mapbox-token-security

par mapbox

Bonnes pratiques de sécurité pour les jetons d'accès Mapbox, incluant la gestion des périmètres, les restrictions d'URL, les stratégies de rotation et la protection des données sensibles. À utiliser lorsque…

npx skills add https://github.com/mapbox/mapbox-agent-skills --skill mapbox-token-security

Mapbox Token Security Skill

This skill provides security expertise for managing Mapbox access tokens safely and effectively.

Token Types and When to Use Them

Public Tokens (pk.*)

Characteristics:

  • Can be safely exposed in client-side code
  • Limited to specific public scopes only
  • Can have URL restrictions
  • Cannot access sensitive APIs

When to use:

  • Client-side web applications
  • Mobile apps
  • Public-facing demos
  • Embedded maps on websites

Allowed scopes:

  • styles:tiles - Display style tiles (raster)
  • styles:read - Read style specifications
  • fonts:read - Access Mapbox fonts
  • datasets:read - Read dataset data
  • vision:read - Vision API access

Secret Tokens (sk.*)

Characteristics:

  • NEVER expose in client-side code
  • Full API access with any scopes
  • Server-side use only
  • Can create/manage other tokens

When to use:

  • Server-side applications
  • Backend services
  • CI/CD pipelines
  • Administrative tasks
  • Token management

Common scopes:

  • styles:write - Create/modify styles
  • styles:list - List all styles
  • tokens:read - View token information
  • tokens:write - Create/modify tokens
  • User feedback management scopes

Temporary Tokens (tk.*)

Characteristics:

  • Short-lived (max 1 hour)
  • Created by secret tokens
  • Single-purpose use
  • Automatically expire

When to use:

  • One-time operations
  • Temporary delegated access
  • Short-lived demos
  • Security-conscious workflows

Scope Management Best Practices

Principle of Least Privilege

Always grant the minimum scopes needed:

Bad:

// Overly permissive - don't do this
{
  scopes: ['styles:read', 'styles:write', 'styles:list', 'styles:delete', 'tokens:read', 'tokens:write'];
}

Good:

// Only what's needed for displaying a map
{
  scopes: ['styles:read', 'fonts:read'];
}
// Add 'styles:tiles' if your map uses raster tile sources
{
  scopes: ['styles:read', 'fonts:read', 'styles:tiles'];
}

Scope Combinations by Use Case

Public Map Display (client-side):

{
  "scopes": ["styles:read", "fonts:read", "styles:tiles"],
  "note": "Public token for map display",
  "allowedUrls": ["https://myapp.com/*"]
}

Style Management (server-side):

{
  "scopes": ["styles:read", "styles:write", "styles:list"],
  "note": "Backend style management - SECRET TOKEN"
}

Token Administration (server-side):

{
  "scopes": ["tokens:read", "tokens:write"],
  "note": "Token management only - SECRET TOKEN"
}

Read-Only Access:

{
  "scopes": ["styles:list", "styles:read", "tokens:read"],
  "note": "Auditing/monitoring - SECRET TOKEN"
}

URL Restrictions

Why URL Restrictions Matter

URL restrictions limit where a public token can be used, preventing unauthorized usage if the token is exposed.

Effective URL Patterns

Recommended patterns:

https://myapp.com/*           # Production domain
https://*.myapp.com/*         # All subdomains
https://staging.myapp.com/*   # Staging environment
http://localhost:*            # Local development

Avoid these:

*                             # No restriction (insecure)
http://*                      # Any HTTP site (insecure)
*.com/*                       # Too broad

Multiple Environment Strategy

Create separate tokens for each environment:

// Production
{
  note: "Production - myapp.com",
  scopes: ["styles:read", "fonts:read"],
  allowedUrls: ["https://myapp.com/*", "https://www.myapp.com/*"]
}

// Staging
{
  note: "Staging - staging.myapp.com",
  scopes: ["styles:read", "fonts:read"],
  allowedUrls: ["https://staging.myapp.com/*"]
}

// Development
{
  note: "Development - localhost",
  scopes: ["styles:read", "fonts:read"],
  allowedUrls: ["http://localhost:*", "http://127.0.0.1:*"]
}

Token Storage and Handling

Server-Side (Secret Tokens)

DO:

  • Store in environment variables
  • Use secret management services (AWS Secrets Manager, HashiCorp Vault)
  • Encrypt at rest
  • Limit access via IAM policies
  • Log token usage

DON'T:

