
Salesforce Certified MuleSoft Platform Architect (Mule-Arch-201) Exam - Topic 4 Question 24 Discussion

Actual exam question for Salesforce's Salesforce Certified MuleSoft Platform Architect (Mule-Arch-201) exam
Question #: 24
Topic #: 4

An API is protected with a Client ID Enforcement policy and uses the default configuration. Access is requested for the client application to the API, and an approved contract now exists between the client application and the API.

How can a consumer of this API avoid a 401 error "Unauthorized or invalid client application credentials"?

Suggested Answer: C

When using the Client ID Enforcement policy with default settings, MuleSoft expects the client_id and client_secret to be provided in the URI parameters of each request. This policy is typically used to control and monitor access by validating that each request has valid credentials. Here's how to avoid a 401 Unauthorized error:

URI Parameters Requirement:

The default configuration for the Client ID Enforcement policy requires the client_id and client_secret to be included in each request's URI parameters. This is a straightforward way to authenticate API requests without additional configurations.

Why Option C is Correct:

Providing client_id and client_secret in the URI parameters meets the policy's requirements for each request, ensuring authorized access and avoiding the 401 error.

Explanation of Incorrect Options:

Option A (sending a token in the header) would be applicable for token-based authentication (like OAuth 2.0), not Client ID Enforcement.

Option B (request body) and Option D (header) are not valid locations for client_id and client_secret under the default configuration of Client ID Enforcement, which expects them in the URI.

Reference: For more details, consult MuleSoft's documentation on Client ID Enforcement policies and expected request configurations.
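Because the answer above places client_id and client_secret in the URI of every request, those values are recorded wherever request URIs are logged, such as access logs. The following is an added example, not part of the original page and not MuleSoft code: a Python sketch that flags and masks these two parameters in access-log lines. The log format, function names and sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names come from the explanation above; matching is case-insensitive.
SENSITIVE = {"client_id", "client_secret"}
MASK = "REDACTED"

# Assumed log format: a quoted request line of the form "METHOD target HTTP/x.y".
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')


def redact_target(target: str) -> str:
    """Return the request target with credential query parameters masked."""
    parts = urlsplit(target)
    if not parts.query:
        return target
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, MASK if k.lower() in SENSITIVE else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


def redact_log_line(line: str) -> str:
    """Mask credentials in the request line of one access-log entry."""
    def _sub(m):
        return f'"{m["method"]} {redact_target(m["target"])} {m["proto"]}"'
    return REQUEST_LINE.sub(_sub, line)


def find_exposed(lines):
    """Return indexes of log lines whose URI carries a client_secret parameter."""
    hits = []
    for i, line in enumerate(lines):
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        if any(k.lower() == "client_secret" for k, _ in parse_qsl(query, keep_blank_values=True)):
            hits.append(i)
    return hits


# Constructed sample access-log lines (not from any real system).
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2026:10:00:00 +0000] "GET /api/orders?client_id=abc123&client_secret=s3cr3t&page=2 HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2026:10:00:01 +0000] "GET /api/health HTTP/1.1" 200 2',
    '203.0.113.9 - - [01/Jan/2026:10:00:02 +0000] "GET /api/orders?Client_Secret=x%26y&client_id=abc123 HTTP/1.1" 401 87',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(redact_log_line(line))
```

Running `find_exposed` over existing logs shows which entries already hold a secret and therefore which credentials should be rotated; `redact_log_line` is meant for the log pipeline going forward.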


Jerry
3 months ago
Agreed, A is the standard practice for API authentication.
upvoted 0 times
...
Lorriane
3 months ago
Isn't it risky to send client_secret in the request body?
upvoted 0 times
...
Ulysses
3 months ago
Wait, are we sure C is a bad idea? URI parameters can expose credentials!
upvoted 0 times
...
Laila
4 months ago
I think D is better, headers are more secure for sensitive info.
upvoted 0 times
...
Cristy
4 months ago
A is definitely the way to go, always send the token in the header!
upvoted 0 times
...
Charlesetta
4 months ago
I vaguely recall that sending credentials as URI parameters can expose them in logs, so I think that’s not a good idea. I’d lean towards option D instead.
upvoted 0 times
...
Gwen
4 months ago
I’m a bit confused about whether sending client_id and client_secret in the body is secure enough. I feel like headers are generally preferred for sensitive data.
upvoted 0 times
...
Marnie
4 months ago
I think we discussed something similar in class where we had to send credentials in the header. I feel like option A might be the right choice.
upvoted 0 times
...
Lonna
5 months ago
I remember that sending the token in the header is a common practice, but I'm not sure if that's the only way to avoid the 401 error.
upvoted 0 times
...
Mammie
5 months ago
The question states that the API is using the default configuration for the Client ID Enforcement policy, so the best way to avoid the 401 error is to send the obtained token as a header in every call. This is the most secure and recommended approach.
upvoted 0 times
...
Brigette
5 months ago
I'm not entirely sure about this one. Should I be sending the client_id and client_secret in the header or the request body? I want to make sure I understand the right approach before submitting my answer.
upvoted 0 times
...
Galen
5 months ago
Based on the question, the API is using a Client ID Enforcement policy, so the correct answer is to send the obtained token as a header in every call. This is the standard way to authenticate with an API protected by this type of policy.
upvoted 0 times
...
Rocco
5 months ago
Hmm, I'm a bit confused. Do I need to send the client_id and client_secret in the request body or as URI parameters? I'm not sure which one is the right approach.
upvoted 0 times
...
Niesha
5 months ago
The key here is to send the obtained token as a header in every call. That's the correct way to authenticate with the API and avoid the 401 error.
upvoted 0 times
...
Micah
1 year ago
Wait, we're not supposed to send the client secret as a URI parameter? But that's how I've been doing it all this time! No wonder my API has been getting 'hacked' daily.
upvoted 0 times
Joanne
11 months ago
B) Send the obtained: client_id and client_secret in the request body
upvoted 0 times
...
Dewitt
12 months ago
A) Send the obtained token as a header in every call
upvoted 0 times
...
...
Sunshine
1 year ago
Ah, the age-old dilemma of client credentials vs. token-based authentication. I'd say A is the way to go, unless you want your API to be hacked faster than a celebrity's Twitter account.
upvoted 0 times
Gabriele
12 months ago
User 2: Agreed, it's the most secure way to avoid unauthorized access.
upvoted 0 times
...
Jamal
12 months ago
User 1: I think sending the obtained token as a header is the best option.
upvoted 0 times
...
...
Elfrieda
1 year ago
B and C seem like they're just giving away the client secret, which is a big no-no. A is the way to go, no doubt.
upvoted 0 times
Vicky
11 months ago
User2: Got it, thanks for the clarification
upvoted 0 times
...
Gwenn
11 months ago
User3: User1 is right, A is the way to go to avoid exposing client_secret
upvoted 0 times
...
Junita
12 months ago
User2: B) Send the obtained: client_id and client_secret in the request body
upvoted 0 times
...
Ardella
12 months ago
User1: A) Send the obtained token as a header in every call
upvoted 0 times
...
...
Lasandra
1 year ago
Hmm, I'm torn between A and D. I guess I'll go with A, it sounds like the more straightforward option.
upvoted 0 times
Lamonica
11 months ago
Antonio: Definitely, it's important to ensure the client application credentials are valid.
upvoted 0 times
...
Dean
12 months ago
User 3: I agree, it's the most straightforward option to avoid a 401 error.
upvoted 0 times
...
Antonio
1 year ago
User 2: Yeah, sending the token as a header in every call seems like the best choice.
upvoted 0 times
...
Jospeh
1 year ago
User 1: I think option A is the way to go.
upvoted 0 times
...
...
Tiffiny
1 year ago
I'm not sure, but I think sending client_id and client_secret in the header makes sense for security reasons.
upvoted 0 times
...
Sherita
1 year ago
I think the answer is A. Sending the obtained token as a header in every call is the correct way to avoid a 401 error.
upvoted 0 times
German
1 year ago
User2: Yes, you're right. That's the way to go to prevent unauthorized access.
upvoted 0 times
...
Kimbery
1 year ago
User1: I think the answer is A. Sending the obtained token as a header in every call is the correct way to avoid a 401 error.
upvoted 0 times
...
...
Maybelle
1 year ago
I disagree, I believe the correct answer is D) Send the obtained client_id and client_secret in the header of every API Request call.
upvoted 0 times
...
Matthew
1 year ago
I think the answer is A) Send the obtained token as a header in every call.
upvoted 0 times
...
