Tokens

An access token provides access to Mapbox resources on behalf of a user. The Mapbox Tokens API provides you with a programmatic way to create, update, delete, and retrieve tokens, as well as list a user's tokens and token scopes.

All user accounts have a default public token. Additional tokens can be created to grant additional, or more limited, privileges.

The actions allowed by a token are based on scopes. A scope is a string that often is a resource type and action separated by a colon. For example, the styles:read scope allows read access to styles. Tokens will have access to different scopes depending on their account level and other features of their account.

To create additional tokens using the Mapbox Tokens API, you need to have an authorizing token that has the tokens:write scope, as well as all the scopes you want to add to the newly created token. To create the authorization token, visit your Account Dashboard, and click Create a token.

Token format

Mapbox uses JSON Web Tokens (JWT) as the token format. Each token is a string delimited by dots into three parts: header, payload, and signature.

  • Header. A literal value of either pk (public token), sk (secret token), or tk (temporary token).
  • Payload. A base64-encoded JSON object containing the identity and authorities of the token. pk and sk tokens contain a reference to metadata that holds the rights granted for the token. tk tokens contain the contents of the metadata directly in the payload.
  • Signature. Signed by Mapbox and used to verify the token has not been tampered with.

Token metadata object

Every token has a metadata object that contains information about the capabilities of the token. The token metadata object contains the following properties:

PropertyTypeDescription
idstringThe token's unique identifier. This is not the access token itself, but rather an identifier for a specific pk, sk, or tk token. You can find a token's ID within the account dashboard by navigating to the token's page, clicking on the token's name, and copying the value at the end of the URL, like: https://account.mapbox.com/access-tokens/<token_id>
usagestringThe type of token. One of: pk (public), sk (secret), or tk (temporary).
clientstringThe client for the token. This is always api.
defaultbooleanIndicates whether the token is a default token.
scopesarrayAn array that contains the scopes granted to the token.
notestringA human-readable description of the token.
createdstringThe date and time the token was created.
modifiedstringThe date and time the token was last modified.
allowedUrlsarrayThe URLs that the token is restricted to.
tokenstringThe token itself.

Example token metadata object

{
  "id": "cijucimbe000brbkt48d0dhcx",
  "usage": "pk",
  "client": "api",
  "default": false,
  "note": "My website",
  "scopes": ["styles:read", "fonts:read"],
  "created": "2018-01-25T19:07:07.621Z",
  "modified": "2018-01-26T00:39:57.941Z",
  "allowedUrls": ["https://docs.mapbox.com"],
  "token": "pk.eyJ1Ijoic2NvdGhpcyIsImEiOiJjaWp1Y2ltYmUwMDBicmJrdDQ4ZDBkaGN4In0.sbihZCZJ56-fsFNKHXF8YQ"
}
Support for allowed URLs

The allowed URLs feature is compatible with many Mapbox tools, with some limitations. For web applications using Mapbox GL JS, it requires version 0.53.1+. It is not compatible with Mapbox native SDKs. Adding a URL restriction to a token makes it unusable by a mobile application. A separate token should be maintained for mobile applications.

See the Adding URL restrictions to access tokens guide to learn more about this feature for web requests.

List tokens

get
/tokens/v2/{username}
tokens:read

List all the tokens that belong to an account. This endpoint supports pagination.

Required parameterTypeDescription
usernamestringThe username of the account for which to list tokens.

You can further refine the results from this endpoint with the following optional parameters:

Optional parameterTypeDescription
defaultbooleanIf this parameter is set to true, the response will only include the account's default token. If this parameter is set to false, the response will include all of the account's tokens except for the default token.
limitintegerThe maximum number of tokens to return.
sortbystringSort the tokens in the response by their created or modified timestamps.
startstringThe token after which to start the listing. The token key is found in the Link header of a response. See the pagination section for details.
usagestringUse this parameter to return either only public tokens (pk) or secret tokens (sk). By default, this endpoint returns both types of token.

Example request: List tokens

$ curl "https://api.mapbox.com/tokens/v2/{username}?access_token=
YOUR_MAPBOX_ACCESS_TOKEN
"

Response: List tokens

The response body will contain all the tokens that belong to the username specified in the query, each containing the properties described in the token metadata object section.

If a listed token's usage property is sk, the token property will not be included in the response.

