Response Templates

Why use response templates?

A static mock always returns the same body regardless of what the client sent. Response templates let the mock react to the incoming request — echoing a request field back in the response, generating a unique ID, or returning different data depending on a query parameter. This makes a single expectation cover an entire family of requests without enumerating every combination.

For example, a Mustache template can echo the requested user ID straight back in the response body:

{
  "httpRequest":  { "path": "/users/{id}" },
  "httpResponseTemplate": {
    "templateType": "MUSTACHE",
    "template": "{\"id\": \"{{request.pathParameters.id.[0]}}\", \"name\": \"User {{request.pathParameters.id.[0]}}\"}"
  }
}

Templates are evaluated at request time, so the response is always fresh. See the sections below for the full template format reference, available variables, and helper objects.

Response Templates

MockServer supports dynamic response templates that generate responses based on request data, built-in variables, and helper objects. The following template features are supported:

• Template Formats — three template engines, each with different trade-offs:
  • Mustache — simple syntax, conditional logic, JsonPath and XPath extraction
  • Velocity — Apache Velocity engine with conditionals, loops, math, and JSON/XML body parsing
  • JavaScript — full ES2023+ JavaScript via the GraalVM Polyglot engine (requires the graaljs Docker image variant or adding GraalVM Polyglot dependencies to the classpath)
• Templates in JSON Initializer Files — defining templates in JSON expectation files
• Loading Templates From Files — reference a template stored in a separate file with templateFile
• Templating A Response Body File — render a FILE response body as a template with templateType
• Response Template Testing — test templates locally using ResponseTemplateTester
• Request Model Variables — access request fields (method, path, headers, body, etc.) in templates
• Multi-Value And Single Value Maps — access headers, parameters, and cookies by key, entry set, values, or key set
• Dynamic Model Variables — timestamps, UUIDs, random integers, and random bytes
• Template Helper Objects — rich helper objects available in all template formats:
  • JWT Helper — generate signed JWTs and JWKS for testing OAuth2/OIDC flows
  • String Helper — trim, capitalize, URL/Base64 encode/decode, substring, replace
  • JSON Transform Helper — merge, sort, extract fields, add/remove elements, pretty-print
  • Date Helper — date formatting, arithmetic, and epoch conversion
  • Calc Helper — random numbers, rounding, min/max, abs, ceil/floor, number formatting
  • Crypto Helper — MD5, SHA-1, SHA-256, SHA-512 digests and HMAC-SHA-256 signatures, all as lowercase hex
  • Regex Helper — test patterns, capture groups, and replace substrings using Java regex
  • HTML Helper — escape and unescape HTML entities
  • CSV Helper — parse CSV text into rows and format a row back to CSV
  • XPath Helper — evaluate an XPath expression against an XML document (XXE-safe)
  • YAML Helper — convert YAML to JSON and read a field from a YAML document
• Security Considerations — restrict the Java classes templates can reach via velocityDisallowClassLoading and javascriptDisallowedClasses

Template Feature Overview

The table below is a one-look index of every template feature on this page. Click the link in the Section column to jump straight to the reference.

Templates in JSON Initializer Files

When defining response templates in JSON expectation initializer files (loaded via MOCKSERVER_INITIALIZATION_JSON_PATH), newlines within template strings must be represented as \\n because JSON does not support multi-line string values. For example:

{
  "httpRequest": {
    "path": "/some/path"
  },
  "httpResponseTemplate": {
    "templateType": "MUSTACHE",
    "template": "{ 'statusCode': 200, 'body': 'line1\\nline2' }"
  }
}

Complex multi-line templates can become difficult to read and maintain in JSON format. For templates with significant logic or formatting, consider using a class-based ExpectationInitializer instead. A Java class initializer allows you to define templates as normal multi-line strings and provides full IDE support for editing and debugging.

See initializing expectations for details on both JSON and class-based initializers.

Loading Templates From Files

Instead of embedding the template inline, the template can be stored in a separate file and referenced with templateFile (a path resolved from the classpath or the filesystem). This keeps large templates out of the expectation JSON and lets you edit them with proper syntax highlighting. If both template and templateFile are provided, the inline template takes precedence.

{
  "httpRequest": {
    "path": "/some/path"
  },
  "httpResponseTemplate": {
    "templateType": "MUSTACHE",
    "templateFile": "templates/some_response.mustache"
  }
}

The same templateFile option is available on httpForwardTemplate for templated request forwarding.

