What is the difference between a public token and a secret token?

With Mapbox, access tokens are used to associate your account with your requests to Mapbox API resources. These tokens have token scopes that grant access to different actions and define which Mapbox APIs can be accessed by a token, as well as which methods can be used to access those APIs. Access tokens can have either public or secret scopes.

Public Access Tokens:

  • Your account will always contain a default public access token. This token is automatically embedded in example code on Mapbox.com when you're logged into your account.
  • Public tokens have read-only access rights to styles.
  • Public tokens should be used in client applications (for example, a web application running in your browser).
  • You cannot add secret scopes or URL restrictions to your default public access token.

Secret Access Tokens:

  • Secret scopes cannot be added to a public token. You must create a new secret token with secret scopes.
  • If you choose to add any secret scopes to a new token, you will have only one chance to view the token. You should copy the token and save it in a secure location.
  • Secret token API requests should never be exposed to the client. If someone else gets access to tokens with secret scopes, they may be able to make changes to your account. Make all requests that require a token with secret scopes from a server.
  • Secret tokens are used for potentially sensitive operations like uploading new data or deleting styles.
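
The following check is an added example, not Mapbox's own code: a Node.js scan that a build pipeline could run over files shipped to the browser, failing when a secret token appears in them. It assumes tokens have the form `<prefix>.<base64url JSON>.<signature>`, with `pk` for public and `sk` for secret tokens, and that the payload's `u` field holds the account name; `makeToken`, `findMapboxTokens`, `auditClientBundle` and the sample bundle are hypothetical names and constructed data.

```javascript
// Assumed token shape: <pk|sk>.<base64url JSON payload>.<signature>
const TOKEN_RE = /\b(pk|sk)\.(eyJ[A-Za-z0-9_-]+)\.([A-Za-z0-9_-]+)/g;

// Build a constructed, non-functional token so the sample needs no real credential.
function makeToken(prefix, user) {
  const payload = Buffer.from(JSON.stringify({ u: user, a: 'constructed' }))
    .toString('base64url');
  return `${prefix}.${payload}.CONSTRUCTEDSIG`;
}

// Decode the middle segment; return null when it is not valid JSON.
function decodePayload(segment) {
  try {
    return JSON.parse(Buffer.from(segment, 'base64url').toString('utf8'));
  } catch {
    return null;
  }
}

// Report every token in the text. Only a redacted prefix is kept,
// so the scan output itself does not become a second leak.
function findMapboxTokens(text, file = '<input>') {
  const findings = [];
  text.split('\n').forEach((line, i) => {
    for (const m of line.matchAll(TOKEN_RE)) {
      const payload = decodePayload(m[2]);
      findings.push({
        file,
        line: i + 1,
        kind: m[1] === 'sk' ? 'secret' : 'public',
        account: payload && typeof payload.u === 'string' ? payload.u : null,
        redacted: `${m[1]}.${m[2].slice(0, 6)}...`,
      });
    }
  });
  return findings;
}

// Public tokens are expected in client code; secret tokens are findings.
function auditClientBundle(text, file) {
  return findMapboxTokens(text, file).filter((f) => f.kind === 'secret');
}

// Constructed sample of a client-side bundle.
const sampleBundle = [
  `mapboxgl.accessToken = '${makeToken('pk', 'example-user')}';`,
  `const uploadToken = '${makeToken('sk', 'example-user')}';`,
].join('\n');
console.log(auditClientBundle(sampleBundle, 'dist/app.js'));
```

Any finding from `auditClientBundle` means the token should be moved to server-side configuration and replaced with a newly created one, since it has already been exposed.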

For more information, you can refer to the Mapbox Documentation.