Example response: List tokens

[
  {
    "client": "api",
    "note": "a public token",
    "usage": "pk",
    "id": "cijucimbe000brbkt48d0dhcx",
    "default": false,
    "scopes": ["styles:read", "fonts:read"],
    "allowedUrls": ["https://docs.mapbox.com", "https://account.mapbox.com"],
    "created": "2016-01-25T19:07:07.621Z",
    "modified":"2016-01-26T00:39:57.941Z",
    "token": "pk.eyJ1Ijoic2NvdGhpcyIsImEiOiJjaWp1Y2ltYmUwMDBicmJrdDQ4ZDBkaGN4In0.sbihZCZJ56-fsFNKHXF8YQ"
  },
  {
    "client": "api",
    "note": "a secret token",
    "usage": "sk",
    "id": "juorumy001cutm5r4fl2y1b",
    "default": false,
    "scopes": ["styles:list"],
    "created": "2016-01-26T00:50:13.701Z",
    "modified": "2016-01-26T00:50:13.701Z"
  }
]

Supported libraries: List tokens

Mapbox wrapper libraries help you integrate Mapbox APIs into your existing application. The following SDK supports this endpoint:

See the SDK documentation for details and examples of how to use the relevant methods to query this endpoint.

Create a token

post
/tokens/v2/{username}
tokens:write

Creates a new token. Every requested scope must be present in the access token used to allow the request. It is not possible to create a token with access to more scopes than the token that created it.

Note that while it is possible to create a token with no scopes, you will not be able to update this token later to include any scopes.

Required parameterTypeDescription
usernamestringThe username of the account for which to list scopes.

The request body must be a JSON object that contains the following properties:

ParameterTypeDescription
notestringCreate a description for the token.
scopesarraySpecify the scopes that the new token will have. The authorizing token needs to have the same scopes as, or more scopes than, the new token you are creating.
allowedUrlsarrayURLs that this token is allowed to work with.

Available token scopes

The scopes included in the token determine whether the token is public or secret. A public token can only contain public scopes, while a secret token can contain both public and secret scopes. For a full list of all public and secret scopes, see the Token management documentation.

Example request: Create a token

# Create a public token with "styles:read" and "fonts:read" scopes and a "https://docs.mapbox.com" allowed URL

$ curl -H "Content-Type: application/json" -X POST -d '{"note": "My top secret project","scopes": ["styles:read", "fonts:read"], "allowedUrls": ["https://docs.mapbox.com"]}' 'https://api.mapbox.com/tokens/v2/{username}?access_token=
YOUR_MAPBOX_ACCESS_TOKEN
'

Response: Create a token

The response body for a successful request will be a new public or secret token.

Example response: Create a token

{
  "client": "api",
  "note": "My top secret project",
  "usage": "pk",
  "id": "cijucimbe000brbkt48d0dhcx",
  "default": false,
  "scopes": ["styles:read", "fonts:read"],
  "created": "2016-01-25T19:07:07.621Z",
  "modified":"2016-01-25T19:07:07.621Z",
  "allowedUrls": ["https://docs.mapbox.com"],
  "token": "pk.eyJ1Ijoic2NvdGhpcyIsImEiOiJjaWp1Y2ltYmUwMDBicmJrdDQ4ZDBkaGN4In0.sbihZCZJ56-fsFNKHXF8YQ"
}

Supported libraries: Create a token

Mapbox wrapper libraries help you integrate Mapbox APIs into your existing application. The following SDK supports this endpoint:

See the SDK documentation for details and examples of how to use the relevant methods to query this endpoint.

Create a temporary token

post
/tokens/v2/{username}
tokens:write

Creates a new temporary token that automatically expires at a set time. You can create a temporary token using a secret token that has the tokens:write scope. You can also create a temporary token using another temporary token as long as the authorizing token has tokens:write scope. Temporary tokens can't be updated or revoked after they are created.

Required parameterTypeDescription
usernamestringThe username of the account for which to create a temporary token.

The request body must be a JSON object that contains the following properties:

Request body propertiesTypeDescription
expiresstringSpecify when the temporary token will expire. Cannot be a time in the past or more than one hour in the future. If the authorizing token is temporary, the expires time for the new temporary token cannot be later than that of the authorizing temporary token.
scopesarraySpecify the scopes that the new temporary token will have. The authorizing token needs to have the same scopes as, or more scopes than, the new temporary token you are creating.

Example request: Create a temporary token

# Request a temporary token with "styles:read" and "font:read" scopes

$ curl -H "Content-Type: application/json" -X POST -d '{"expires": "2021-11-30T23:59:19.375Z","scopes": ["styles:read", "fonts:read"]}' 'https://api.mapbox.com/tokens/v2/{username}?access_token=
YOUR_MAPBOX_ACCESS_TOKEN
'

Example request body: Create a temporary token

{
  "expires": "2016-09-15T19:27:53.000Z",
  "scopes": ["styles:read", "fonts:read"]
}

Response: Create a temporary token

The response body for a successful request will be a new temporary token. Unlike public and secret tokens, a temporary token contains its metadata inside the payload of the token instead of referencing a metadata object that persists on the server.

