MuleSoft Certified Developer (MCD) - Level 2 Exam Questions 2026

MuleSoft Certified Developer (MCD) - Level 2 Exam Questions 2026 MuleSoft Certified Developer (MCD) - Level 2 Questions 2026 Contains 55+ exam questions to pass the exam in first attempt. SkillCertPro offers real exam questions for practice for all major IT certifications.  For a full set of 57 questions. Go to https://skillcertpro.com/product/mulesoft - certified - developer - mcd - level - 2 - exam - questions/  SkillCertPro offers detailed explanations to each question which helps to understand the concepts better.  It is recommended to score above 85% in SkillCertPro exams before attempting a real exam.  SkillCertPro updates exam questions every 2 weeks.  You will get life time access and life time free updates  SkillCertPro assures 100% pass guarantee in first attempt. Below are the free 10 sample questions. Question 1: Mule API uses Until Successful scope with an external REST - based API invocations to retry failed API calls. Try scope is used inside Until Successful to distingu ish transient HTTP error types from permanent ones – and NOT to retry the latter. Which HTTP error type are considered permanent and as such it should NOT be automatically retried? A. 502 Bad Gateway B. 408 Request Timeout C. 403 Forbidden D. 429 Too Many Requests Answer: C Explanation: 502 Bad Gateway Definition: The 502 (Bad Gateway) status code indicates that the server, while acting as a gateway or proxy, received an invalid response from a downstream server it accessed while attempting to fulfill the request. Common Causes:  Temporary downtime of the downstream server  Network failure  Upstream service issues Re try Behavior: It’s OK to retry the request with the same parameters after some time. Conclusion: HTTP 502 is not permanent → the original answer is incorrect General Comment HTTP response codes in the 5xx range should always be expected to signify a transient failure 408 Request Timeout Definition: The 408 (Request Timeout) status code indicates that the server did not receive a complete request message within the time it was prepar ed to wait. Retry Behavior: Usually temporary. The client may repeat the request. Conclusion: HTTP 408 is not permanent → the original answer is incorrect 429 Too Many Requests Definition: The 429 (Too Many Requests) st atus code indicates the user has sent too many requests in a given amount of time (rate limiting). Retry Behavior: It’s OK to retry the request with the same parameters after some time, as limits may reset. Conclusion: HTTP 429 is not permanent → the origi nal answer is incorrect 403 Forbidden Definition: The 403 (Forbidden) status code indicates that the server understands the request but refuses to authorize it. If authentication credentials were provided, the server c onsiders them insufficient to grant access. Retry Behavior: The client should not automatically repeat the request with the same credentials. Conclusion: HTTP 403 is considered permanent → the original answer is correct References  Error codes (RFC 9110): https://www.rfc - editor.org/rfc/rfc9110.html#name - status - codes  HTTP 429 documentation (MDN): https://developer.mozilla.org/en - US/docs/Web/HTTP/Status/429 Question 2: Mule API is configured with and protected by OAuth 2.0 Access Token Enforcement policy in API Manager. API administrator wants to configure the policy for token generation. Which of the following statements is true? A.Open the policy config panel. Locate “Generate Token(s)“ checkbox and ensure it‘s selected B. It‘s not possible because OAuth 2.0 Access Token Enforcement policy does not generate tokens. It only validates them. C. Token generation feature is available f or the Platinum license ONLY and is enabled by default - no action needed. For other licenses it‘s not available. D. Open the policy config panel. Locate “Access Token validation endpoint url“ parameter and add “&generateToken=true“ to the URL. Answer: B Explanation: The idea o f OAuth 2.0 Access Token Enforcement policy is to restrict access to a protected resource to only those HTTP(S) requests that provide a valid OAuth 2 token. The policy cannot generate tokens. It only validates them. Adding “&generateToken=true“ to validati on endpoint URL is pointless. “Generate Token(s)“ checkbox doesn‘t exists. Platinum license doesn‘t change anything with regard to token generation – it‘s still not available. The only correct answer is “OAuth 2.0 Access Token Enforcement policy does not g enerate tokens. It only validates them“ Reference: https://docs.mulesoft.com/policies/policies - included - oauth - access - token - enforcement Question 3 : A technical design requires two different Mule applications to exchange VM messages (inter - app communication) in clus tered environment. VM connector is expected to distribute load across a cluster. What conditions need to be met to make the communication working? Choose