WSO2 Plugin
The Treblle WSO2 SDK integrates with WSO2’s API Handler chain (AbstractHandler) to intercept API requests and responses inside the gateway. By running after the APIAuthenticationHandler and APIMgtUsageHandler, it has access to enriched context including tenant domain, application info, subscriber data, and API publisher. It operates asynchronously to ensure zero impact on API performance.
Supported Versions
WSO2 API Manager Version
Maven Profile | APIM Version | Synapse Version
WSO2 API Manager 4.0.x
Profile: wso2am-4.0 | APIM: 9.0.0 | Synapse: 4.0.0-wso2v100
WSO2 API Manager 4.1.x
Profile: wso2am-4.1 | APIM: 9.1.0 | Synapse: 4.0.0-wso2v102
WSO2 API Manager 4.2.x
Profile: wso2am-4.2 | APIM: 9.2.0 | Synapse: 4.0.0-wso2v103
WSO2 API Manager 4.3.x (Default)
Profile: wso2am-4.3 | APIM: 9.29.120 | Synapse: 4.0.0-wso2v105
WSO2 API Manager 4.4.x
Profile: wso2am-4.4 | APIM: 9.31.0 | Synapse: 4.0.0-wso2v106
WSO2 API Manager 4.6.x
Profile: wso2am-4.6 | APIM: 9.32.147 | Synapse: 4.0.0-wso2v262
Note
The extension uses Maven profiles to support multiple WSO2 versions with a single codebase. By default, it builds for WSO2 APIM 4.3.x.
Overview
How It Works
- Request Capture — Intercepts incoming API requests, capturing headers, body, IP, method, path, and enriched properties (tenant, application, user, publisher)
- Response Capture — Captures response data including status code, headers, body, and load time
- Async Processing — Adds captured data to a bounded in-memory queue (non-blocking)
- Worker Threads — Background threads dequeue events and send them to Treblle
- Data Masking — Automatically masks sensitive fields before transmission
Key Features
- Non-blocking: Never blocks or slows down API requests, even on failures
- Thread-safe: Uses concurrent queues and atomic operations
- Load-balanced: Distributes traffic across multiple Treblle endpoints
- Sensitive data masking: Automatically redacts passwords, tokens, credit cards, etc.
- Multi-tenant support: Filter by tenant domains
- Enriched context: Captures application name, user ID, API publisher, and tenant domain
- Configurable: Queue size, worker threads, custom endpoints, and masking rules
Prerequisites
Before you begin, ensure you have:
- WSO2 API Manager: Version 4.0.x or higher
- Java: Version 8 or higher
- Maven: Version 3.x (for building from source)
- Treblle Account: With SDK token and API key (Get started )
Build from Source
Building for Default Version (WSO2 APIM 4.3.x)
mvn clean installThe JAR artifact will be created in the target/ directory as treblle-wso2-3.0.0.jar.
Building for Specific WSO2 Versions
# For WSO2 APIM 4.0.x
mvn clean install -P wso2am-4.0
# For WSO2 APIM 4.1.x
mvn clean install -P wso2am-4.1
# For WSO2 APIM 4.2.x
mvn clean install -P wso2am-4.2
# For WSO2 APIM 4.3.x (default)
mvn clean install -P wso2am-4.3
# For WSO2 APIM 4.4.x
mvn clean install -P wso2am-4.4
# For WSO2 APIM 4.6.x
mvn clean install -P wso2am-4.6All profiles produce the same JAR name: treblle-wso2-3.0.0.jar.
Build All Versions at Once
mvn clean install -P wso2am-4.0,wso2am-4.1,wso2am-4.2,wso2am-4.3,wso2am-4.4,wso2am-4.6Caution
Ensure you deploy the correct JAR artifact that matches your WSO2 API Manager version.
Installation
Step 1: Deploy the JAR
Copy the built JAR to your API Manager gateway:
cp target/treblle-wso2-3.0.0.jar <APIM_HOME>/repository/components/lib/Replace <APIM_HOME> with your WSO2 API Manager installation directory (e.g., /opt/wso2am-4.3.0).
Step 2: Configure the Handler
Add the Treblle handler to <APIM_HOME>/repository/resources/api_templates/velocity_template.xml.
