
Mapbox Token Security
Configure Mapbox public, secret, and temporary tokens correctly so client maps work without leaking sk.* credentials.
Overview
mapbox-token-security is an agent skill most often used in Ship (also Build integrations) that enforces correct Mapbox pk, sk, and tk token handling and exposure rules.
Install
npx skills add https://github.com/mapbox/mapbox-agent-skills --skill mapbox-token-security
What is this skill?
- Token quick-reference table: Public pk.*, Secret sk.*, Temporary tk.* with exposure rules
- Critical never/always lists: no hardcoded tokens, no sk.* in browser, no logging tokens
- Environment-variable pattern (e.g. NEXT_PUBLIC_MAPBOX_TOKEN) plus .env in .gitignore
- Token selection decision tree by client vs server deployment context
- 3 token types documented: Public pk.*, Secret sk.*, Temporary tk.*
Adoption & trust: 895 installs on skills.sh; 64 GitHub stars; 3/3 security scanners passed (skills.sh audits).
What problem does it solve?
You are unsure which Mapbox token belongs in the browser versus the server, and you might commit or log credentials by habit.
Who is it for?
Solo developers shipping Mapbox in Next.js, SPAs, or mobile wrappers who need a clear token-type checklist.
Skip if: Non-Mapbox stacks or teams that already enforce centralized secret managers with automated rotation and no client-side maps.
When should I use this skill?
Adding or auditing Mapbox tokens in any app—before client map code merges and before production release.
What do I get? / Deliverables
You apply env-based pk tokens with URL restrictions on the client, sk tokens only in server code, and a gitignored secret layout before going live.
- Token type decision for each call site
- Env and .gitignore layout
- Dashboard URL restriction checklist
Recommended Skills
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Canonical shelf is Ship security because token exposure failures surface at deploy and production audit time, even though tokens are created during Build.
Secrets and appsec alignment: pk/sk/tk rules, env vars, .gitignore, URL restrictions, and never client-side secret tokens.
Where it fits
Pick pk.* for Search JS in the browser while reserving sk.* for a server geocoding proxy.
Pre-deploy review ensures no sk.* in bundles and .env files stay out of git.
Rotate a token after an accidental commit and reapply URL restrictions in the Mapbox dashboard.
How it compares
Focused Mapbox token hygiene guide—not a full OWASP pentest skill or generic .env linter.
Common Questions / FAQ
Who is mapbox-token-security for?
Indie builders and small teams using Mapbox GL or Search JS who must separate public and secret tokens across client and server.
When should I use mapbox-token-security?
In Build integrations when you first add Mapbox; again in Ship security before production deploy; and in Operate if you rotate or audit leaked tokens.
Is mapbox-token-security safe to install?
It is documentation-style guidance; still review Security Audits on this Prism page and never paste real sk.* values into agent chats.
Workflow Chain
Then invoke: mapbox search integration
SKILL.md - Mapbox Token Security
# Mapbox Token Security Guide

Quick reference for securing Mapbox access tokens. Critical security rules for token management.

## Token Types - Quick Reference

| Type | Format | Use | Can Expose? |
| --- | --- | --- | --- |
| **Public** | `pk.*` | Client-side, mobile apps | ✅ Yes (with URL restrictions) |
| **Secret** | `sk.*` | Server-side only | ❌ NEVER expose |
| **Temporary** | `tk.*` | One-time operations | ✅ Yes (expires in 1hr) |

## Critical Security Rules

### ❌ Never Do This

```javascript
// ❌ NEVER commit tokens
const MAPBOX_TOKEN = 'pk.eyJ1...'; // Don't hardcode!

// ❌ NEVER use secret tokens client-side (inline <script> or bundled JS)
mapboxgl.accessToken = 'sk.eyJ1...'; // Exposed to users!

// ❌ NEVER log tokens
console.log('Token:', token); // Shows in browser console

// ❌ NEVER share tokens in public repos
// .env file committed to GitHub
```

### ✅ Always Do This

```javascript
// ✅ Use environment variables
const MAPBOX_TOKEN = process.env.NEXT_PUBLIC_MAPBOX_TOKEN;

// ✅ Add URL restrictions to public tokens
// In Mapbox dashboard: Restrict to your domain(s)

// ✅ Use secret tokens only server-side
// server.js or API routes only

// ✅ Add .env to .gitignore
// .gitignore contents:
//   .env
//   .env.local
```

## Token Selection Decision Tree

**Question 1: Where will this token be used?**

- Client-side (browser/mobile) → Use **public token** (pk.\*)
- Server-side (API/backend) → Use **secret token** (sk.\*)
- One-time operation → Use **temporary token** (tk.\*)

**Question 2: What operations are needed?**

- Display maps only → Public token with `styles:tiles, styles:read`
- Upload/modify data → Secret token with write scopes
- Administrative tasks → Secret token with admin scopes

## Scope Management

### Public Token Scopes (Most Common)

```
✅ styles:tiles   - Display raster style tiles
✅ styles:read    - Read style specifications
✅ fonts:read     - Access Mapbox fonts
✅ datasets:read  - Read dataset data
```

### Secret Token Scopes (Server-Side Only)

```
⚠️ styles:write   - Create/modify styles
⚠️ styles:list    - List all styles
⚠️ tokens:write   - Create/modify tokens
⚠️ uploads:write  - Upload data
```

**Principle:** Grant minimum scopes needed. Don't use `styles:write` if only reading.

## URL Restrictions

**For all public tokens, always add URL restrictions:**

1. Go to Mapbox Dashboard → Access Tokens
2. Select token → URL Restrictions
3. Add allowed URLs:

```
http://localhost:*          # Development
https://yourdomain.com/*    # Production
https://*.yourdomain.com/*  # Subdomains
```

**Impact:** Prevents token abuse if exposed. Must do for production.

## Environment Variable Setup

### Web Applications

```bash
# .env.local (Next.js, Vite)
NEXT_PUBLIC_MAPBOX_TOKEN=pk.your_token_here
VITE_MAPBOX_TOKEN=pk.your_token_here

# .env (Create React App)
REACT_APP_MAPBOX_TOKEN=pk.your_token_here
```

### Mobile Applications

```
// iOS: Config.xcconfig
MAPBOX_TOKEN = pk.your_token_here
```

```
# Android: gradle.properties
MAPBOX_TOKEN=pk.your_token_here
```

**Always add to .gitignore:**

```
.env
.env.local
.env.*.local
```

## Token Rotation

**When to rotate:**

- 🔴 Immediately if token exposed publicly (GitHub, logs, etc.)
- 🟡 Every 90 days for secret tokens (best practice)
- 🟡 When team member leaves with access
- 🟡 After security incident

**How to rotate safely:**

1. Create new token with same scopes
2. Update environment variables
3. Deploy new code
4. Verify new token works
5. Delete old token (grace period: 24-48hrs)

## Common Vulnerabilities

### 1. Token in Public Repository

**Risk:** Anyone can use your token, rack up charges

**Fix:** Immediately rotate token, add to .gitignore, use git history rewrite if needed

### 2. No URL Restrictions

**Risk:** Token can be used on any domain

**Fix:** Add URL restrictions in dashboar
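The decision tree and the pre-deploy "no sk.* in bundles" review above can be turned into a small check. This is an added example, not code from the mapbox-token-security skill or from Mapbox; it assumes tokens have the shape `<prefix>.<base64url>.<base64url>`, and the sample bundle text and token values are constructed placeholders.

```javascript
// Assumed token shape: pk|sk|tk, then two base64url segments (constructed for this example).
const TOKEN_RE = /\b(pk|sk|tk)\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}/g;

// The guide's decision tree: which token prefixes may appear in which deployment context.
const ALLOWED_BY_CONTEXT = {
  client: ['pk'],         // browser / mobile bundles: public tokens only
  server: ['sk', 'pk'],   // API routes / backend: the only place for secret tokens
  'one-time': ['tk'],     // short-lived operations
};

function tokenType(token) {
  const m = /^(pk|sk|tk)\./.exec(token);
  return m ? m[1] : null;
}

function isAllowedIn(token, context) {
  const type = tokenType(token);
  const allowed = ALLOWED_BY_CONTEXT[context];
  return Boolean(type && allowed && allowed.includes(type));
}

// Redact for reporting: keep the prefix so the finding is actionable, never the value.
function redact(token) {
  return token.slice(0, 3) + '...[' + token.length + ' chars]';
}

// Scan built client output for any token that must not ship to users.
function scanClientBundle(text) {
  const findings = [];
  for (const m of text.matchAll(TOKEN_RE)) {
    if (!isAllowedIn(m[0], 'client')) {
      findings.push({ type: m[1], redacted: redact(m[0]), offset: m.index });
    }
  }
  return findings;
}

// Constructed sample: a bundle that correctly inlines a pk.* token but also leaked an sk.* token.
const SAMPLE_BUNDLE = [
  'mapboxgl.accessToken="pk.eyJ1IjoiZGVtbyIsImEiOiJjMTIzNDU2In0.constructedsignature01";',
  'const GEOCODE_KEY="sk.eyJ1IjoiZGVtbyIsImEiOiJjOTg3NjU0In0.constructedsignature02";',
].join('\n');

for (const f of scanClientBundle(SAMPLE_BUNDLE)) {
  console.error(`secret token in client bundle: ${f.type}.* at offset ${f.offset} (${f.redacted})`);
}
```

Run it against the emitted bundle directory in CI and fail the deploy on any finding; the redacted output is safe to keep in build logs.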