  • Hardcode in source code
  • Commit to version control
  • Store in plaintext configuration files
  • Share via email or Slack
  • Reuse across multiple services

Example: Secure Environment Variable:

# .env (NEVER commit this file)
MAPBOX_SECRET_TOKEN=sk.ey...

# .gitignore (ALWAYS include .env)
.env
.env.local
.env.*.local

Client-Side (Public Tokens)

DO:

  • Use public tokens only
  • Apply URL restrictions
  • Use different tokens per app
  • Rotate periodically
  • Monitor usage

DON'T:

  • Expose secret tokens
  • Use tokens without URL restrictions
  • Share tokens between unrelated apps
  • Use tokens with excessive scopes

Example: Safe Client Usage:

// Public token with URL restrictions - SAFE
const mapboxToken = 'pk.YOUR_MAPBOX_TOKEN_HERE';

// This token is restricted to your domain
// and only has styles:read scope
mapboxgl.accessToken = mapboxToken;

Security Checklist

Token Creation:

  • Use public tokens for client-side, secret for server-side
  • Apply principle of least privilege for scopes
  • Add URL restrictions to public tokens
  • Use descriptive names/notes for token identification
  • Document intended use and environment

Token Management:

  • Store secret tokens in environment variables or secret managers
  • Never commit tokens to version control
  • Rotate tokens every 90 days (or per policy)
  • Remove unused tokens promptly
  • Separate tokens by environment (dev/staging/prod)

Monitoring:

  • Track token usage patterns
  • Set up alerts for unusual activity
  • Regular security audits (monthly)
  • Review team access quarterly
  • Scan repositories for exposed tokens

Incident Response:

  • Documented revocation procedure
  • Emergency contact list
  • Rotation process documented
  • Post-incident review template
  • Team training on security procedures

Reference Files

For detailed guidance on specific topics, load these references as needed:

  • references/rotation-monitoring.md — Token rotation strategies (zero-downtime + emergency), monitoring metrics, alerting rules, and monthly/quarterly audit checklists. Load when: implementing rotation, setting up monitoring, or conducting audits.
  • references/incident-response.md — Step-by-step incident response plan and common security mistakes with code examples. Load when: responding to a token compromise, reviewing code for security issues, or training on anti-patterns.

When to Use This Skill

Invoke this skill when:

  • Creating new tokens
  • Deciding between public vs secret tokens
  • Setting up token restrictions
  • Implementing token rotation
  • Investigating security incidents
  • Conducting security audits
  • Training team on token security
  • Reviewing code for token exposure

Plus de skills de mapbox

mapbox-android-patterns
mapbox
Modèles d'intégration officiels pour le SDK Mapbox Maps sur Android. Couvre l'installation, l'ajout de marqueurs, la localisation de l'utilisateur, les données personnalisées, les styles, le contrôle de la caméra, et…
official
mapbox-cartography
mapbox
Conseils d’expert sur les principes de conception cartographique, la théorie des couleurs, la hiérarchie visuelle, la typographie et les bonnes pratiques cartographiques pour créer des cartes efficaces et esthétiques…
official
mapbox-data-visualization-patterns
mapbox
Modèles de visualisation de données sur cartes, incluant les cartes choroplèthes, les cartes de chaleur, les visualisations 3D, le style basé sur les données et les données animées. Couvre les types de couches,…
official
mapbox-geospatial-operations
mapbox
Conseils d'expert pour choisir l'outil géospatial adapté en fonction du type de problème, des exigences de précision et des besoins de performance.
official
mapbox-google-maps-migration
mapbox
Guide de migration pour les développeurs passant de Google Maps Platform à Mapbox GL JS, couvrant les équivalents d'API, les traductions de motifs et les différences clés
official
mapbox-ios-patterns
mapbox
Modèles d'intégration officiels pour le SDK Mapbox Maps sur iOS. Couvre l'installation, l'ajout de marqueurs, la localisation de l'utilisateur, les données personnalisées, les styles, le contrôle de la caméra, et…
official
mapbox-location-grounding
mapbox
Composer les outils Mapbox MCP pour produire des réponses localisées, fondées et citées à partir de données en direct plutôt que de données d'entraînement.
official
mapbox-maplibre-migration
mapbox
Guide pour migrer de MapLibre GL JS vers Mapbox GL JS, couvrant la compatibilité des API, la configuration des tokens, la configuration des styles et les avantages de la version officielle de Mapbox…
official