TWO answers. A. Shared VM queues have to be TRANSIENT B. Shared VM queues have to be PERSISTENT C. Ea ch application can define its own VM queues but the queue names MUST be the same D. Both applications have to be in the same domain Answer: B and D Explanation: Sharing VM Queues Across Mule Applications (Mule 4) Both Applications Must Be in the Same Domain Explanation: To share VM configuration, both applications must belong to the same domain project The shared VM configuration must be defined in the domain’s mule - domain - config.xml Reference Topics:  Shared Reso urces Configuration  VM Connector – Send Messages Across Different Apps (Mule 4) Conclusion: ✅ This answer is correct Each Application Defines Its Own VM Queue (Same Name) Explanation: This is incorrect Simply using the same queue name in different application configs is not enough Correct Approach:  Define one shared VM configuration in the domain project ( mule - domain - config.xml )  Associate both applications with the same domain Conclusion: ❌ This answer is incorrect Shared VM Queues Must Be PERSISTENT Explanation: To exchange messages between Mule runtimes in a clustered environment , VM queues must be persistent Persistence is backed by an in - memory grid When a new message is sent t o the VM queue:  The cluster selects which node receives it  This enables load balancing across nodes Conclusion: ✅ This answer is correct Shared VM Queues Must Be TRANSIENT Explanation: Transient queues are not designed for clustered environments and cannot be used to reliably exchange messages across runtimes. Conclusion: ❌ This answer is incorrect References  VM Connector – Publish Across Apps: https://docs.mulesoft.com/vm - connector/2.0/vm - publish - across - apps  Define Shared Resources: https://docs.mulesoft.com/mule - runtime/4.4/shared - resources#define - shared - resources  HA Clusters – Queues: https://docs.mulesoft.com/mule - runtime/4.4/mule - high - availability - ha - clusters#queues Question 4 : Order Experience API can notify its clients about order cancellations by performing a HTTP POST request to callback endpoint exposed by the API client. API client has to be notified about an order cancellation ri ght after it happens. POST body is as follows (example): 123456 CLIENT_CANCEL How is such a callback endpoint called? A. Event streaming B. Webhook C. Polling D. Back - pressure Answer: B Explanation: Integration Patterns – Definitions & Correct Answer Webhook Definition: A webhook is a unique URL exposed by the API client to receive information from an API provider (server) without polling The server automatically calls this URL (usually with a payload) when a specified event occurs (e.g ., order cancellation). Polling Definition: Polling involves periodically making requests to a system to check for new events or data. If new data is found or an event occurs, the response contains the new data in its payload. Event Streaming Definition: Event streaming means a constant flow of data , where each message contains information about an event or a change of state. Back Pressure Definition: Back pressure is a technique MuleSoft uses to handle high load when the Mule runtime doesn’t have enough resources to process incoming events. Reference: https://docs.mulesoft.com/mule - runtime/4.2/execution - engine#backpressure Fi nal Conclusion The scenario described above clearly uses webhooks ✅ Correct answer: Webhook ❌ Incorrect answers: Back Pressure, Event Streaming, Polling Question 5 : An operation in XML SDK module can consist of: A. Parameters, Body, Ou tput, Exceptions B. Parameters, Body, Output, Errors C. Input, Body, Output, Errors D. Properties, Body, Output, Errors Answer: B Explanation: XML SDK Module – Operation Structure An XML SDK module’s operation consists of the following sections: 1. Parameters Declaration of types to be entered when the operation is called. Parameters can have attributes such as:  name  defaultValue  type  role  etc. 2. Body Similar to a Mule flow. Contains a chain of components to be executed. 3. Output Declaration of the module’s output type. This defines the payload type after the body’s processing is finished. 4. Errors Explicitly declares which errors the module can raise. Notes  The list of operation sections ends here.  Properties are global configuration elements and apply to the entire module — not to a single operation.  Exceptions and Input are fictitious in this context. Final Answer ✅ Correct answer: Parameters, Body, Output, Errors ❌ Incorrect answers: The other 3 options are incorrect. Reference  XML SDK Basics: https://docs.mulesoft.com/mule - sdk/1.1/xml - sdk#xml - sdk - basics  For a full set of 57 questions. Go to https://skillcertpro.com/product/mulesoft - certified - developer - mcd - level - 2 - exam - questions/  SkillCertPro offers detailed explanations to each question which helps to understand the concepts better.  