To use any of Mapbox's tools, APIs, or SDKs, you'll need a Mapbox access token. Mapbox uses access tokens to associate API requests with your account. You can find your access tokens, create new ones, or delete existing ones on your Access Tokens page or programmatically using the Mapbox Tokens API.
Mapbox uses JSON Web Tokens (JWT) as the token format. Each token is a string delimited by dots into three parts: header, payload, and signature as described in the Tokens API documentation. Every token has a metadata object that contains properties with information about the token, like
id (unique identifier) ,
note (human readable name),
allowedURLs (URLs that token is authorized for), and timestamps for
modified (last modification). For more information on the metadata object’s properties, see our Tokens API documentation
Each access token you create will have a set of permissions that allow the token to make certain types of requests to Mapbox APIs -- these are called scopes. The API documentation lists the scopes required for each Mapbox API. When creating an access token, you will have the option to add public or private scopes to the token.
For a complete list of available scopes and recommendations see the Account documentation.
You can make your access tokens for web maps more secure by adding URL restrictions. When you add a URL restriction to a token, that token will only work for requests that originate from the URLs you specify. Tokens without restrictions will work for requests originating from any URL.
For more information on requirements and details for implementing URL restrictions, see the Account documentation.