Templating A Response Body File

A static response can already serve its body from a file using a FILE body (see creating expectations). To make that file dynamic, add a templateType of MUSTACHE or VELOCITY — the file contents are then rendered as a template against the request before being returned as the response body. The status code, headers, and content type still come from the static response, while only the body file is templated:

{
  "httpRequest": {
    "path": "/some/path"
  },
  "httpResponse": {
    "statusCode": 200,
    "body": {
      "type": "FILE",
      "filePath": "responses/order.json",
      "templateType": "MUSTACHE",
      "contentType": "application/json"
    }
  }
}

With the body file responses/order.json containing template placeholders, for example:

{ "method": "", "path": "" }

Body-file templating uses the text-based engines (MUSTACHE and VELOCITY) because they render text directly. JavaScript templates build a full response object rather than a text fragment, so for JavaScript use an httpResponseTemplate (optionally with templateFile) instead.

Response Template Testing

To test response templates locally is it possible to use the org.mockserver.templates.ResponseTemplateTester for fast feedback and iteration

mustache templates can be tested locally as follows:

// inputs
String template = "{\n" +
    "    'statusCode': 200,\n" +
    "    'body': \"{'method': '{{ request.method }}', 'path': '{{ request.path }}', 'headers': '{{ request.headers.host.0 }}'}\"\n" +
    "}";
HttpRequest request = request()
    .withPath("/somePath")
    .withMethod("POST")
    .withHeader(HOST.toString(), "mock-server.com")
    .withBody("some_body");

// execute
HttpResponse httpResponse = ResponseTemplateTester.testMustacheTemplate(template, request);

// result
System.out.println("httpResponse = " + httpResponse);

velocity templates can be tested locally as follows:

// inputs
String template = "{\n" +
    "    'statusCode': 200,\n" +
    "    'body': \"{'method': '$request.method', 'path': '$request.path', 'headers': '$request.headers.host[0]'}\"\n" +
    "}";
HttpRequest request = request()
    .withPath("/somePath")
    .withMethod("POST")
    .withHeader(HOST.toString(), "mock-server.com")
    .withBody("some_body");

// execute
HttpResponse httpResponse = ResponseTemplateTester.testVelocityTemplate(template, request);

// result
System.out.println("httpResponse = " + httpResponse);

javascript templates can be tested locally as follows:

// inputs
String template = "return {\n" +
    "    'statusCode': 200,\n" +
    "    'body': '{\\'method\\': \\'' + request.method + '\\', \\'path\\': \\'' + request.path + '\\', \\'headers\\': \\'' + request.headers.host[0] + '\\'}'\n" +
    "};";
HttpRequest request = request()
    .withPath("/somePath")
    .withMethod("POST")
    .withHeader(HOST.toString(), "mock-server.com")
    .withBody("some_body");

// execute
HttpResponse httpResponse = ResponseTemplateTester.testJavaScriptTemplate(template, request);

// result
System.out.println("httpResponse = " + httpResponse);

Request Model Variables

All templates formats have access to the following request fields

• method

  mustache:

  {{ request.method }}

  velocity:

  $!request.method

  javascript:

  request.method

• path

  mustache:

  {{ request.path }}

  velocity:

  $!request.path

  javascript:

  request.path

• path parameters  (see below for multi-value map access patterns)

  mustache:

  {{ request.pathParameters.<key>.<index> }}

  velocity:

  $!request.pathParameters[<key>][<index>]

  javascript:

  request.pathParameters[<key>][<index>]

• path regex capture groups  (when the expectation matched the request path with a regular expression containing capture groups; pathGroups is 1‑based, so index 0 is the whole match and index 1 is the first capture group, and is empty when the matched path had no capture groups. Path‑parameter {name} captures are exposed via pathParameters instead, so a path mixing {name} templates with regex (...) groups does not populate pathGroups.)

  mustache:

  {{ request.pathGroups.<index> }}

  velocity:

  $!request.pathGroups[<index>]

  javascript:

  request.pathGroups[<index>]

• named path regex capture groups  (Java named groups (?<name>...) in the matched path regex, keyed by name; empty when the matched path had no named groups)

  mustache:

  {{ request.namedPathGroups.<name> }}

  velocity:

  $!request.namedPathGroups.<name>

  javascript:

  request.namedPathGroups.<name>

• query string parameters  (see below for multi-value map access patterns)

  mustache:

  {{ request.queryStringParameters.<key>.<index> }}

  velocity:

  $!request.queryStringParameters[<key>][<index>]

  javascript:

  request.queryStringParameters[<key>][<index>]

• headers  (see below for multi-value map access patterns)

  mustache:

  {{ request.headers.<key>.<index> }}

  velocity:

  $!request.headers[<key>][<index>]

  javascript:

  request.headers[<key>][<index>]

• cookies  (see below for single-value map access patterns)

  mustache:

  {{ request.cookies.<key> }}

  velocity:

