Secure access tokens for your web applications
By: Erin Quinn
Deploy Mapbox GL JS applications with confidence by adding URL restrictions to your access tokens, enabling an extra layer of security and helping to prevent unauthorized use.
When you add URL restrictions to your access token, only requests originating from specified URLs will be authorized. These restrictions can help prevent third parties from unauthorized use of your access tokens, so you can be confident that you’re only being billed for what you use.
Getting started with restrictions
Add URL restrictions to an existing access token in less than 5 minutes by navigating to your Access Tokens page and clicking on a token’s name.
If you only have a Default Public Token listed, click the Create a token button to generate a new token that is eligible for restrictions.
Then, in the URLs text box, enter the absolute or partial web addresses that this token should be authorized for; the documentation outlines the valid URL restriction patterns.
Best practices for restrictions and token management
While you’re creating new tokens to test URL restrictions on a subset of your web traffic, take a moment to compare your token management policy with our recommendations below.
- Upgrade GL JS versions: Using the latest version of Mapbox GL JS ensures that the most accurate referring URLs are sent in the header of your requests, across a wide set of browsers. If you are seeing “Not set” or “Other” domains on your Statistics page, this is an indication that legitimate web traffic could be blocked, because high-accuracy referrers are not being sent to Mapbox. Before testing URL restrictions, upgrade to the latest GL JS version and consult the release notes for breaking changes.
- Create separate tokens for each environment: Creating separate tokens based on your environments allows you to create more tightly scoped URL restrictions depending on that token’s use case. For example, localhost is blocked unless it is explicitly added to a token’s allowed list. To develop locally, create a separate token with more permissive URL restrictions.
- Deploy distinct tokens for each web application: Deploying unique tokens in each of your applications allows you to isolate statistics by tokens on account.mapbox.com/statistics for more granular usage tracking.
These best practices will help you test URL-restricted tokens in an isolated context, so check out the documentation and reach out to support with questions or feedback. Note: URL restrictions are only compatible with browser-based requests, so they should only be added to access tokens used in GL JS applications, and not to tokens used in the Android, iOS or Navigation SDKs.
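To make the behaviour described above concrete, here is an added example that is not Mapbox's own code and does not reproduce Mapbox's actual matching rules: a small Node.js model of a referrer allowlist check, the kind of decision a server makes when a URL-restricted token arrives with a browser's Referer header. It shows why a request with no referrer (the “Not set” case) is refused once restrictions are in place, why a localhost request is blocked by a production token unless a separate development token lists it, and why a look-alike host must not slip through. The pattern semantics (scheme optional, host match including subdomains, path prefix on a path-segment boundary, port checked only when the pattern names one) and all allowlists and sample referrers are constructed assumptions for illustration; the real pattern rules are in the Mapbox documentation.

```javascript
// Added illustration (not Mapbox code): a minimal model of a URL-restriction
// allowlist check against a browser's Referer header. All rule semantics here
// are assumptions for illustration only.

// Parse one allowlist entry. An entry with a scheme ("https://host/path") is an
// absolute pattern; one without ("host/path") is a partial pattern that matches
// any scheme. Assumed rules, not Mapbox's documented ones.
function parsePattern(pattern) {
  const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(pattern);
  const url = new URL(hasScheme ? pattern : `https://${pattern}`);
  return {
    pattern,
    scheme: hasScheme ? url.protocol.replace(":", "") : null,
    host: url.hostname.toLowerCase(),
    port: url.port, // "" when the pattern names no port
    path: url.pathname, // "/" when the pattern names no path
  };
}

// Parse the Referer header; a missing or malformed header yields null,
// which is the "Not set" situation the statistics page reports.
function parseReferer(referer) {
  if (!referer) return null;
  try {
    return new URL(referer);
  } catch {
    return null;
  }
}

// Does one parsed rule authorize one parsed referer?
function matches(rule, ref) {
  if (rule.scheme && rule.scheme !== ref.protocol.replace(":", "")) return false;
  if (rule.port && rule.port !== ref.port) return false;
  const host = ref.hostname.toLowerCase();
  // Exact host or a subdomain of it. The leading "." is what stops a
  // look-alike such as "maps-example.com" from matching "example.com".
  if (host !== rule.host && !host.endsWith("." + rule.host)) return false;
  // Path prefix on a segment boundary: "/app" covers "/app" and "/app/x",
  // but not "/application".
  const prefix = rule.path.endsWith("/") ? rule.path : rule.path + "/";
  return ref.pathname === rule.path || ref.pathname.startsWith(prefix);
}

// Decide whether a request may use a token restricted to allowedPatterns.
// An empty list means the token carries no URL restrictions.
function isAuthorized(refererHeader, allowedPatterns) {
  if (allowedPatterns.length === 0) {
    return { allowed: true, reason: "token has no URL restrictions" };
  }
  const ref = parseReferer(refererHeader);
  if (!ref) {
    return { allowed: false, reason: "referrer not set or unparsable" };
  }
  const hit = allowedPatterns.map(parsePattern).find((r) => matches(r, ref));
  return hit
    ? { allowed: true, reason: `matched pattern ${hit.pattern}` }
    : { allowed: false, reason: "no allowed URL pattern matched" };
}

// Constructed allowlists: one for a production token, one for a separate
// development token, as the "separate tokens per environment" advice suggests.
const PRODUCTION_ALLOWLIST = ["https://maps.example.com", "example.org/app"];
const DEV_ALLOWLIST = ["http://localhost:3000"];

// Constructed sample referrers, including a look-alike host and a missing header.
const SAMPLE_REFERERS = [
  "https://maps.example.com/dashboard",
  "https://www.example.org/app/index.html",
  "https://maps-example.com/",
  "http://localhost:3000/index.html",
  undefined,
];

// Evaluate every sample referrer against one allowlist; returns the decisions.
function evaluateSamples(allowedPatterns) {
  return SAMPLE_REFERERS.map((referer) => ({
    referer: referer ?? "(Not set)",
    ...isAuthorized(referer, allowedPatterns),
  }));
}

console.log("Production token:");
console.table(evaluateSamples(PRODUCTION_ALLOWLIST));
console.log("Development token:");
console.table(evaluateSamples(DEV_ALLOWLIST));
```

Run it with `node` to see both tables; the production allowlist admits the two legitimate referrers and refuses the look-alike host, the localhost page and the request with no referrer, while the development token admits only the localhost page. Whatever the real matching rules are, the defender's checks are the same: confirm that a missing or coarse referrer is refused rather than silently allowed, and that a host which merely contains your domain name does not match.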
URL restrictions for access tokens was originally published in Points of interest on Medium.