Find the handlers section with the SchemaValidator and add the Treblle handler after it:
## check and set enable schema validation
#if($enableSchemaValidation)
<handler class="org.wso2.carbon.apimgt.gateway.handlers.security.SchemaValidator"/>
#end
## Treblle API Observability Handler Injection
#if( $apiObj.additionalProperties.get("treblle_enabled") == "true" )
<handler class="com.treblle.wso2publisher.handlers.APILogHandler">
#set($treblleMaskKw = $apiObj.additionalProperties.get("treblle_mask_keywords"))
#if( $treblleMaskKw && "$treblleMaskKw" != "" )
<property name="treblleMaskKeywords" value="$util.escapeXml($treblleMaskKw)"/>
#end
#set($treblleDisableBody = $apiObj.additionalProperties.get("treblle_disable_response_body"))
#if( $treblleDisableBody && "$treblleDisableBody" != "" )
<property name="treblleDisableResponseBody" value="$util.escapeXml($treblleDisableBody)"/>
#end
</handler>
#end
</handlers>Note
The treblle_enabled condition means the handler is only injected for APIs that have the treblle_enabled custom property set to true in the WSO2 Publisher portal. This gives you per-API opt-in control rather than enabling Treblle globally for all APIs.
Step 3: Configure Logging
Add the following to <APIM_HOME>/repository/conf/log4j2.properties:
Note
This enables Treblle extension logs in the default wso2carbon.log. You can create a custom appender for separate log files if needed.
# Add treblle_publisher to the loggers list (find the existing loggers line and append)
loggers = treblle_publisher, AUDIT_LOG, ...
# Add these lines at the end of the file
logger.treblle_publisher.name = com.treblle.wso2publisher
logger.treblle_publisher.level = INFO
logger.treblle_publisher.appenderRef.CARBON_LOGFILE.ref = CARBON_LOGFILEStep 4: Set Environment Variables
Before starting the WSO2 API Manager, configure the required environment variables.
Caution
Set these environment variables before starting WSO2. Changes require a restart to take effect.
For macOS/Linux:
export TREBLLE_SDK_TOKEN=your-sdk-token
export TREBLLE_API_KEY=your-api-key
export TREBLLE_GATEWAY_URL="https://your-gateway.com" # Optional
export TREBLLE_QUEUE_SIZE=20000 # Optional
export TREBLLE_WORKER_THREADS=1 # Optional
export ADDITIONAL_MASK_KEYWORDS=customToken,apiSecret # Optional
export TREBLLE_ENABLED_TENANT_DOMAINS=carbon.super # OptionalFor Windows:
set TREBLLE_SDK_TOKEN=your-sdk-token
set TREBLLE_API_KEY=your-api-key
set TREBLLE_GATEWAY_URL=https://your-gateway.com
set TREBLLE_QUEUE_SIZE=20000
set TREBLLE_WORKER_THREADS=1
set ADDITIONAL_MASK_KEYWORDS=customToken,apiSecret
set TREBLLE_ENABLED_TENANT_DOMAINS=carbon.superStep 5: Start WSO2 API Manager
cd <APIM_HOME>/bin
./api-manager.sh # or api-manager.bat on WindowsCheck the logs to verify the extension loaded successfully:
tail -f <APIM_HOME>/repository/logs/wso2carbon.log | grep -i treblleConfiguration Reference
Environment Variable
Configuration Details
TREBLLE_SDK_TOKEN
Your Treblle SDK token (REQUIRED) - Authentication token for Treblle service
TREBLLE_API_KEY
Your Treblle API key (REQUIRED) - Project identifier
TREBLLE_GATEWAY_URL
Custom Treblle endpoint URL (Optional) - Default: Auto load-balanced endpoints
TREBLLE_QUEUE_SIZE
Maximum in-memory queue size for events (Optional) - Default: 20000
TREBLLE_WORKER_THREADS
Number of background worker threads (Optional) - Default: 1
ADDITIONAL_MASK_KEYWORDS
Additional fields to mask (comma-separated, Optional) - Example: Authorization,X-API-Key,token
TREBLLE_ENABLED_TENANT_DOMAINS
Tenant domains to monitor (comma-separated, Optional) - Default: All domains
Default Masked Keywords
The following keywords are automatically masked in headers and request/response bodies:
password,pwd,secret,password_confirmationcc,card_number,ccvssn,credit_score
Use ADDITIONAL_MASK_KEYWORDS to add more sensitive fields (e.g., Authorization,X-API-Key,token).
Per-API Masking Keywords
In addition to global masking, you can define masking keywords on a per-API basis through WSO2 API custom properties. This allows each API to have its own set of sensitive fields masked, on top of the global defaults.