  $!request.cookies[<key>]

  javascript:

  request.cookies[<key>]

• body

  request.body returns the raw request body as a string. To access individual fields within a JSON body, use JsonPath (Mustache), $json.parse() (Velocity), or JSON.parse() (JavaScript) as shown in the examples below.

  mustache:

  {{ request.body }}

  velocity:

  $!request.body

  javascript:

  request.body

• secure

  mustache:

  {{ request.secure }}

  velocity:

  $!request.secure

  javascript:

  request.secure

• client certificate chain

  During TLS connections MockServer requests clients to optionally present certificates i.e. optional mTLS.
  If the client presents certificates this field is populated with a list of the clients certificates.
  Each item in the list contains the following fields:

  • issuerDistinguishedName as a string
  • subjectDistinguishedName as a string
  • serialNumber as a string
  • signatureAlgorithmName as a string
  • certificate as a java.security.cert.X509Certificate

  mustache:

  {{ request.clientCertificateChain }}

  velocity:

  $!request.clientCertificateChain

  javascript:

  request.clientCertificateChain

• remote address

  The address of the TCP connection to MockServer; typically the client's address, unless there is a NAT device or load balancer between the client and MockServer.

  mustache:

  {{ request.remoteAddress }}

  velocity:

  $!request.remoteAddress

  javascript:

  request.remoteAddress

• keep alive

  True is the client requested HTTP keep alive.

  mustache:

  {{ request.keepAlive }}

  velocity:

  $!request.keepAlive

  javascript:

  request.keepAlive

Request Multi-Value And Single Value Maps

The request variable contains the follow multi-value maps fields:

• request.headers
• request.pathParameters
• request.queryStringParameters

The request variable contains the follow single-value maps fields:

• request.cookies

These multi-value or single-value maps can be accessed in the following ways:

• values by key

  mustache:

  {{ request.headers.<key>.<index> }} {{ request.queryStringParameters.<key>.<index> }} {{ request.headers.<key>.<index> }}

  velocity:

  $!request.pathParameters[<key>][<index>] $!request.queryStringParameters[<key>][<index>] $!request.headers[<key>][<index>]

  javascript:

  request.pathParameters[<key>][<index>] request.queryStringParameters[<key>][<index>] request.headers[<key>][<index>]

• entries as set

  each entry has a key and a value field
  for multi-value maps the value is a list
  for single-value maps the value is a string

  mustache:

  {{ request.pathParameters.entrySet }} {{ request.queryStringParameters.entrySet }} {{ request.headers.entrySet }}

  velocity:

  $!request.pathParameters.entrySet $!request.queryStringParameters.entrySet $!request.headers.entrySet

  javascript:

  not available

• values as list

  mustache:

  {{ request.pathParameters.values }} {{ request.queryStringParameters.values }} {{ request.headers.values }}

  velocity:

  $!request.pathParameters.values $!request.queryStringParameters.values $!request.headers.values

  javascript:

  for (pathParameterKey in request.pathParameters) { var values = request.pathParameters[pathParameterKey]; } for (queryStringParameterKey in request.queryStringParameters) { var values = request.queryStringParameters[queryStringParameterKey]; } for (headerKey in request.headers) { var values = request.headers[headerKey]; }

• keys as set

  mustache:

  {{ request.pathParameters.keySet }} {{ request.queryStringParameters.keySet }} {{ request.headers.keySet }}

  velocity:

  $!request.pathParameters.keySet $!request.queryStringParameters.keySet $!request.headers.keySet

  javascript:

  for (pathParameterKey in request.pathParameters) { // ... } for (queryStringParameterKey in request.queryStringParameters) { // ... } for (headerKey in request.headers) { // ... }

Dynamic Model Variables

All templates formats also have access to the following built-in dynamic variables. They return unique values each time they are used.

Tip: for deterministic testing, you can freeze or control the server clock so that date/time variables (now_iso_8601, now_epoch, now_rfc_1123) and the dates helper return predictable values.

