mapbox-token-security_skill

This skill helps you securely manage Mapbox access tokens by enforcing scope, URL restrictions, rotation, and proper storage across environments.
  • JavaScript

10

GitHub Stars

2

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill mapbox/mapbox-agent-skills --skill mapbox-token-security

  • AGENTS.md5.8 KB
  • SKILL.md10.6 KB

Overview

This skill provides focused guidance on securing Mapbox access tokens across client and server environments. It explains token types, scope management, URL restrictions, rotation strategies, storage patterns, monitoring, and incident response. Use it to create, audit, or remediate Mapbox token configurations with practical, security-first steps.

How this skill works

The skill identifies the correct token type for each use case (public pk.*, secret sk.*, temporary tk.*) and recommends the minimum required scopes. It inspects and prescribes URL restrictions for public tokens, secure storage and handling for secret tokens, and step-by-step rotation procedures for both scheduled and emergency scenarios. It also outlines monitoring signals, audit checklists, and a short incident response playbook.

When to use it

  • Creating new Mapbox tokens for web, mobile, or backend services
  • Choosing between public (pk.*) and secret (sk.*) tokens
  • Applying URL restrictions or designing per-environment tokens
  • Planning or executing token rotation (scheduled or emergency)
  • Auditing token inventory, scopes, and repository leaks
  • Responding to suspected token compromise or unusual usage

Best practices

  • Follow principle of least privilege: grant only the scopes needed for the task
  • Use public tokens only in client code and always add strict URL restrictions
  • Store secret tokens in environment variables or a secrets manager; never commit them
  • Rotate tokens regularly (e.g., 90 days) and have a zero-downtime rotation process
  • Monitor token usage: request volume, geolocation, spikes, and requests outside allowed URLs
  • Maintain an incident playbook: revoke, replace, deploy, investigate, and update controls

Example use cases

  • Client-side map display: create a pk.* token with styles:read, fonts:read and domain restrictions
  • Backend style management: use an sk.* token with styles:read, styles:write and no client exposure
  • Temporary delegated access: issue a tk.* token via a server-side sk.* token for one-hour sessions
  • CI/CD or admin tasks: store secret tokens in Vault or cloud secret manager and use short-lived credentials
  • Security audit: run monthly checks for unused tokens, scope drift, and tokens in public repos

FAQ

No. Secret tokens (sk.*) have full API access and must never be exposed in client code; use public tokens (pk.*) with restricted scopes for clients.

How quickly should I revoke a compromised token?

Revoke immediately, create a replacement, deploy updates, notify the team, and investigate access logs within 24 hours; follow the emergency rotation steps.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational
mapbox-token-security skill by mapbox/mapbox-agent-skills | VeilStrat