Availability by Gateway

Policy Availability

Policy	Flex Gateway	Mule Gateway	Summary
A2A Agent Card	✓		Rewrites the Agent card URL to match the server instance public URL
A2A PII Detector	✓		Detects personally identifiable information (PII) in requests sent to the agent
A2A Prompt Decorator	✓		Decorates prompts with context information
A2A Schema Validation	✓		Validates Agent requests to ensure they conform to the A2A specification
AWS Lambda	✓		Allows access based on the basic authorization mechanism, with user-password defined on LDAP
Basic Authentication: LDAP	✓	✓	Allows access based on the basic authorization mechanism, with user-password defined on LDAP
Basic Authentication: Simple	✓	✓	Allows access based on the basic authorization mechanism, with a single user-password
Client ID Enforcement	✓	✓	Allows access only to authorized client applications
Circuit Breaker	✓		Prevents an upstream from receiving too many requests or connections
Credential Injection Basic Authentication	✓		Injects a basic authorization header into outgoing requests
Credential Injection OAuth 2.0	✓		Injects an OAuth 2.0 authorization header into outgoing requests
Cross-Origin Resource Sharing (CORS)	✓	✓	Enables access to resources residing in external domains
Detokenization		✓	Returns a tokenized value to its original value
External Authorization	✓		Authenticates requests by using an external gRPC or HTTP authorization service
External Processing	✓		Sends the incoming HTTP requests or outgoing HTTP responses to an external gRPC service for additional processing
Header Injection	✓	✓	Adds headers to a request or a response
Header Removal	✓	✓	Removes headers from a request or a response
Health Check	✓		Monitors API upstream health at specific intervals
HTTP Caching	✓	✓	Caches HTTP responses from an API implementation
IP Allowlist	✓	✓	Allows a list or range of specified IP addresses to request access
IP Blocklist	✓	✓	Blocks a single IP address or a range of IP addresses from accessing an API endpoint
JSON Threat Protection	✓	✓	Protects against malicious JSON in API requests
JWT Validation	✓	✓	Validates a JWT
MCP Attribute-Based Access Control	✓		Controls access to tools, resources, and prompts based on user information such as Tiers, IP, Headers, or Claims
MCP Schema Validation	✓		Validates MCP requests to ensure they conform to the MCP specification
MCP Support	✓		Adds MCP support to a Flex Gateway MCP server instance. This policy is required for your MCP server instance to function properly.
Message Logging	✓	✓	Logs custom messages using information from incoming requests, responses from the backend, or information from other policies applied to the same API endpoint
OAuth 2.0 Access Token Enforcement Using Mule OAuth Provider		✓	Allows access only to authorized client applications
OAuth 2.0 Token Introspection	✓		Allows access only to authorized client applications
OpenAM OAuth 2.0 Token Enforcement		✓	Allows access only to authorized client applications
OpenID Connect OAuth 2.0 Access Token Enforcement	✓	✓	Allows access only to authorized client applications
PingFederate OAuth 2.0 Token Enforcement		✓	Allows access only to authorized client applications
Rate Limiting	✓	✓	Monitors access to an API by defining the maximum number of requests processed within a period of time
Rate Limiting: SLA-based	✓	✓	Monitors access to an API by defining the maximum number of requests processed within a timespan, based on SLAs
Response Timeout	✓		Sets the maximum duration Flex Gateway waits for a response from an upstream service
Schema Validation	✓		Validates incoming traffic against a supplied OAS3 schema
SSE Logging	✓		Logs every SSE event while streaming
Stream Idle Timeout	✓		Sets the maximum duration a stream can remain idle without receiving a request or response
Spike Control	✓	✓	Regulates API traffic
Traffic Management for Multiple Upstream Services	✓		Manages API instance traffic to multiple upstream services from a single consumer endpoint
Traffic Management for Multiple Upstream Services (Weighted)	✓		Manages API instance traffic to multiple upstream services from a single consumer endpoint, using weighted percentages
Transport Layer Security (TLS) - Inbound	✓		Enables authentication between a client and the API proxy
Transport Layer Security (TLS) - Outbound	✓		Enables two-way authentication between the API proxy and an upstream service
Tokenization		✓	Transforms sensitive data into a nonsensitive equivalent, named token
Upstream Idle Timeout	✓		Sets the maximum duration a stream between Flex Gateway and an upstream service can remain idle
XML Threat Protection		✓	Protects against malicious XML in API requests

Policy

Flex Gateway

Mule Gateway

Summary

A2A Agent Card

✓

Rewrites the Agent card URL to match the server instance public URL

A2A PII Detector

✓

Detects personally identifiable information (PII) in requests sent to the agent

A2A Prompt Decorator

✓

Decorates prompts with context information

A2A Schema Validation

✓

Validates Agent requests to ensure they conform to the A2A specification

AWS Lambda

✓

Allows access based on the basic authorization mechanism, with user-password defined on LDAP

Basic Authentication: LDAP

✓

Allows access based on the basic authorization mechanism, with user-password defined on LDAP

Basic Authentication: Simple

✓

Allows access based on the basic authorization mechanism, with a single user-password

Client ID Enforcement

✓

Allows access only to authorized client applications

Circuit Breaker

✓

Prevents an upstream from receiving too many requests or connections

Credential Injection Basic Authentication

✓

Injects a basic authorization header into outgoing requests

Credential Injection OAuth 2.0

✓

Injects an OAuth 2.0 authorization header into outgoing requests

Cross-Origin Resource Sharing (CORS)

✓

Enables access to resources residing in external domains

Detokenization

✓

Returns a tokenized value to its original value

External Authorization

✓

Authenticates requests by using an external gRPC or HTTP authorization service

External Processing

✓

Sends the incoming HTTP requests or outgoing HTTP responses to an external gRPC service for additional processing

Header Injection

✓

Adds headers to a request or a response

Header Removal

✓

Removes headers from a request or a response

Health Check

✓

Monitors API upstream health at specific intervals

HTTP Caching

✓

Caches HTTP responses from an API implementation

IP Allowlist

✓

Allows a list or range of specified IP addresses to request access

IP Blocklist

✓

Blocks a single IP address or a range of IP addresses from accessing an API endpoint

JSON Threat Protection

✓

Protects against malicious JSON in API requests

JWT Validation

✓

Validates a JWT

MCP Attribute-Based Access Control

✓

Controls access to tools, resources, and prompts based on user information such as Tiers, IP, Headers, or Claims

MCP Schema Validation

✓

Validates MCP requests to ensure they conform to the MCP specification

MCP Support

✓

Adds MCP support to a Flex Gateway MCP server instance. This policy is required for your MCP server instance to function properly.

Message Logging

✓

Logs custom messages using information from incoming requests, responses from the backend, or information from other policies applied to the same API endpoint

OAuth 2.0 Access Token Enforcement Using Mule OAuth Provider

✓

Allows access only to authorized client applications

OAuth 2.0 Token Introspection

✓

Allows access only to authorized client applications

OpenAM OAuth 2.0 Token Enforcement

✓

Allows access only to authorized client applications

OpenID Connect OAuth 2.0 Access Token Enforcement

✓

Allows access only to authorized client applications