Example response: Create a temporary token

{
  "token": "tk.eyJ1IjoibWFwYm94IiwiZXhwIjoxNDczOTY3NjczLCJpYXQiOjE0NzM5Njc2NDMsInNjb3BlcyI6WyJzdHlsZXM6cmVhZCIsImZvbnRzOnJlYWQiXSwiY2xpZW50IjoiYXBpIn0.ZepsWvpjTMlpePE4IQBs0g"
}

Supported libraries: Create a temporary token

Mapbox wrapper libraries help you integrate Mapbox APIs into your existing application. The following SDK supports this endpoint:

See the SDK documentation for details and examples of how to use the relevant methods to query this endpoint.

Update a token

patch
/tokens/v2/{username}/{token_id}
tokens:write

Update the note, the scopes, the allowedUrls, or all three in a token's metadata. When updating scopes for an existing token, the token sent along with the request must also have the scopes you're requesting. It is not possible to create a token with access to more scopes than the token that updated it.

Required parameterTypeDescription
token_idstringThe ID of the token that you want to update. This is not the access token itself, but rather the unique identifier for a specific token.

The request body must be a JSON object that contains one or both of the following properties:

Request body propertiesTypeDescription
notestringUpdate the token's description.
scopesarrayUpdate the token's scopes. The authorizing token needs to have the same scopes as, or more scopes than, the token you are updating. A public token may only be updated to include other public scopes. A secret token may be updated to contain public and secret scopes.
allowedUrlsarrayUpdate the restricted token's allowed URLs.

Example request: Update a token

# Update a token to have "fonts:read" scope and a "https://docs.mapbox.com" allowed URL

$ curl -H 'Content-Type: application/json' -X PATCH -d '{"scopes": ["styles:read", "fonts:read"], "allowedUrls": ["https://docs.mapbox.com"]}' 'https://api.mapbox.com/tokens/v2/{username}/{token_id}?access_token=
YOUR_MAPBOX_ACCESS_TOKEN
'

Response: Update a token

The response body for a successful request will be a new temporary token.

Example response: Update a token

{
  "client": "api",
  "note": "My top secret project",
  "usage": "pk",
  "id": "cijucimbe000brbkt48d0dhcx",
  "default": false,
  "scopes": ["styles:tiles", "styles:read", "fonts:read"],
  "allowedUrls": ["https://docs.mapbox.com"],
  "created": "2016-01-25T19:07:07.621Z",
  "modified":"2016-01-25T19:07:07.621Z",
  "token": "pk.eyJ1Ijoic2NvdGhpcyIsImEiOiJjaWp1Y2ltYmUwMDBicmJrdDQ4ZDBkaGN4In0.sbihZCZJ56-fsFNKHXF8YQ"
}

Supported libraries: Update a token

Mapbox wrapper libraries help you integrate Mapbox APIs into your existing application. The following SDK supports this endpoint:

See the SDK documentation for details and examples of how to use the relevant methods to query this endpoint.

Delete a token

delete
/tokens/v2/{username}/{token_id}
tokens:write

Delete an access token. This will revoke its authorization and remove its access to Mapbox APIs. Applications using the revoked token will need to get a new access token before they can access Mapbox APIs.

Note that cached resources may continue to be accessible for a little while after a token is deleted. No new or updated resources will be accessible with the deleted token.

Required parameterTypeDescription
token_idstringThe ID of the token that you want to delete. This is not the access token itself, but rather the unique identifier for a specific token.

Example request: Delete a token

$ curl -X DELETE "https://api.mapbox.com/tokens/v2/{username}/{token_id}?access_token=
YOUR_MAPBOX_ACCESS_TOKEN
"

Response: Delete a token

HTTP 204 No Content

Supported libraries: Delete a token

Mapbox wrapper libraries help you integrate Mapbox APIs into your existing application. The following SDK supports this endpoint:

See the SDK documentation for details and examples of how to use the relevant methods to query this endpoint.

Retrieve a token

get
/tokens/v2?access_token={access_token}

Retrieve an access token and check whether it is valid. If the token is invalid, an explanation is returned as the code property in the response body.

Required parameterTypeDescription
access_tokenstringThe access token to retrieve.

