- Home
- Skills
- Mapbox
- Mapbox Agent Skills
- Mapbox Token Security
mapbox-token-security_skill
- JavaScript
10
GitHub Stars
2
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill mapbox/mapbox-agent-skills --skill mapbox-token-security- AGENTS.md5.8 KB
- SKILL.md10.6 KB
Overview
This skill provides focused guidance on securing Mapbox access tokens across client and server environments. It explains token types, scope management, URL restrictions, rotation strategies, storage patterns, monitoring, and incident response. Use it to create, audit, or remediate Mapbox token configurations with practical, security-first steps.
How this skill works
The skill identifies the correct token type for each use case (public pk.*, secret sk.*, temporary tk.*) and recommends the minimum required scopes. It inspects and prescribes URL restrictions for public tokens, secure storage and handling for secret tokens, and step-by-step rotation procedures for both scheduled and emergency scenarios. It also outlines monitoring signals, audit checklists, and a short incident response playbook.
When to use it
- Creating new Mapbox tokens for web, mobile, or backend services
- Choosing between public (pk.*) and secret (sk.*) tokens
- Applying URL restrictions or designing per-environment tokens
- Planning or executing token rotation (scheduled or emergency)
- Auditing token inventory, scopes, and repository leaks
- Responding to suspected token compromise or unusual usage
Best practices
- Follow principle of least privilege: grant only the scopes needed for the task
- Use public tokens only in client code and always add strict URL restrictions
- Store secret tokens in environment variables or a secrets manager; never commit them
- Rotate tokens regularly (e.g., 90 days) and have a zero-downtime rotation process
- Monitor token usage: request volume, geolocation, spikes, and requests outside allowed URLs
- Maintain an incident playbook: revoke, replace, deploy, investigate, and update controls
Example use cases
- Client-side map display: create a pk.* token with styles:read, fonts:read and domain restrictions
- Backend style management: use an sk.* token with styles:read, styles:write and no client exposure
- Temporary delegated access: issue a tk.* token via a server-side sk.* token for one-hour sessions
- CI/CD or admin tasks: store secret tokens in Vault or cloud secret manager and use short-lived credentials
- Security audit: run monthly checks for unused tokens, scope drift, and tokens in public repos
FAQ
No. Secret tokens (sk.*) have full API access and must never be exposed in client code; use public tokens (pk.*) with restricted scopes for clients.
How quickly should I revoke a compromised token?
Revoke immediately, create a replacement, deploy updates, notify the team, and investigate access logs within 24 hours; follow the emergency rotation steps.