• date & time in ISO-8601 i.e. 2011-12-03T10:15:30Z

  mustache:

  {{ now_iso_8601 }}

  velocity:

  $!now_iso_8601

  javascript:

  now_iso_8601

• unix epoch, the number of seconds that have elapsed since January 1, 1970

  mustache:

  {{ now_epoch }}

  velocity:

  $!now_epoch

  javascript:

  now_epoch

• date & time in RFC 1123 i.e. Tue, 3 Jun 2008 11:05:30 GMT

  mustache:

  {{ now_rfc_1123 }}

  velocity:

  $!now_rfc_1123

  javascript:

  now_rfc_1123

• uuid as string

  mustache:

  {{ uuid }}

  velocity:

  $!uuid

  javascript:

  uuid

• random integer between 0 and 9 inclusive

  mustache:

  {{ rand_int_10 }}

  velocity:

  $!rand_int_10

  javascript:

  rand_int_10

• random integer between 0 and 99 inclusive

  mustache:

  {{ rand_int_100 }}

  velocity:

  $!rand_int_100

  javascript:

  rand_int_100

• random data 16 bytes long

  mustache:

  {{ rand_bytes_16 }}

  velocity:

  $!rand_bytes_16

  javascript:

  rand_bytes_16

• random data 32 bytes long

  mustache:

  {{ rand_bytes_32 }}

  velocity:

  $!rand_bytes_32

  javascript:

  rand_bytes_32

• random data 64 bytes long

  mustache:

  {{ rand_bytes_64 }}

  velocity:

  $!rand_bytes_64

  javascript:

  rand_bytes_64

• random data 128 bytes long

  mustache:

  {{ rand_bytes_128 }}

  velocity:

  $!rand_bytes_128

  javascript:

  rand_bytes_128

Template Helper Objects

In addition to the simple dynamic variables above, all template formats have access to helper objects that provide rich functionality for string manipulation, JSON processing, date/time arithmetic, math operations, JWT generation, and realistic fake data generation. These helpers are accessed as objects with methods.

JWT Helper (jwt)

Generates signed JSON Web Tokens (JWTs) and JSON Web Key Sets (JWKS) for testing OAuth2/OIDC flows. Tokens are signed with RS256 (RSA with SHA-256) using an auto-generated key pair.

Usage examples:

• Mustache: {{ jwt }} (generates a default JWT) or {{ jwt.jwks }}
• Velocity: $jwt.generate() or $jwt.jwks()
• JavaScript: jwt.generate() or jwt.jwks()

String Helper (strings)

Provides string manipulation functions useful for transforming request data in response templates.

Usage examples:

• Velocity: $strings.uppercase($!request.method)
• JavaScript: strings.base64Encode(request.body)

JSON Transform Helper (jsonTransform)

Provides JSON manipulation functions for merging, sorting, and extracting data from JSON strings. Named jsonTransform to avoid collision with Velocity's built-in $json (JsonTool).

Usage examples:

• Velocity: $jsonTransform.field($!request.body, "username")
• JavaScript: jsonTransform.merge(request.body, '{"status":"processed"}')

Date Helper (dates)

Provides date/time arithmetic and formatting functions. All times are UTC-based.

Usage examples:

• Velocity: $dates.plusHours(1) (token expiry 1 hour from now)
• JavaScript: dates.format("yyyy-MM-dd")
• Mustache: {{ dates }} (outputs current ISO-8601 timestamp via toString)

Calc Helper (calc)

Provides mathematical functions for generating random numbers, rounding, and formatting. Named calc to avoid collision with Velocity's built-in $math (MathTool).

Usage examples:

• Velocity: $calc.randomInt(1, 1000)
• JavaScript: calc.round(calc.randomDouble(0.0, 100.0), 2)

Faker Helper (faker)

Generates realistic fake data for names, addresses, emails, phone numbers, and 250+ other categories using DataFaker. A single shared Faker instance is exposed as faker in all template engines. The instance is thread-safe and produces random values on each invocation.

Usage examples:

• Velocity: $faker.name().firstName() or $faker.internet().emailAddress()
• Mustache: {{ faker.name.firstName }} or {{ faker.internet.emailAddress }}
• JavaScript: faker.name().firstName() or faker.internet().emailAddress()

The full list of available providers (name, address, internet, company, finance, medical, etc.) is documented in the DataFaker providers reference.

Crypto Helper (crypto)

Computes cryptographic digests and HMAC signatures. All methods return lowercase hex strings. Use this to generate request signatures, verify webhook payloads, or add content-hashing headers in templated responses.

Usage examples:

• Velocity: $crypto.sha256($!request.body) (hash the request body into a response field)
• Mustache: {{ crypto.sha256 }} is not directly callable with arguments in Mustache — use Velocity or JavaScript when you need to pass a value to a crypto method
• JavaScript: crypto.hmacSha256("my-secret", request.body)

Regex Helper (regex)

Applies Java regular expressions to strings inside a template. Use this to extract captured groups from request data or rewrite parts of a value before including it in the response.

Usage examples:

• Velocity: $regex.group($!request.path, "/orders/([^/]+)", 1) (extract the order ID from the path)
• JavaScript: regex.replaceAll(request.headers["Authorization"][0], "^Bearer ", "") (strip the Bearer prefix from a token)
• Mustache: regex helper methods require arguments and cannot be invoked from Mustache — use Velocity or JavaScript instead

HTML Helper (html)

Escapes and unescapes HTML entities (HTML 4.0). Use this to safely embed request data in an HTML response body, or to recover the original text from an escaped value.