How to configure:
- Open the WSO2 Publisher portal
- Navigate to your API and go to Properties
- Add a custom property:
- Name:
treblle_mask_keywords - Value: Comma-separated field names (e.g.,
ssn,dob,account_number)
- Name:
- Save and re-deploy the API
Note
Per-API keywords are merged with (not replacing) the global defaults. They are cached by API UUID for performance and are never included in the JSON payload sent to Treblle.
Disabling Response Body Capture Per API
You can prevent the response body from being sent to Treblle on a per-API basis. This is useful for large responses, PII concerns, or compliance requirements.
How to configure:
- Open the WSO2 Publisher portal
- Navigate to your API and go to Properties
- Add a custom property:
- Name:
treblle_disable_response_body - Value:
true
- Name:
- Save and re-deploy the API
Note
When enabled, the response body is replaced with an empty JSON object ({}) and the response size is set to 0 before sending to Treblle. The response body field is always present in the payload (never omitted).
Per-API Configuration Cache
Both treblle_mask_keywords and treblle_disable_response_body are resolved once per API and cached in memory to avoid re-parsing MessageContext properties on every request.
Property
Value
Cache key
API UUID
TTL
5 minutes (write-based expiry)
Max entries
1000 APIs
Tip
After you update a custom property on an API in the WSO2 Publisher portal and redeploy, the change will take effect within 5 minutes as the old cache entry expires. No gateway restart is required. If an API UUID is not available in the MessageContext, caching is skipped and the properties are resolved fresh on every request.
Custom Endpoint Configuration
Load Balancing (Default Behavior):
If TREBLLE_GATEWAY_URL is NOT set, the extension automatically load-balances across Treblle’s endpoints:
https://rocknrolla.treblle.comhttps://punisher.treblle.comhttps://sicario.treblle.com
Custom Endpoint:
If TREBLLE_GATEWAY_URL is set, all data is sent to your specified endpoint:
export TREBLLE_GATEWAY_URL="https://custom-treblle.your-domain.com"Use cases for custom endpoints:
- On-premise Treblle installations
- Custom routing or proxy configurations
- Regional endpoints for compliance
- Development/testing environments
Tip
For production deployments, we recommend using the default load-balanced endpoints unless you have a specific need for a custom endpoint.
Troubleshooting
Extension Not Loading
Check logs in <APIM_HOME>/repository/logs/wso2carbon.log:
grep -i treblle wso2carbon.logVerify JAR location:
ls -la <APIM_HOME>/repository/components/lib/treblle-wso2-3.0.0.jarVerify velocity_template.xml configuration:
grep -i "treblle" <APIM_HOME>/repository/resources/api_templates/velocity_template.xmlEnsure the #if( $apiObj.additionalProperties.get("treblle_enabled") ... ) block and the handler entry are present in the handlers section after the SchemaValidator.
No Data in Treblle Dashboard
-
Verify environment variables are set:
echo $TREBLLE_SDK_TOKEN echo $TREBLLE_API_KEY -
Check for errors in logs:
grep -i "treblle.*error" wso2carbon.log -
Verify the API has
treblle_enabledset totruein its custom properties in the WSO2 Publisher portal, and that the API has been redeployed after setting the property. -
Verify tenant domain filtering (if using
TREBLLE_ENABLED_TENANT_DOMAINS):- Ensure your API’s tenant domain is in the allowed list
- Default tenant is usually
carbon.super
-
Check content type — Only
application/jsonrequests/responses are captured
Queue Full Errors
If you see “Event queue is full” errors in logs:
-
Increase queue size:
export TREBLLE_QUEUE_SIZE=50000 -
Add more worker threads:
export TREBLLE_WORKER_THREADS=2 -
Check network connectivity to Treblle endpoints:
curl -I https://rocknrolla.treblle.com curl -I https://punisher.treblle.com curl -I https://sicario.treblle.com
Memory Issues
If experiencing memory pressure:
- Reduce
TREBLLE_QUEUE_SIZE(default 20,000) - Reduce
TREBLLE_WORKER_THREADS(default 1) - Use
TREBLLE_ENABLED_TENANT_DOMAINSto filter which APIs are monitored
Getting Help
If you continue to experience issues:
-
Enable debug logging in
log4j2.properties:logger.treblle_publisher.level = DEBUG -
Verify credentials are correct in the Treblle dashboard
-
Test with a simple endpoint first before complex APIs
-
Check Treblle documentation for the latest updates
-
Contact support at support@treblle.com
Tip
That’s it! Your WSO2 API Manager is now integrated with Treblle. APIs with the treblle_enabled custom property set to true will be automatically captured and sent to your Treblle dashboard.