Example request: Retrieve a token

$ curl "https://api.mapbox.com/tokens/v2?access_token=YOUR_MAPBOX_ACCESS_TOKEN"

Response: Retrieve a token

The body of the token is parsed and included as the token property in object form. The returned object contains the following properties:

PropertyTypeDescription
codestringIndicates whether the token is valid. If the token is invalid, describes the reason. One of:
CodeDescription
TokenValidThe token is valid and active.
TokenMalformedThe token cannot be parsed.
TokenInvalidThe signature for the token does not validate.
TokenExpiredThe token was temporary and has expired.
TokenRevokedThe token's authorization has been deleted.
tokenobjectThe token object. Contains the following properties:
token.usagestringThe token type. One of pk, sk, or tk.
token.userstringThe user to whom the token belongs.
token.authorizationstringThe token's unique identifier.
token.expiresstringtk tokens only. The expiration time of the token.
token.createdstringtk tokens only. The creation time of the token.
token.scopesarraytk tokens only. The token's assigned scopes.
token.clientstringtk tokens only. Always "api".

Example response: Retrieve a token

For a public token:

{
  "code": "TokenValid",
  "token": {
    "usage": "pk",
    "user": "mapbox",
    "authorization": "cijucimbe000brbkt48d0dhcx"
  }
}

For a temporary token:

{
  "code": "TokenExpired",
  "token": {
    "usage": "tk",
    "user": "mapbox",
    "expires": "2016-09-15T19:27:53.000Z",
    "created": "2016-09-15T19:27:23.000Z",
    "scopes": ["styles:read", "fonts:read"],
    "client": "api"
  }
}

Supported libraries: Retrieve a token

Mapbox wrapper libraries help you integrate Mapbox APIs into your existing application. The following SDK supports this endpoint:

See the SDK documentation for details and examples of how to use the relevant methods to query this endpoint.

List scopes

get
/scopes/v1/{username}?access_token={access_token}
scopes:list

List scopes for a user. All potential scopes a user has access to are listed.

Public tokens may only contain scopes with the public property set to true. Secret tokens may contain any scope.

Required parameterTypeDescription
usernamestringThe username of the account for which to list scopes.

Example request: List scopes

$ curl "https://api.mapbox.com/scopes/v1/{username}?access_token=
YOUR_MAPBOX_ACCESS_TOKEN
"

Response: List scopes

The response body will contain an object for each scope the user has access to, each with the following properties:

PropertyTypeDescription
idstringThe identifier of the scope.
descriptionstringA description of permissions granted by the scope.
publicbooleantrue if the scope is available for public tokens.

Example response (truncated): List scopes

[
  {
    "id": "scopes:list",
    "description": "List all available scopes."
  },
  {
    "id": "styles:read",
    "public": true,
    "description": "Read styles."
  }
]

Supported libraries: List scopes

Mapbox wrapper libraries help you integrate Mapbox APIs into your existing application. The following SDK supports this endpoint:

See the SDK documentation for details and examples of how to use the relevant methods to query this endpoint.

Tokens API errors

Response body code or messageHTTP status codeDescription
TokenInvalid, TokenMalformed200Check the access token used in the query when retrieving a token.
TokenExpired200The temporary token has expired and needs to be regenerated when retrieving a token.
TokenRevoked200The token has been revoked and needs to be regenerated when retrieving a token.
Unauthorized401The token used in the query was not valid, or no token was used in the query. If a temporary token was used, it may be expired.
Not found404The access token used in the query needs the tokens:read (to list) or tokens:write scope (to create, update, or delete). This error may also indicate that a token is not associated with a user account.
No such user404Check the username used in the query.
access token is required422No access token was used in the query.
usage must be pk or sk422The usage parameter must be one of pk (public token) or sk (secret token).
expires is in the past422You can't create a temporary token with an expires parameter that occurs in the past.
expires is more than one hour in the future422When creating a temporary token, the expiration must be no more than one hour in the future.
expires may not be greater than the expiration of the authorizing token422When creating a temporary token using another temporary token, the expiration of the created token cannot be greater than that of the creating token.
scopes are invalid422You cannot create a new token with scopes that exceed those of the token you are using to create it.
resources are invalid422When creating or updating a token, the resources in the body are malformed, empty, or require higher permissions that those of the creating token.
Internal Server Error500This error can occur if the start value is not valid.

Tokens API restrictions and limits

  • Requests must be over HTTPS. HTTP is not supported.
  • The Tokens API is limited to 100 requests per minute per account. If you require a higher rate limit, contact us.
  • Each token is limited to 100 allowed URLs.
  • Temporary tokens cannot have allowed URLs, but public tokens and secret tokens can.