAP.orders v1
/orders/{id}:
get:
responses:
200: application/json # raw SAP payload, no business logic
Process API — customer-order-experience v1
/customers/{customerId}/orders/{orderId}:
get:
# joins SAP order + Salesforce case + Shopify tracking
responses:
200: !include order-summary.raml
Experience API — mobile.customer-app v1
/me/orders/{orderId}:
get:
# trims payload for mobile, returns 3 fields the UI actually renders
DataWeave 2.0 in practice
The moment you stop fighting DataWeave and let it do the transform, throughput doubles.
%dw 2.0
output application/json
---
{
orderId: payload.VBAK.VBELN,
status: payload.VBAK.GBSTK as String {class: "OrderStatus"},
lines: payload.VBAP map ((l) -> {
sku: l.MATNR,
quantity: l.KWMENG as Number,
price: l.NETWR as Number
})
}
Runtime choices in 2026
- CloudHub 2.0 — Kubernetes-based, per-app replicas, better cold-start
- Runtime Fabric on EKS/AKS — bring-your-own cluster, VPC-peered
- Anypoint Flex Gateway — Envoy-based, sits in front of any HTTP service, gives you Anypoint policies without rewriting the service
Pick Flex Gateway when 80% of your traffic is already non-Mule — it wraps existing REST APIs with OAuth, rate limits, and analytics in front of Node/Go/Java services.
Salesforce ↔ MuleSoft: the connector that matters
Composite API + Bulk API 2.0 through the Salesforce Connector will handle most write loads. For change data:
Salesforce CDC channel → Anypoint MQ → Consumer flow
(event-driven, no polling)
CDC replaces most Outbound Message + Apex Trigger patterns.
Non-negotiables
- Every API has a RAML/OAS spec published to Exchange before code
- Auto-discovery enabled — the runtime registers to API Manager on deploy
- Client ID Enforcement policy on every non-public API, per client app
- Cache scope with a TTL on any lookup-heavy System API call
- Contract tests in CI:
pactormunitper API, blocks merge
Common mistakes
- Business logic in System APIs
- One giant Process API instead of three domain-scoped ones
- No versioning strategy → breaking changes everywhere
- Ignoring
x-correlation-idpropagation → debugging is impossible
