On this page:

Why we collect this

MockServer is free, open source, and maintained for the whole community. We collect a little anonymous usage data for one reason: to understand how the dashboard is actually used so we can make it better for everyone.

Knowing which features people genuinely rely on — and which ones they never reach, or struggle to find — lets us spend our limited maintainer time where it does the most good. Concretely, this data helps us:

  • Improve the most useful features — invest effort in the parts of the dashboard people use most, instead of guessing.
  • Maximise usability — spot where users hit errors or abandon a workflow, so we can smooth out the rough edges.
  • Avoid wasted work — retire or rethink features that aren't earning their keep, and prioritise the ones that deliver real value.
  • Benefit every MockServer user — every improvement we make from this feedback ships back to the community in the next open source release.

This is deliberately a good-faith, minimal measurement: it is anonymous, cookieless, carries none of your mock or request data (see below), and exists purely to help us build a more useful tool for the people who depend on it. If you'd still rather not take part, disabling it takes one click and changes nothing about how MockServer works for you — see How to disable.

When it's collected

Analytics is off by default and only ever runs in the official, pre-configured distributions — never in a plain build and never in local development. It is active only when MockServer is run from:

  • the official Docker images (docker-standard, docker-graaljs, docker-clustered),
  • the official Helm chart deployment, or
  • the official binary launcher bundles.

These artefacts are the only ones that ship with an analytics endpoint and key baked in. Everywhere else it stays completely inactive, with no events sent and no consent note shown:

  • the plain downloadable JAR,
  • any embedded / library / dependency use of MockServer,
  • local development, tests, and CI.

Even in the distributions where it is active, it is measured purely from the dashboard UI in your browser — it has nothing to do with the mock or proxy traffic flowing through MockServer — and it still respects every opt-out signal (Do Not Track, Global Privacy Control, the dashboard Opt out button, or the operator master switch). A small, one-line note appears in the dashboard the first time analytics becomes active, so you are always told it is on and can opt out at any time.

What is collected

When an operator enables analytics (by supplying a self-hosted PostHog endpoint and key), the dashboard may send a small set of coarse, anonymous usage events. No free-text values from your mocks, requests, or environment are ever included.

The four event types are:

EventWhen sentProperties carried
app_open Once per page load, after all activation gates pass App version, surface (browser or ide-embedded), colour theme (light / dark / system), artefact distribution label (docker-standard / docker-graaljs / docker-clustered / helm / binary / unknown) — set automatically by the official artefact, never by user input
view_change Each time you switch dashboard tab The tab name (e.g. traffic, composer, chaos)
feature_used When you trigger a specific feature action Feature name from a closed enumeration (e.g. expectation_created, chaos_started, load_run_started) and optionally a mode (quick or advanced)
error_shown When the dashboard displays an error to you A coarse category from a closed enumeration (load_failed, save_failed, connection_failed, validation_failed, unknown) — never an error message or stack trace

What is never collected

The analytics module is structurally incapable of sending the following data. Every public function accepts only values from a closed, whitelisted set — there is no code path that accepts a free-text string and forwards it to the analytics backend.

  • Request URLs, paths, query strings, or hostnames
  • Request or response headers (including Authorization, Cookie, or any other credential)
  • Request or response bodies
  • Expectation JSON, mock configurations, or scenario state
  • Server ports, IP addresses, or file paths
  • Error messages or stack traces
  • Any data from the mocked or proxied traffic passing through MockServer

Cookieless and cross-site identifier free

Analytics is initialised with PostHog's persistence: 'memory' option. This means:

  • No cookies are set.
  • No persistent identifier is written to localStorage or sessionStorage for tracking purposes.
  • Each page load is independent — there is no mechanism to correlate sessions or track an individual across visits.
  • PostHog autocapture and session recording are both disabled.

How to disable

There are three independent ways to disable analytics:

1. Operator: disable for the whole deployment

Set the dashboardAnalyticsEnabled configuration property to false. This is the authoritative master switch — when it is off, the analytics module never loads and the consent note is never shown, regardless of any other setting.

-Dmockserver.dashboardAnalyticsEnabled="false"
MOCKSERVER_DASHBOARD_ANALYTICS_ENABLED=false

Analytics is active only in the official Docker images (docker-standard, docker-graaljs, docker-clustered), Helm chart deployments, and the official binary launcher bundles — these artefacts have dashboardAnalyticsEndpoint and dashboardAnalyticsKey pre-configured. The plain downloadable JAR and any embedded / library / dependency use have both properties empty, so analytics is always inactive there regardless of any other setting.

2. Individual: opt out via the dashboard note

When analytics is active, a small one-line disclosure note appears in the dashboard on first use. Clicking Opt out records your choice in the browser's localStorage under the key mockserver.analytics.optOut, stops any in-flight PostHog capture immediately, and prevents analytics from running on any subsequent page load in that browser.

3. Individual: browser Do Not Track or Global Privacy Control

If your browser has Do Not Track (navigator.doNotTrack === '1') or Global Privacy Control (navigator.globalPrivacyControl === true) enabled, the analytics module detects this automatically during its activation check and becomes a permanent no-op for that page load — no events are sent and no note is shown.