Each access token you create will have a set of permissions that allow you to make certain types of requests to Mapbox APIs -- these are called scopes. Some Mapbox APIs only accept requests that include tokens with a particular scope. When creating an access token, you will have the option to add additional public or private scopes to your token. If you choose to add any secret scopes to your token, you will have only one chance to view the token.
When choosing scopes, consider what you plan to do with the token. To protect your account and your data, do not grant more scopes than necessary to each token. For example, if you are creating a token to upload data to Mapbox with the Mapbox Uploads API, you will want to make sure you select the
uploads:read scopes. To display a map in a web or mobile application, you should create a separate access token that does not include the private uploads-related scopes, but does include the public
Our API documentation lists the scopes required for each Mapbox API.
Any public access tokens you include in web page will be visible to anyone who makes an effort to look for it. Access tokens, however, can be deleted and rotated at any time if you suspect misuse. Secret tokens should only be used in places where they will not be visible to your users.
You can create as many access tokens as you want. To rotate, create a new access token, replace it in a project, and then remove the old token. Invalidation for uncached requests will happen immediately. Cached requests can take up to an hour.
Access tokens can be created, deleted, and managed on your Access Tokens page:
- Click Create a token and give your new token a name to help you remember its purpose.
- Specify scopes.
- Click Create token to create the token. You may be prompted to re-enter your password.
- If you have created a secret token, be sure to store it somewhere safe if you need to access it later. You will only have one opportunity to copy it.
Your new token should appear at the top of your list of tokens. You can click on the name of any token to see the scopes it covers and, if the token is public, you can see the token itself.
With the Mapbox Tokens API you can create, read, and update your access tokens. To create additional tokens using this API you will first need to create an initial token with the
tokens:write scope and any scopes you want to add to the created token. To create this initial token visit your Access Tokens page, and click Create a token. Read more about the Tokens API on our API documentation page.