It is recommended to score above 85% in SkillCertPro exams before attempting a real exam.  SkillCertPro updates exam questions every 2 weeks.  You will get life time access and life time free updates  SkillCertPro assures 100% pass guarantee in first attempt. Question 6 : What is possible when using Object Store v2 REST API? Choose THREE valid answ ers A. Remove object store B. Store a Key - Value of any size C. One app deployed to CloudHub can access the object store of another CloudHub app D. Retrieve statistics on object store usage Answer: A, C and D Explanation: Object Store v2 – Capabilities & Limitations Remove Object Store Description: Object Store v2 REST API allows both key – value removal and entire store removal Example REST call: DELETE https://{{HOST}}/api/v1/organizations/{organizationId}/environments/{environm entId}/stores/{storeId} Reference: See the Exchange portal (link in the Refere nces section below). Conclusion: ✅ This answer is correct Retrieve Statistics on Object Store Usage Description: Object Store v2 Stats API enables retrieval of comprehensive statistics on Object Store usage. These stat istics can be useful for billing purposes Reference: See the Object Store v2 REST APIs section (link in the References below). Conclusion: ✅ This answer is correct Access Another CloudHub App’s Object Store Description : It is possible to configure Object Store access from one CloudHub app to another CloudHub app via REST API. Best Practice Note: For app - to - app communication, MuleSoft recommends using Anypoint MQ instead of Object Store v2, which was not designed for this purpose. Conclusion: Although not recommended, this option is possible to configure → ✅ The answer is correct Store a Key – Value of Any Size Description: Object Store v2 REST API allows storing key – value pairs, but not of any size Each value has a hard limit of 10 MB , which applies to both:  Object Store Connector  REST API Conclusion: ❌ This answer is incorrect Referenc es  Object Store v2 APIs: https://docs.mulesoft.com/object - store/osv2 - apis  CloudHub app access to another app’s Object Store: https://docs.mulesoft.com/object - store/osv2 - faq#can - an - app - deployed - to - cloudhub - access - the - object - store - of - another - cloudhub - app  Object Store size limits: https://docs.mulesoft.com/object - store/osv2 - faq#what - are - the - limits - on - an - object - store  Exchange portal (Object Store v2): https://anypoint.mulesoft.com/exchange/portals/anypoint - platform/f1e97bc6 - 315a - 4490 - 82a7 - 23abe036327a.anypoi nt - platform/object - store - v2/ Question 7 : Which options are TRUE with regard to Object Stores? Choose TWO answers A. Object Store can be configured to support transactions (all - or - nothing) B. Mule Runtime 4x supports both Object Store V1 and V2 - depending on configuration C. By default all Mule apps can access Object Store which is persistent and can be used without spe cifying an objectStore attribute D. Both GLOBAL Object Store and PRIVATE Object Store are supported Answer: C and D Explanation: Mule Object Store – Key Concepts & Validations Global and Private Object Stores Are Supported An Object Store can be defined once as part of the global configuration and shared across multiple components. Such a global Object Store can be referenced using the objectStore parameter. Example (conceptual):  Glo bal Object Store → reusable by multiple components  Private Object Store → created locally for a single component Private Object Store Notes: A private Object Store does not have a referable name, so it cannot be manipulated by other components Conclusion: ✅ This answer is correct Object Store Supports Transactions (All - or - Nothing) Explanation: Object Store does not support transactional access This is one of its known limitations. Conclusion: ❌ This answer is incorrec t Default Persistent Object Store Is Available to All Mule Apps Explanation: By default, each Mule app has an Object Store predefined. It is:  Persistent  Available without any explicit configuration  Usable by operations such as store , retrieve , etc., without specifying the objectStore attribute Local Persistence Location: /.mule/<app - name>/objectstore/ Conclusion: ✅ This answer is correct Mule Runtime 4.x Supports Both Object Store V1 and V2 Explanation: Object Store V1 is deprecated and should not be used for new projects. Mule Runtime 4.x does not support Object Store V1 — only Object Store V2 is supported. Conclusion: ❌ This answer is incorrect References  Object Store Connector: https://docs.mulesoft.com/object - store - connector/1.2/  Defining a New Object Store: https://docs.mulesoft.com/object - store - connector/1.2/object - store - to - define - a - new - os  Types of Object Stores Explained: https://help.mulesoft.com/s/article/The - Different - Types - of - Object - Stores - Explained Question 8 : Mule Soft - based API connects to a downstream system