Usage examples:

• Velocity: $html.escape($!request.body) (safely embed the request body in HTML)
• JavaScript: html.unescape(request.queryStringParameters["q"][0])

CSV Helper (csv)

Parses CSV text into rows (each row a list of fields) and formats a list of fields back into a CSV line. Quoting and quote-doubling follow RFC 4180: fields containing a comma, double-quote, or newline are wrapped in double quotes and embedded quotes are doubled.

Usage examples:

• JavaScript: csv.parse(request.body)[0][1] (read the second field of the first CSV row)
• JavaScript: csv.row(["id","name","total"]) (build a CSV header line for a response)

XPath Helper (xpath)

Evaluates an XPath expression against an XML document and returns the string result. The XML parser disables DOCTYPE declarations and external entity resolution, so it is safe against XXE; an unparseable document or invalid expression yields "".

Usage examples:

• Velocity: $xpath.evaluate($!request.body, "/order/id") (extract an element from an XML request body)
• JavaScript: xpath.evaluate(request.body, "/order/@status") (read an attribute value)

YAML Helper (yaml)

Converts a YAML document to JSON and reads a top-level field out of a YAML document. Scalar fields are returned verbatim; object/array fields are returned as JSON.

Usage examples:

• Velocity: $yaml.toJson($!request.body) (turn a YAML request body into a JSON response)
• JavaScript: yaml.parse(request.body, "version")

Mustache Response Templates

The following shows a basic example for a mustache format response template

new ClientAndServer(1080)
    .when(request().withPath("/some/path"))
    .respond(
        template(
            HttpTemplate.TemplateType.MUSTACHE,
            "{\n" +
                "     'statusCode': 200,\n" +
                "     'cookies': {\n" +
                "          'session': '{{ request.headers.Session-Id.0 }}'\n" +
                "     },\n" +
                "     'headers': {\n" +
                "          'Client-User-Agent': [ '{{ request.headers.User-Agent.0 }}' ]\n" +
                "     },\n" +
                "     'body': '{{ request.body }}'\n" +
                "}"
        )
    );

Mustache Syntax

Variables

In mustache a variable is referenced using double braces, for example, {{ request.method }} will print the method field of the request variable.

{{ name }} will try to find the name key in the current model context; which can be changed, using sections, as described below.

If no matching field is found an empty string will be returned.

The following basic template example demonstrates using multiple variables:

{
  'statusCode': 200,
  'body': {
    'method': '{{ request.method }}',
    'path': '{{ request.path }}',
    'headers': '{{ request.headers.host.0 }}'
  }
}

Sections

Sections have the following uses:

• to change the model context
• as an if-else-statement
• to loop over arrays or iterables

A section begins with a tag starting with a pound and ends with a matching tag starting with a slash.

For example {{#request.cookies}} starts a request.cookies section and {{/request.cookies}} closes the section.

How a section behaves depends on the section's model variable as follows

• boolean values enable or disable the section like an if-statement; with unresolvable variables, null variables or empty strings all being treated as false
• arrays, iterators, and iterable variables cause the section to loop over each item; with empty collections never executing the section
• other objects result in a single execution of the section using the section's model variable as the context

The following example template demonstrates using a section to iterate the entrySet in the header map:

{
  'statusCode': 200,
  'body': "{'headers': '{{#request.headers.entrySet}}{{ key }}={{ value.0 }} {{/request.headers.entrySet}}'}"
}

And produces the following example output:

{
  "statusCode" : 200,
  "body" : "{'headers': 'host=mock-server.com content-type=plain/text '}"
}

Inverted Sections

An inverted section begins with a tag starting with a caret and ends with a matching tag starting with a slash.

For example {{^-first}} starts a -first section and {{/-first}} closes the section. This section therefore applies for all items in a list except the first item.

Inverted sections render once based on the inverse value of the key, they will be rendered if the key doesn't exist, is false, is an empty string, or is an empty list.

The following example template demonstrates using a section to iterate the entrySet in the header map using an inverted section and the special variable -first to add commas before all headers except the first:

{
  'statusCode': 200,
  'body': "{'headers': [{{#request.headers.entrySet}}{{^-first}}, {{/-first}}'{{ key }}={{ value.0 }}'{{/request.headers.entrySet}}]}"
}

And produces the following example output:

{
  "statusCode" : 200,
  "body" : "{'headers': ['host=mock-server.com', 'content-type=plain/text']}"
}

Special Variables

this

this refers to the context object itself such as the current item when iterating over a collection

-first and -last

You can use the special variables -first and -last when using collections.

