API Gateway Runtime 2.2.1 Release Notes

API Gateway Runtime 2.2.1 includes bug fixes and the following enhancements:

  • Two new block definitions on the policies are defined: After and Before exception blocks.

    Similar to the functionality of HTTP after and before blocks, these blocks enhance the catch exception strategy of a flow without the need to modify it.

  • Increased security by upgrading Gatekeeper to v2.0.

    The enhancements include cluster support with improved performance, zero security gaps while the feature is in active mode, and small improvements in runtime startup when the feature is in active mode. Several corner cases have been fixed.

  • Several security risks are addressed, including XXe vulnerability.

  • Throttling algorithm improvements backported from v3.8.3. Old algorithm can be used instead of the new one by specifying the following system properties: throttling.compatibility_enabled

  • Performance improvements.


Software Version

Mule ESB Runtime




Anypoint Studio


Anypoint Runtime Manager



  • AGW-1041: Implement Gatekeeper synchronizing nodes through Hazelcast

  • AGW-1106: Add before-exception and after-exception injection points

  • AGW-958: Throttling/RateLimit - Migrate new algorithm to 2.2.x and 2.1.x

  • AGW-779: Enable order granularity at before and after level

Fixed in This Release

  • AGW-411: When GW is started in offline mode, when online again, it never communicates with portal again.

  • AGW-754: When on cluster, if quota manager is initialized n times, allocated quota is also reset n times.

  • AGW-755: Spring injected property is null when policy is applied.

  • AGW-759: Extended CORS :: wrong validation of headers.

  • AGW-806: When on cluster, QuotaManager should be always located on primary node.

  • AGW-813: When using Basic Auth policy with JDK7 and TLSv1 disabled, user authentication fails.

  • AGW-817: ThreatProtectionPolicies break app with DataWeave

  • AGW-835: Remove client secret from logs.

  • AGW-836: External Token Policy fails in OpenAM when scopes are configured.

  • AGW-866: Client ID enforcement policy returns 500 with multiple Client ID

  • AGW-869: Failed policies are not updated until runtime is restarted.

  • AGW-880: All policies are parsed for every deployed application.

  • AGW-881: Log detailed policy application time per app and policy polling time.

  • AGW-883: Support Mule parallel app deployment.

  • AGW-886: Moving client credentials logic to initialize breaks fast deploy.

  • AGW-904: Stop autodiscovery from updating API values.

  • AGW-911: Issue with 'api-platform-gw:api' and 'apikit:config'.

  • AGW-913: When applying Throttling SLA in Cluster only the polling node has access to the contracts DB.

  • AGW-919: Configure XML parsers to disable external entities.

  • AGW-924: Clients database is deleted after mule is shutdown

  • AGW-934: Existing policies are not re-applied after stopping and starting the API.

  • AGW-936: Small insecurity window when deploying app with Gatekeeper enabled.

  • AGW-941: RejectedExecutionException when throttling on cluster after application restart.

  • AGW-942: Backport Get Policies per API feature.

  • AGW-944: No quota manager is defined when throttling on cluster.

  • AGW-1014: When trying to track an API and return code is not 200, policies of that API are deleted.

Was this article helpful?

💙 Thanks for your feedback!