via HTTPS using self - signed certificate. Support team has been notified that the self - signed certificate of MuleSoft - based API will be no longer accepted by the downstream system. Only CA - signed certificates w ill be accepted. The team is asked to take appropriate action to ensure business continuity. What actions should be performed? A. Locate keystore file used in TLS configuration. Send the keystore to CA for signing. Once the keystore is sent back - update TLS configuration B. Ensure that “Insecure“ option is selected for the keystore. It will force the downstream system to accept the self - signed certificate C. Export certificate to CSR file. Send the file to CA for signing. Import singed certificate to keys tore. D. Convert keystore file to PKCS12 as this format is always considered as trusted. Answer: C Explanation: TLS / Keystore Configuration – Correct vs Incorrect Approaches Ensure that “Insecure” Option Is Selected Explanation: This is incorrect The “Insecure” option applies to truststores , not keystores If enabled, the client accepts all server certificates (in cluding self - signed ones) without validation , which is insecure and not what you want for proper TLS configuration. Conclusion: ❌ This answer is incorrect Convert Keystore File to PKCS12 So It’s Always Trusted Explanati on: Converting a keystore from one format to another does not solve trust issues If the certificate is not CA - signed , it still won’t be accepted by the downstream system. Example conversion command (for reference): keytool - importkeystore \ - srckeystore KEYSTORE.jks \ - destkeystore KEYSTORE.p12 \ - srcstoretype JKS \ - deststoretype PKCS12 \ - deststorepass PASSWORD_PKCS12 Conclusion: ❌ This answer is incorrect Send the Keystore to a CA for Signing Explanation: This is incorrect and unsafe Keystore files contain private keys , which must never leave the server Conclusion: ❌ This answer is incorrect Export Certificate to CSR, Send to CA, Import Signed Certificate Back Explanation: This is the standard and correct procedure for obtaining a CA - signed certificate: 1. Export a CSR (Certificate Signing Request) from the keystore 2. Send the CSR to the Certification Authority (CA) 3. Receive the signed certificate 4. Import the signed certificate back into the keystore Conclusion: ✅ This answer is correct Reference  TLS Keystore Generation (Mule 4.4): https://docs.mulesoft.com/mule - runtime/4.4/tls - configuration#k eystore - generation Question 9 : What are poss ible ways to change the Correlation ID of a Mule event? Choose TWO correct answers: A. Custom API policy with HTTP Policy Transform Extension B. Tracing Module C. Header Injection Policy D. Correlation ID Generator Answer: B and D Explanation: Ways to Modify the Mule Event Correlation ID Tracing Module – “With CorrelationID” Scope Explanation: The “With CorrelationID” scope of the Tracing module enables modifying the c orrelation ID of the Mule event during the execution of that scope. Conclusion: ✅ This answer is correct Correlation ID Generator Explanation: MuleSoft generates a new correlation ID (a random uuid() by default) when a new Mule event is created. You can override this behavior and provide your own correlation ID value by configuring a Correlation ID Generator To do this:  Add the Correlation ID Generator component to your application  Set the correlationIdGeneratorExpression accordingly Conclusion: ✅ This answer is correct Header Injection Policy Explanation: This policy allows adding new HTTP headers, but it does not change the Mule event’s correlation ID You can set a new X - CORRELATION - ID header to any value you want, but you will still see standard UUIDs as the Mule event correlation ID. Why? Because the Mule event is generated before the Header Injection Policy is applied. Conclusion: ❌ This answer is i ncorrect Custom API Policy with HTTP Policy Transform Extension Explanation: Using a custom policy with the HTTP Policy Transform Extension, you can add:  HTTP request headers  HTTP response headers However, this only affects HTTP headers , not the Mule event correlation ID itself. This is the same limitation as the Header Injection Policy. Conclusion: ❌ This answer is incorrect References  Modify the Correlation ID Generator: https://docs.mulesoft.com/mule - runtime/4.4/correlation - id#modify - the - correlation - id - generator  Tracing Module – With CorrelationID: https://docs.mulesoft.com/tracing - module/1.0/tracing - module - with - correlationid  Custom HTTP Transform Policies: https://docs.mulesoft.com/gateway/1.1/policies - custom - http - transform  Correlation ID Enforcement Policy (GitHub): https://git hub.com/mulesoft - catalyst/correlation - id - enforcement - policy  Header Injection Policy Not Setting Mule Correlation ID: https://help.mulesoft.com/s/article/Header - Injection - policy - not - setting - Mule - corellationId - when - setting - x - correlation - id