-first resolves to true when inside a section on the first iteration, it resolves to false at all other times. It resolves to false for sections with a singleton value rather a collection.

-last resolves to true when inside a section on the last iteration, it resolves to false at all other times.

-index

The -index special variable resolves to 1 for the first iteration, 2 for the second so on. It resolves to 0 at all other times including sections with a singleton value rather a collection.

The following example template demonstrates using this and -first to list header values

{
    'statusCode': 200,
    'body': "{'headers': [{{#request.headers.values}}{{^-first}}, {{/-first}}'{{ this.0 }}'{{/request.headers.values}}]}"
}

And produces the following example output:

{
  "statusCode" : 200,
  "body" : "{'headers': ['mock-server.com', 'plain/text']}"
}

The following example template demonstrates using this, -first and -index to list header keys

{
    'statusCode': 200,
    'body': "{'headers': [{{#request.headers.keySet}}{{^-first}}, {{/-first}}'{{ -index }}:{{ this }}'{{/request.headers.keySet}}]}"
}

And produces the following example output:

{
  "statusCode" : 200,
  "body" : "{'headers': ['1:host', '2:content-type']}"
}

JsonPath

It is possible to use JsonPath expressions to extract values from request bodies containing JSON with a {{#jsonPath}} section, follow by a {{#jsonPathResult}} section

For details of the full JsonPath syntax please see github.com/json-path

The following example template demonstrates using {{#jsonPath}} follow by {{#jsonPathResult}} to extract a list and single value from a request body:

{
    'statusCode': 200,
    'body': "{'titles': {{#jsonPath}}$.store.book{{/jsonPath}}[{{#jsonPathResult}}{{^-first}}, {{/-first}}'{{title}}'{{/jsonPathResult}}], 'bikeColor': '{{#jsonPath}}$.store.bicycle.color{{/jsonPath}}{{jsonPathResult}}'}"
}

In this example the first JsonPath expression $.store.book returns a list of objects which is iterated over in the section {{#jsonPathResult}}.

The second JsonPath expression $.store.bicycle.color returns a single value which is returned using the variable tag {{jsonPathResult}}.

Given the following request:

{
  "path" : "/somePath",
  "body" : {
    "store" : {
      "book" : [ {
        "category" : "reference",
        "author" : "Nigel Rees",
        "title" : "Sayings of the Century",
        "price" : 18.95
      }, {
        "category" : "fiction",
        "author" : "Herman Melville",
        "title" : "Moby Dick",
        "isbn" : "0-553-21311-3",
        "price" : 8.99
      } ],
      "bicycle" : {
        "color" : "red",
        "price" : 19.95
      }
    },
    "expensive" : 10
  }
}

The example produces:

{
  "statusCode" : 200,
  "body" : "{'titles': ['Sayings of the Century', 'Moby Dick'], 'bikeColor': 'red'}"
}

XPath

It is possible to use XPath expressions to extract values from request bodies containing XML with a {{#xPath}} section.

The {{#xPath}} section only supports outputting the result of the XPath expression as a string, if an XML fragment is matched the string content of all the elements is printed.

For a quick summary the XPath syntax please see w3schools, for details of the full XPath syntax please see www.w3.org

The following example template demonstrates using {{#xPath}} to multiple items from a request body:

{
    'statusCode': 200,
    'body': "{'titles': ['{{#xPath}}/store/book/title{{/xPath}}', '{{#xPath}}//book[2]/title{{/xPath}}'], 'bikeColor': '{{#xPath}}//bicycle/color{{/xPath}}'}"
}

Given a request with the following xml body:

<?xml version="1.0" encoding="UTF-8" ?>
<store>
  <book>
    <category>reference</category>
    <author>Nigel Rees</author>
    <title>Sayings of the Century</title>
    <price>18.95</price>
  </book>
  <book>
    <category>fiction</category>
    <author>Herman Melville</author>
    <title>Moby Dick</title>
    <isbn>0-553-21311-3</isbn>
    <price>8.99</price>
  </book>
  <bicycle>
    <color>red</color>
    <price>19.95</price>
  </bicycle>
  <expensive>10</expensive>
</store>

The example produces:

{
  "statusCode" : 200,
  "body" : "{'titles': ['Sayings of the Century', 'Moby Dick'], 'bikeColor': 'red'}"
}

Velocity Response Templates

The following shows a basic example for a Velocity format response template

new ClientAndServer(1080)
    .when(request().withPath("/some/path"))
    .respond(
        template(
            HttpTemplate.TemplateType.VELOCITY,
            "{\n" +
                "     'statusCode': 200,\n" +
                "     'cookies': { \n" +
                "          'session': '$!request.headers['Session-Id'][0]'\n" +
                "     },\n" +
                "     'headers': {\n" +
                "          'Client-User-Agent': [ '$!request.headers['User-Agent'][0]' ]\n" +
                "     },\n" +
                "     'body': '$!request.body'\n" +
                "}"
        )
    );

Velocity Syntax

For full Velocity syntax see: Velocity User Guide the following section provide a basic summary and examples of Velocity syntax.

