Settings and account access

The Settings page is where you can manage an account's profile information, billing and authentication methods, and apps connected to the Mapbox account. To access the Settings page, log into the account and navigate to account.mapbox.com/settings. Note that for accounts using SAML Single sign-on authentication, only users with the Root role assigned in their identity provider can access and update settings.

Profile

All users who log in to an account with the account's master password assume Root user privileges by default, and can access and update the account's settings. Alternatively, if your account has enabled SAML Single sign-on authentication, there are two user roles that are available: Root and Admin, which are assigned to users in an identity provider (like Okta). For accounts with SSO enabled, only users with the Root role will be able to access and update settings as described below. Learn more about user roles in the SAML SSO documentation.

Add or change an account's organization name

If an organization name is added in the account's Settings, this value is automatically included in the header of the account's invoices. To add or change the organization name, follow these steps:

  1. Log in and navigate to your Account settings page, and click the Profile tab.
  2. Enter the new or updated organization name and click Save changes.

Change an account's email address

An account's registered email address is the primary email address to which we send important billing and account notifications. If you are inheriting an account from a team member, consultant, or client, it might make sense to update the primary email address to be one that multiple members of your organization have access to, like developers@mapbox.com. Similarly, if you are transferring an account to a team, consultant, or client, changing the registered email address on the account from your own to one they have access to ensures important notifications are not missed. To update an account's email address, follow these steps:

  1. Log in and navigate to your Account settings page, and click the Profile tab.
  2. Enter the new email address and click Save changes.

Change an account's username (not possible)

It is not possible to change an account's ID (username). Doing so would break links to maps tied to that account and could cause other unanticipated problems with implementations that depend on that account ID.

Instead, you can add or change the account's organization name or create a new account, transfer your map styles and update your web and mobile applications to reference the new account's tokens and styles. For more information about setting up an account for collaboration or preparing for an ownership transition, see our guide for collaboration.

Once this transition is complete, you can delete the original account without breaking any links to your maps.

Questions about updating the profile information for an account? Please visit the troubleshooting section for recommendations and next steps to contact support.

Password

Change your password

  1. Log in and navigate to your Account settings.
  2. Enter your current password and new password in the appropriate fields.
  3. If you have two-factor authentication enabled, enter your two-factor authentication code.
  4. Click Save new password.

Reset your password

If you're having trouble logging in to an account, try resetting the account's password by providing the email address that's associated with the account. We'll send the registered email on file for that account an email with further instructions to reset the password.

The link that we send in the password reset email is only valid for 24 hours. If you receive an Invalid token error message or have waited more than 24 hours, you'll need to request another password reset email.

Questions about changing or resetting an account's password? Please visit the troubleshooting section for recommendations and next steps to contact support.

Security

Mapbox is critical infrastructure for our customers. We go to significant lengths to protect the security of your account, your data, and your users. Please visit our Security page for more information about how we process payments, store data, and conduct regular audits.

An account's Security Settings page is where you can enable two-factor authentication or SAML Single sign-on for an account.

Two-factor authentication

Two-factor authentication (2FA), also known as multi-factor authentication (MFA) or two-step authentication, provides an optional, but recommended, layer of security for Mapbox accounts. Once enabled, all users will be prompted to enter the account's password as well as a security code generated on registered mobile devices whenever they log in to the account.

Enable two-factor authentication

When logged in to an account, you can enable two-factor authentication from the Security page. The Security page will include a barcode which you'll be prompted to scan with your mobile device, or a code that can be typed into password management services like 1Password.

Scan the generated barcode using an authenticator app on your mobile device. We recommend using Google Authenticator - it's free and available for iOS and Android. For a Windows phone, use the Authenticator app.

Your mobile device will display a 6-digit code. Type this code into the field below the barcode to complete the process.

Save your recovery code in a safe place so you can access the account if you lose your device

Please note that enabling 2FA for an account raises the likelihood that you or other users of the account may have trouble logging into the account in the future. Mapbox verifies ownership of an account by asking users to confirm the credit card number on file for that account. When 2FA is enabled on an account without a credit card, there is no way that the Support team can help users regain access to that account. Exercise care by storing 2FA recovery codes in a safe place and distributing them to new account owners when transferring ownership of an account. Consider enabling SAML SSO for team accounts or accounts with multiple users, since many SSO providers require 2FA for logging into the IdP.

Use a recovery code to access an account without the registered two-factor device

After you've set up two-factor authentication on an account, you will be redirected to a page with a recovery code. A recovery code is a single-use code that lets you sign in without your two-factor device.

Write down this code and keep it in a safe place. Treat your recovery code like a password to your account. If you lose your mobile device, you will need this code to log in to your account.

If you have already set up two-factor authentication on your account and do not have a recovery code, but can access the account with your 2FA device, go to your Security page to generate and retrieve a new recovery code for the account. Immediately store this code in a safe place, like a 1Password vault for individuals or teams.

To use the recovery code to log in to an account, you'll need the account's account ID (username) or email, and the account's password. Follow the steps below to use your recovery code:

  1. Navigate to the Sign in page.
  2. Enter the account ID (username) and password, then click Sign in.
  3. Click the Lost your mobile device? link below the Sign in button. A new field for the recovery code will appear.
  4. Enter your recovery code in the new field and click Sign in.

Using the account's recovery code will temporarily deactivate two-factor authentication. This gives you a chance to configure a new two-factor authentication device, enable SAML SSO authentication for teams, or decide not to reactivate 2FA for the account.

Questions about enabling MFA or accessing an account with a recovery code? Please visit the troubleshooting section for recommendations and next steps to contact support.

Single Sign-on authentication (SSO)

Public beta

SAML Single sign-on (SSO) is in public beta and is subject to potential changes.

Manage your organization's access to Mapbox accounts while adding another level of security with SAML Single sign-on (SSO). SSO enables members of your organization to authenticate into a Mapbox.com account through any trusted, third-party identity provider that supports the SAML2.0 protocol.

SAML SSO capabilities

Supports:

Does not support:

  • OAuth, OpenID Connect, Kerberos, other protocols
  • Service provider (SP) initiated login
  • Identity provider (IdP) initiated single logout
  • Nested sub-account hierarchy of separate, connected accounts
  • Multiple identity providers
  • Domain control or domain lockout

Setting up SAML SSO for your Mapbox account

The setup workflow for each identity provider can be unique, but there are general themes:

  1. Log in to the Mapbox account you want to set up with SSO authentication
  2. In your identity provider (IdP), create a new SAML application
  3. Copy and paste the required details in the Configure your identity provider section of the Mapbox SSO setup page into your IdP’s configuration workflow
  4. Add the user roles as a custom attribute in your IdP
  5. Copy and paste the required details from your identity provider in the Setup SAML single sign-on for Mapbox section of the SSO setup page
  6. Click Enable single sign-on to save your integration
  7. Assign users to your application in the IdP
  8. Assign roles to the users
  9. Test that the SAML authentication is working as expected

Configuring your identity provider

Log into your identity provider with the required administrative privileges, then create a custom SAML2.0 application for Mapbox. If you're an Okta user, read their How to configure SAML for Mapbox guide to get started.

See the following external links for IdP specific instructions:

In this new application, enter the following required information from the Mapbox SSO setup page:

  • Single sign-on URL, also could be referred to as the SSO URL, Assertion Consumer Service (ACS) URL, Application ACS URL, Reply URL, Callback URL, or Post-back URL in your IdP
  • Audience Restriction, also could be referred to as Audience URI, SP Entity ID, Identifier, or Application SAML Audience in your IdP
  • The application username must be in email format
  • The SHA256 encryption algorithm is required

Configuring user roles in your identity provider

Through SAML SSO you can assign users roles that provide certain permissions in the Mapbox Account app and Mapbox Studio that are also enforced by all Mapbox APIs. User roles are assigned in the identity provider and transferred to Mapbox in the SAML assertion. The available user roles are:

Role | Permissions | Typical users
Root | Users with the Root role can read and write to account settings and can read and write to all resources and APIs. | IT Admins, Product Owners, CTOs
Admin | Users with the Admin role can read and write to all resources and APIs. They cannot read or write to account settings. | Developers, Designers, Project contributors

Many identity providers use custom attributes and attribute statements for roles. Typically, roles can be assigned to individuals or groups. Consult the documentation for your specific IdP, such as the Okta documentation for Mapbox SAML apps for details.
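
A pre-flight check for the IdP settings listed above, as an added example that is not Mapbox code: it inspects a SAML assertion exported from your own IdP for the audience restriction, an email-format username, a SHA256-based signature method, and a Root or Admin role. The attribute name `role`, the audience value, and the sample assertion are constructed placeholders, and reading the SHA256 requirement as the XML signature method is an assumption; take the real values from the Mapbox SSO setup page and your IdP's documentation.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
ALLOWED_ROLES = {"Root", "Admin"}  # the two roles this page names
ROLE_ATTRIBUTE = "role"  # assumption: hypothetical attribute name, check your IdP guide
# Assumption: the page's SHA256 requirement is read as the XML signature method.
SHA256_SIG_ALGS = {"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
                   "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"}

# Constructed sample assertion with placeholder values; it is deliberately misconfigured.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  </ds:SignedInfo></ds:Signature>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://sp.example.invalid/audience</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>Owner</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text, expected_audience):
    """Return a list of configuration problems found in a SAML assertion.

    This inspects configuration only and does not verify the signature.
    Run it on output from your own IdP, not on untrusted XML.
    """
    root = ET.fromstring(xml_text)
    problems = []

    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if expected_audience not in audiences:
        problems.append("audience restriction does not match the SP value")

    name_id = root.findtext(".//saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", name_id):
        problems.append("application username (NameID) is not in email format")

    alg = root.find(".//ds:SignatureMethod", NS)
    if alg is None or alg.get("Algorithm") not in SHA256_SIG_ALGS:
        problems.append("signature method is not SHA256-based")

    roles = [v.text.strip() for v in root.iterfind(
        f".//saml:Attribute[@Name='{ROLE_ATTRIBUTE}']/saml:AttributeValue", NS) if v.text]
    if not roles:
        problems.append("no role attribute in the assertion")
    elif not set(roles) <= ALLOWED_ROLES:
        problems.append("role value is not Root or Admin")
    return problems
```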

Completing SAML SSO setup for Mapbox

To complete the initial connection between your identity provider and mapbox.com, enter the following required information in your Mapbox account's SSO setup page:

  • Identity Provider sign-on URL, also could be referred to as SSO URL, SAML endpoint, or SSO sign-in URL in your IdP
  • IssuerID, also could be referred to as Entity ID, Issuer, or Issuer URL in your IdP
  • X.509 Certificate, pasted as text into the field

Be sure to include -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- when pasting your X.509 certificate into the Mapbox form. You may need to open the X.509 certificate in a text editor in order to copy the full body.

Click Enable single sign-on to submit the form. You will be prompted to re-authenticate.

Questions about setting up SAML SSO? Please visit the troubleshooting section for recommendations and next steps to contact support.

Validating the SAML SSO integration

Once you have saved the integration, return to your identity provider to assign the application to yourself for testing. When assigned, try clicking the tile, chiclet, or link for your Mapbox app to log in. From the Mapbox account, you can also click the test SAML configuration button in the Security settings to log in with SSO.

Enforcing SAML SSO authentication

Enabling SSO for an account does not invalidate password authentication. Any users logging in with the password (and optional 2FA) will assume the Root user role. The account's master password is still a valid authentication method to make sure your transition period is seamless and Root users have direct access to the account if your identity provider has an outage.

To encourage your users to log in to Mapbox through your identity provider, we recommend the following:

  • Assign yourself the Root user role in your IdP so you will have access to settings
  • Assign most others the Admin user role so they will not have access to settings
  • Change the email for the account to an email address that the Root user(s) can access
  • Change the password for the account
  • Save the new password in a safe location with limited access (identity provider, shared password manager, or IT vault)
  • If 2FA is enabled for the account, either turn it off or save the recovery codes with the new password

These changes should effectively push all the Admin users to authentication with Single sign-on, as they'll no longer have the password.

Deleting SAML SSO integration

You have the option to delete your SAML SSO integration. This is something you would need to do only in a rare situation -- generally, only if your organization has set up Single sign-on with a test account. An IdP can only be associated with one Mapbox account, so if you've associated your IdP with a test account, you will need to delete that integration to set up SSO for your organization's main account.

Questions about validating, enforcing, or deleting a SAML SSO integration? Please visit the troubleshooting section for recommendations and next steps to contact support.

Delete your account

You can delete an account by scrolling to the bottom of the Account settings and clicking the Delete account button.

There will be a modal that requires additional confirmation that you do intend to fully delete the account. When you delete an account, the change is effective immediately and all maps and data are removed. This means that:

  • All projects and data associated with the account will no longer be available.
  • No one will be able to log in to that account to access Mapbox applications.
  • Access tokens tied to that account will be immediately terminated, and map implementations using them will no longer be able to effectively access Mapbox services.

Deleting an account is a permanent action that cannot be undone. We will not be able to recover your account if you change your mind, and the same account ID (username) cannot be re-used to create another account. We will not automatically prorate for any unused services or subscriptions.

Privacy

GDPR compliance

Mapbox Services are fully compliant with GDPR. For more information, read our DPA and subprocessors pages.

Mapbox is also Privacy Shield certified and can be found on privacyshield.org.

Troubleshooting

Are you having trouble updating account settings, enabling SAML SSO, or logging into your account? Start here for some common troubleshooting tips for regaining account access or updating account settings. If you still cannot access your account after reviewing this documentation, include the details listed below in a support request. Our accounts support team is standing by to help.

I am locked out of a Mapbox account and need to regain access. What steps can I try?

If you need to gain access to a Mapbox.com account, please read the account lockout troubleshooting guide which covers common scenarios and provides recommendations. Still have questions? Please submit a support request to get in touch with our team.

I'm not receiving the password reset email. What can I try next?

First, check your spam folder to make sure our email hasn't been routed there. Not seeing it there, either? Sometimes password reset emails are undeliverable - maybe emails from Mapbox to your email address have bounced in the past or there have been other problems preventing the email from being delivered (especially for inactive email addresses).

If you are not receiving the password reset email, let us know by submitting the support form. We can take steps to reactivate your email address so that you can receive the password reset emails.

I do not have my two-factor (2FA) authentication recovery code. What are my options?

If you do not have a 2FA recovery code for an account with 2FA enabled, the account must have a payment method on file in order for the Mapbox team to verify ownership of the account and remove two-factor authentication. Contact our support team to get started.

If the account does not have a credit card on file, we will not be able to verify account ownership. In this case, the only next step will be to create a new Mapbox account and add access tokens from your new account into your map implementations.

I'm having trouble setting up and/or configuring SAML Single Sign-on (SSO). Can you help?

If you're having issues setting up SSO after following the steps in our documentation, submit a support request to get in touch with our team. As we troubleshoot with you and help you successfully set up SSO, the more information about error codes and screenshots from your identity provider that you can include with your support request, the better!

If I cannot resolve my issue, what information should I include in my support request?

We're happy to help with your questions - please contact our support team with this form. In order to help our team provide the most prompt resolution, please include as much of the following information with your request:

For account access issues:

  • Account ID (username)
  • Account's registered email address
  • Access token (if applicable)

For failed login issues with supported browsers:

  • Web browser(s) and versions
  • Any enabled web browser extensions you're using
  • Any enabled experimental flags (chrome://flags/) if using Google Chrome
  • Computer operating system and versions
  • Whether you have tested this issue while in incognito mode (if applicable)
  • Whether you have tested this issue with no browser extensions (if applicable)

If you do not know your browser information, you can use a tool like mybrowser.fyi to find the correct details.

With the information you provide, we'll try to diagnose the issue and provide tips that help you produce the desired behavior. Thanks in advance for providing as much information as you can!
