Glossary

access token

You need a Mapbox access token to use any of Mapbox's tools, APIs, or SDKs. Mapbox uses access tokens to associate your account with your requests to Mapbox API resources. You can find all your access tokens, create new ones, or delete existing ones on your Access tokens page.

Here's what an access token looks like in a Mapbox API request (specifically, the Geocoding API):

https://api.mapbox.com/geocoding/v5/mapbox.places/Los%20Angeles.json?access_token=YOUR_MAPBOX_ACCESS_TOKEN

Public vs. secret tokens

When you create an access token, you have the choice to give it a set of zero or more scopes. The actions allowed by a token are based on token scopes. They define which Mapbox APIs can be accessed by a token, as well as which methods can be used to access those APIs. Access tokens have either public or secret scopes.

Public scopes and tokens

Public scopes only allow you to retrieve data from Mapbox APIs. These tokens are safer to put in public applications, since they cannot be used to change data in your account. Tokens with public scopes begin with pk.

Once a public token is created, the token can be renamed and public scopes can be added and removed. Secret scopes cannot be added to public tokens.

Secret scopes and tokens

Secret scopes allow creation and modification access to Mapbox APIs. They also allow access to APIs that may contain account-specific information. These tokens should be used only in secure contexts. Tokens with secret scopes begin with sk.

Once you have created a secret token, you can only view it once. If you refresh or navigate away from your Access tokens page, the token itself will disappear, so copy the secret token and store it in a safe place. The token can be renamed and any scopes can be added or removed at any time.

The only way to update a secret token is by using the Tokens API.
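The prefix rule above gives a simple pre-release check: flag any sk. token that appears in client-facing source or in a request URL. This is an added example, not Mapbox code; only the pk. and sk. prefixes and the access_token query parameter come from this page, while the token character set in the regex, the function names and the sample values are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a token is its prefix followed by URL-safe characters and dots.
# Only the "pk." / "sk." prefixes are documented on this page.
TOKEN_RE = re.compile(r"\b(?:pk|sk)\.[A-Za-z0-9_\-.]{8,}")

def classify(token):
    """Return 'public', 'secret' or 'unknown' from the documented prefix."""
    if token.startswith("pk."):
        return "public"
    if token.startswith("sk."):
        return "secret"
    return "unknown"

def redact(token):
    """Keep only the prefix and a few characters so findings are safe to log."""
    return token[:6] + "..."

def url_uses_secret_token(url):
    """True if any access_token query value in a request URL is a secret token."""
    values = parse_qs(urlsplit(url).query).get("access_token", [])
    return any(classify(v) == "secret" for v in values)

def scan_client_text(text):
    """Return (line_no, kind, redacted_token) for every token in the text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in TOKEN_RE.finditer(line):
            token = match.group(0)
            findings.append((line_no, classify(token), redact(token)))
    return findings

def secret_findings(text):
    """Only the findings that should block a public release."""
    return [f for f in scan_client_text(text) if f[1] == "secret"]

# Constructed sample of client-side code; the token values are not real.
SAMPLE = (
    'const url = "https://api.mapbox.com/geocoding/v5/mapbox.places/'
    'Los%20Angeles.json?access_token=pk.CONSTRUCTED_public_value_0001";\n'
    'const admin = "sk.CONSTRUCTED_secret_value_0002";\n'
)

if __name__ == "__main__":
    for line_no, kind, shown in secret_findings(SAMPLE):
        print(f"line {line_no}: {kind} token {shown} in client-facing code")
```
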

Default Public Token

Your account will always have at least one public access token. This token is your Default Public Token. If you refresh this token, it will be deleted and API requests using that token will no longer be authorized. Another public token will become your Default Public Token. When you're logged into your account, this token will automatically be embedded in example code on Mapbox.com.

The Tokens API

You can also use the Mapbox Tokens API to programmatically create, update, and delete access tokens.