Variables

In velocity a variable is referenced using a dollar, for example, $request.method will print the method field of the request variable.

$name will try to find the name variable in the current model.

If no matching variable is found for the variable expression the expression is printed, unless a quiet expression notation is used as follows $!name

The following basic template example demonstrates using multiple variables:

{
  'statusCode': 200,
  'body': {
    'method': '$!request.method',
    'path': '$!request.path',
    'headers': '$!request.headers.host.0'
  }
}

Methods can also be called on variables, for example, $request.getMethod() will call the getMethod() method of the request variable.

New variables can be defined using a #set directive, for example, #set ($message="Hello World") will create a new variables call message.

Conditionals

Conditional expressions are possible using #if, #elseif and #else directives, as follows:

#if($request.method == 'POST' && $request.path == '/somePath')
    {
        'statusCode': 200,
        'body': "{'name': 'value'}"
    }
#else
    {
        'statusCode': 406,
        'body': "$!request.body"
    }
#end

Loops

Loops are possible using the #foreach directives, as follows:

{
    'statusCode': 200,
    'body': "{'headers': [#foreach( $value in $request.headers.values() )'$value[0]'#if( $foreach.hasNext ), #end#end]}"
}

The example produces:

{
  "statusCode" : 200,
  "body" : "{'headers': ['mock-server.com', 'plain/text']}"
}

Mathematical

In addition to the dynamic model variables it is possible to perform basic mathematical operations, as follows:

#set($percent = $number / 100)
#set($remainder = $dividend % $divisor)

A range operator is also supported which can be useful in conjunction with #set and #foreach

#set($array = [0..10])
#foreach($item in $arr)
    $item
#end

For additional mathematical functionality it is also possible to use the MathTool or NumberTool in velocity response templates.

#set($power = $math.pow($number, 2))
#set($max = $math.max($number, 10))

Json Bodies

The JsonTool can be used to help parse JSON bodies, as follows:

#set($jsonBody = $json.parse($!request.body))

{
    'statusCode': 200,
    'body': "{'titles': [#foreach( $book in $jsonBody.store.book )'$book.title'#if( $foreach.hasNext ), #end#end], 'bikeColor': '$jsonBody.store.bicycle.color'}"
}

Given the following request:

{
  "path" : "/somePath",
  "body" : {
    "type" : "JSON",
    "json" : {
      "store" : {
        "book" : [ {
          "category" : "reference",
          "author" : "Nigel Rees",
          "title" : "Sayings of the Century",
          "price" : 18.95
        }, {
          "category" : "fiction",
          "author" : "Herman Melville",
          "title" : "Moby Dick",
          "isbn" : "0-553-21311-3",
          "price" : 8.99
        } ],
        "bicycle" : {
          "color" : "red",
          "price" : 19.95
        }
      },
      "expensive" : 10
    }
  }
}

The example produces:

{
  "statusCode" : 200,
  "body" : "{'titles': ['Sayings of the Century', 'Moby Dick'], 'bikeColor': 'red'}"
}

XML Bodies

The XmlTool can be used to help parse XML bodies, execute XPath and XML traversal.

The following example shows how to use XmlTool for XPath:

#set($xmlBody = $xml.parse($!request.body))

{
    'statusCode': 200,
    'body': "{'key': '$xml.find('/element/key/text()')', 'value': '$xml.find('/element/value/text()')'}"
}

Given the following request:

{
  "path" : "/somePath",
  "body" : "<element><key>some_key</key><value>some_value</value></element>"
}

The example produces:

{
  "statusCode" : 200,
  "body" : "{'key': 'some_key', 'value': 'some_value'}"
}

JsonPath and XPath helpers

As a quicker alternative to $xml.parse() / $json.parse(), Velocity templates can extract a single value directly from the request body using the same JsonPath and XPath support as Mustache templates, via the $jsonPath and $xPath helpers:

{
    'statusCode': 200,
    'body': "{'title': '$jsonPath.find('$.store.book[0].title')', 'key': '$xPath.find('/element/key')'}"
}

$jsonPath.find(...) evaluates a JsonPath expression against a JSON request body and $xPath.find(...) evaluates an XPath expression against an XML request body. A missing path or invalid expression resolves to an empty value (the error is logged, not thrown), exactly as in Mustache templates.

