Token management

Your Tokens page is where you can manage access tokens for your Mapbox account. To access the Tokens page, log into your account and navigate to account.mapbox.com/tokens.

Default public access token

Your default public access token contains all public scopes (read more about public scopes below). Your account will always contain a default public access token. If you delete this token, another one will be automatically generated. You cannot add secret scopes or domain restrictions to your default public access token.

Scopes

Each access token you create will have a set of permissions that allow you to make certain types of requests to Mapbox APIs — these are called scopes. Read more about what each scope is for below.

Public scopes

Scope           Description
styles:tiles    Read style as PNG tiles and static images. This is the scope that is necessary for retrieving a static map from a style with the Static Images API or for retrieving raster tiles from a style with the Static Tiles API.
styles:read     Read styles. This is the scope that is necessary to initialize a Mapbox map style in Mapbox GL JS and our mobile Maps SDKs.
fonts:read      Read fonts. This is the scope that is necessary to generate fonts that render on your map styles and to retrieve font glyphs and ranges using the Mapbox Fonts API.
datasets:read   Read datasets. This scope is necessary for retrieving information about datasets using the Datasets API.
vision:read     Read Vision SDK services. This scope is necessary for using the Vision SDK for iOS or Android.

Secret scopes

There are two important things to note about secret scopes before adding them to an access token:

  1. If you choose to add any secret scopes to your token, you will have only one chance to view the token.
  2. Do not expose access tokens with secret scopes. If someone else gets access to tokens with secret scopes they may be able to make changes to your account. Keep tokens with secret scopes secret.

Scope             Description
scopes:list       List all available scopes. This scope is necessary to list all potential scopes that you have access to based on your plan level using the Tokens API.
map:read          Read tilesets, tilestats, legacy Mapbox Studio Classic styles, and legacy projects.
map:write         Create and update legacy Mapbox Studio Classic styles, tilesets, and tilestats.
user:read         Read user profile information. Use this scope to list details about your account.
user:write        Write user profile information. Use this scope to update your account information.
uploads:read      Read data uploads. This scope is necessary for tracking your upload statuses using the Mapbox Uploads API.
uploads:list      List tileset uploads. This scope is necessary for retrieving multiple upload statuses using the Mapbox Uploads API.
uploads:write     Create tileset uploads. This scope is necessary for creating an upload using the Mapbox Uploads API.
styles:write      Create and update styles. This scope is necessary for creating a style in your account using the Mapbox Styles API.
styles:list       List styles. This scope is necessary for listing styles for a specific account using the Mapbox Styles API. This endpoint returns style metadata instead of returning full styles.
tokens:read       Read tokens. This scope is necessary to list all the tokens that belong to an account using the Mapbox Tokens API.
tokens:write      Create, update, and delete tokens using the Mapbox Tokens API. Every requested scope must be present in the access token used to allow the request. It is not possible to create a token with access to more scopes than the token that created it.
datasets:list     List datasets. This scope is necessary to list all the datasets that belong to a particular account using the Datasets API.
datasets:write    Create and update datasets using the Datasets API.
tilesets:list     List tilesets. This scope is necessary to list raster and vector tilesets that belong to a particular account using the Mapbox Tilesets API.
tilesets:read     Read tilesets. This scope is necessary to read raster and vector tileset information using the Mapbox Tilesets API.
tilesets:write    Create, update, and delete tilesets using the Mapbox Tilesets API.
vision:download   Download the Vision SDK. This scope is necessary for downloading the Vision SDK. You do not need a token with this scope to use the Vision SDK. You should use a separate, public token in your application with the public vision:read scope.
atlas:read        Read Mapbox Atlas data and software with the Atlas installer. This scope is necessary to set up a working instance of Mapbox Atlas. This scope is only available to users who have access to Atlas.
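The two rules that matter most when minting tokens are that the creating token must hold tokens:write and every scope it grants, and that a token carrying any secret scope must never be shipped in client code. The following is an added example, not Mapbox's code and not the Tokens API itself: a pre-flight check you could run in your own provisioning script before calling the API. The scope lists are the ones documented above; the checkTokenRequest function and its intendedForClient option are this example's own names.

```javascript
// Added example, not Mapbox's code. Scope names are the ones documented on
// this page; the check itself is a local pre-flight, not an API call.
const PUBLIC_SCOPES = new Set([
  'styles:tiles', 'styles:read', 'fonts:read', 'datasets:read', 'vision:read',
]);
const SECRET_SCOPES = new Set([
  'scopes:list', 'map:read', 'map:write', 'user:read', 'user:write',
  'uploads:read', 'uploads:list', 'uploads:write', 'styles:write', 'styles:list',
  'tokens:read', 'tokens:write', 'datasets:list', 'datasets:write',
  'tilesets:list', 'tilesets:read', 'tilesets:write', 'vision:download', 'atlas:read',
]);

// creatorScopes: scopes held by the token that will authorize the request.
// requestedScopes: scopes the new token should get.
// intendedForClient: true if the new token will be embedded in a web page or app.
function checkTokenRequest(creatorScopes, requestedScopes, { intendedForClient = false } = {}) {
  const creator = new Set(creatorScopes);
  const problems = [];

  // The Tokens API call itself needs tokens:write on the creating token.
  if (!creator.has('tokens:write')) {
    problems.push('creating token lacks tokens:write');
  }

  const unknown = requestedScopes.filter(s => !PUBLIC_SCOPES.has(s) && !SECRET_SCOPES.has(s));
  if (unknown.length) problems.push(`unknown scopes: ${unknown.join(', ')}`);

  // A token cannot be given more scopes than the token that creates it.
  const exceeding = requestedScopes.filter(s => !creator.has(s));
  if (exceeding.length) {
    problems.push(`requested scopes not held by creating token: ${exceeding.join(', ')}`);
  }

  // Secret scopes can change the account, so they never belong in client code.
  const secret = requestedScopes.filter(s => SECRET_SCOPES.has(s));
  if (intendedForClient && secret.length) {
    problems.push(`secret scopes must not ship in client code: ${secret.join(', ')}`);
  }

  return { ok: problems.length === 0, secret, problems };
}

// Usage: a browser map token derived from a provisioning token.
const provisioning = ['tokens:write', 'styles:read', 'styles:tiles', 'fonts:read', 'uploads:write'];
console.log(checkTokenRequest(provisioning, ['styles:read', 'fonts:read'], { intendedForClient: true }));
```

Run the check with intendedForClient set for anything that ends up in a page or mobile bundle; a result with a non-empty secret list is a token that should only live server-side.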

Domain restrictions

You can make your access tokens more secure by adding URL restrictions. When you add a URL restriction to a token, that token will only work for requests that originate from the URLs you specify. Tokens without restrictions will work for requests originating from any URL.

Requirements and limitations

This feature is compatible with many Mapbox tools with some limitations:

  • Versions of Mapbox GL JS prior to 0.53.1 are incompatible with URL restrictions. Requests originating from earlier versions of Mapbox GL JS will be denied because those requests will not include referer headers. If your Statistics page shows "not set" or "other", you need to upgrade GL JS versions.
  • URL restrictions are not compatible with Mapbox native SDKs.

Add URL restrictions to access tokens

An allowed URL is an absolute or partial web address to which a token grants access. There are several URL components that can be combined to make an allowed URL entry.

The following are examples of valid URL formats:

  • Domain only: mapbox.com
  • Domain with port: mapbox.com:2019
  • Protocol and domain: http://mapbox.com
  • Subdomain: docs.mapbox.com
  • Domain with path: mapbox.com/help/how-mapbox-works/access-tokens
  • Domain with query parameter: mapbox.com/?page=1

For example:

https://all-subdomains.example.com:8000/all/paths?search=foo
  • Protocol is https
  • Subdomain is all-subdomains
  • Domain is example.com
  • Port is 8000
  • Path is /all/paths
  • Search with query string parameters is ?search=foo

Notes on adding allowedUrls restrictions to a token:

  • Of the URL components listed above, only the domain is required. Protocol, subdomain, port, path, and search with query parameters are optional.
  • Paths are case sensitive.
  • If a port is not provided, ports 80 and 443 are allowed by default.
  • If no allowed URLs are provided, the token will work for requests originating from any URL.
  • Unless it is specifically added to a token, localhost will be blocked. To develop locally, create a separate token with more permissive URL restrictions.
  • If your site includes a noreferrer policy, URL restricted tokens will not work.

Example scenarios

Subdomains of any allowed URLs are also allowed:

  • http://example.com also authorizes http://www.example.com
  • http://example.com also authorizes http://www.production.example.com

Subpaths of an allowed path are also allowed. Paths are case-sensitive:

  • http://example.com also authorizes http://example.com/anything/else
  • http://example.com/path also authorizes http://example.com/path/more
  • http://example.com/path does not authorize http://example.com/another/path
  • http://example.com/path does not authorize http://example.com/Path

If a protocol is specified it must be matched:

  • http://example.com does not authorize https://example.com

If no protocol is specified, then any protocol is acceptable:

  • example.com also authorizes http://example.com and https://example.com
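To make the rules above concrete, here is an added example that is not Mapbox's code: a small model of allowed-URL matching, run against sample Referer values. Mapbox's actual server-side implementation is not shown on this page; the rules coded here are exactly the ones listed above (subdomains and subpaths allowed, paths case-sensitive, protocol must match when given, ports 80 and 443 by default, localhost blocked unless added, no Referer means denied). How query parameters are compared is not specified on the page, so this example assumes that every key=value pair in the entry must appear in the request. The function names are this example's own.

```javascript
// Added example, not Mapbox's code: a model of the allowed-URL rules on this page.
const URL_PATTERN = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:?#]+)(?::(\d+))?(\/[^?#]*)?(?:\?([^#]*))?/i;

// Split a request URL or an allowed-URL entry into components; protocol, port,
// path and query are null when absent. Returns null if no host is present.
function parseUrl(text) {
  const m = URL_PATTERN.exec(text.trim());
  if (!m) return null;
  return {
    protocol: m[1] ? m[1].toLowerCase() : null,
    host: m[2].toLowerCase(),
    port: m[3] || null,
    path: m[4] || null,
    query: m[5] || null,
  };
}

// example.com also covers www.example.com and www.production.example.com,
// but not notexample.com.
function hostMatches(allowedHost, requestHost) {
  return requestHost === allowedHost || requestHost.endsWith('.' + allowedHost);
}

// No port in the entry means 80 and 443; an explicit port must match exactly.
function portMatches(allowedPort, req) {
  const defaults = { http: '80', https: '443' };
  const effective = req.port || defaults[req.protocol] || null;
  if (!allowedPort) return effective === '80' || effective === '443';
  return effective === allowedPort;
}

// /path covers /path and /path/more, but not /another/path or /Path.
function pathMatches(allowedPath, requestPath) {
  if (!allowedPath) return true;
  const base = allowedPath.replace(/\/+$/, '');
  const actual = requestPath || '/';
  return actual === base || actual.startsWith(base + '/');
}

// Assumption (not stated on the page): each key=value pair in the entry's
// query string must be present with the same value in the request.
function queryMatches(allowedQuery, requestQuery) {
  if (!allowedQuery) return true;
  const want = new URLSearchParams(allowedQuery);
  const have = new URLSearchParams(requestQuery || '');
  for (const [key, value] of want) {
    if (have.get(key) !== value) return false;
  }
  return true;
}

function entryAllows(entry, req) {
  const a = parseUrl(entry);
  if (!a) return false;
  if (a.protocol && a.protocol !== req.protocol) return false; // protocol given: must match
  return hostMatches(a.host, req.host) && portMatches(a.port, req) &&
    pathMatches(a.path, req.path) && queryMatches(a.query, req.query);
}

// allowedUrls: the token's restriction list.
// referer: the request's Referer header value, or undefined when absent.
function isRequestAllowed(allowedUrls, referer) {
  if (allowedUrls.length === 0) return true; // unrestricted token: any origin works
  if (!referer) return false;                // no Referer (old GL JS, noreferrer): denied
  const req = parseUrl(referer);
  if (!req || !req.protocol) return false;
  return allowedUrls.some(entry => entryAllows(entry, req));
}

// Usage with constructed sample values: a production token plus a local-dev entry.
const restrictions = ['https://example.com/app', 'localhost:3000'];
console.log(isRequestAllowed(restrictions, 'https://www.example.com/app/map?x=1')); // true
console.log(isRequestAllowed(restrictions, 'http://example.com/app'));               // false (protocol)
console.log(isRequestAllowed(restrictions, 'http://localhost:3000/'));               // true
console.log(isRequestAllowed(restrictions, undefined));                              // false
```

The localhost behaviour falls out of ordinary host matching: nothing in the list matches it until you add an entry for it, which is why the page recommends a separate, more permissive token for local development rather than widening the production one.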