Velocity Tools

The following velocity tools are available for velocity response templates:

• CollectionTool
• ComparisonDateTool
• DisplayTool
• EscapeTool
• MathTool
• NumberTool
• JsonTool
• XmlTool

JavaScript Response Templates

The following shows a basic example for a JavaScript format response template

new ClientAndServer(1080)
    .when(request().withPath("/some/path"))
    .respond(
        template(
            HttpTemplate.TemplateType.JAVASCRIPT,
            "return {\n" +
                "     'statusCode': 200,\n" +
                "     'cookies': {\n" +
                "          'session' : request.headers['session-id'][0]\n" +
                "     },\n" +
                "     'headers': {\n" +
                "          'Client-User-Agent': request.headers['User-Agent']\n" +
                "     },\n" +
                "     'body': request.body\n" +
                "};"
        )
    );

JavaScript Syntax

All javascript response templates should return the response as an object as shown in the example above.

JavaScript Engine Support

MockServer uses the GraalVM Polyglot JavaScript engine for JavaScript templates. The engine is not bundled with the standard Docker image or the standalone JAR. To use JavaScript templates, either run the graaljs Docker image variant (e.g. mockserver/mockserver:7.2.0-graaljs) or add org.graalvm.polyglot:polyglot and org.graalvm.polyglot:js to your classpath (see below). It supports ES2023+ syntax, including template literals, async/await, destructuring, optional chaining, and the full modern JavaScript language.

If you are embedding MockServer as a library and need JavaScript templating, add org.graalvm.polyglot:polyglot and org.graalvm.polyglot:js (both at version 25.0.3 or later) to your classpath. Nashorn (org.openjdk.nashorn:nashorn-core) is no longer supported; the JSR-223 bridge was dropped in GraalJS 25.x and Nashorn was removed from MockServer.

Variables

In javascript a variable is referenced directly, for example, request.method will return the method field of the request variable.

The following basic template example demonstrates using multiple variables:

return {
    'statusCode': 200,
    'body': '{\'method\': \'' + request.method + '\', \'path\': \'' + request.path + '\', \'header\': \'' + request.headers.host[0] + '\'}'
};

JsonPath and XPath helpers

As an alternative to JSON.parse(request.body), JavaScript templates can extract a single value directly from the request body using the same JsonPath and XPath support as Mustache templates, via the jsonPath(...) and xPath(...) functions:

return {
    'statusCode': 200,
    'body': '{\'title\': \'' + jsonPath('$.store.book[0].title') + '\', \'key\': \'' + xPath('/element/key') + '\'}'
};

jsonPath(...) evaluates a JsonPath expression against a JSON request body and xPath(...) evaluates an XPath expression against an XML request body. A missing path or invalid expression returns an empty value (the error is logged, not thrown), exactly as in Mustache templates.

Conditionals

Conditional expressions are possible, as follows:

if (request.method === 'POST' && request.path === '/somePath') {
    return {
        'statusCode': 200,
        'body': JSON.stringify({name: 'value'})
    };
} else {
    return {
        'statusCode': 406,
        'body': request.body
    };
}

Loops

Looping is possible, as follows:

var headers = '';
for (header in request.headers) {
  headers += '\'' + request.headers[header] + '\', ';
}
return {
    'statusCode': 200,
    'body': '{\'headers\': [' + headers.slice(0, -2) + ']}'
};

The example produces:

{
  "statusCode" : 200,
  "body" : "{'headers': ['mock-server.com', 'plain/text']}"
}

Security Considerations

Response templates execute code — a Velocity or JavaScript template can reach into the Java runtime and, unless restricted, call classes such as java.lang.Runtime, java.lang.ProcessBuilder, or java.lang.System. Treat template content as trusted code. If untrusted users can submit expectations (for example because the control plane is exposed), lock down what templates are allowed to do.

• Velocity — set velocityDisallowClassLoading to true to block class loading from within Velocity templates, preventing access to arbitrary Java classes.
• JavaScript — set javascriptDisallowedClasses to a comma-separated list of fully-qualified class names that JavaScript templates may not use. At a minimum, deny java.lang.Runtime, java.lang.ProcessBuilder, java.lang.System, java.lang.Class, and java.lang.ClassLoader so templates cannot spawn processes, read or alter system state, or load further classes by reflection.

See the configuration properties page for the full list of equivalent system-property, environment-variable, and Java API forms of these settings. To stop untrusted callers from registering templated expectations in the first place, also enable control plane authorisation.