Mapbox Token Security Skill
This skill provides security expertise for managing Mapbox access tokens safely and effectively.
Token Types and When to Use Them
Public Tokens (pk.\*)
Characteristics:
- - Can be safely exposed in client-side code
- Limited to specific public scopes only
- Can have URL restrictions
- Cannot access sensitive APIs
When to use:
- - Client-side web applications
- Mobile apps
- Public-facing demos
- Embedded maps on websites
Allowed scopes:
- -
styles:tiles - Display style tiles (raster) - INLINECODE1� - Read style specifications
- INLINECODE2� - Access Mapbox fonts
- INLINECODE3� - Read dataset data
- INLINECODE4� - Vision API access
Secret Tokens (sk.\*)
Characteristics:
- - NEVER expose in client-side code
- Full API access with any scopes
- Server-side use only
- Can create/manage other tokens
When to use:
- - Server-side applications
- Backend services
- CI/CD pipelines
- Administrative tasks
- Token management
Common scopes:
- -
styles:write - Create/modify styles - INLINECODE6� - List all styles
- INLINECODE7� - View token information
- INLINECODE8� - Create/modify tokens
- User feedback management scopes
Temporary Tokens (tk.\*)
Characteristics:
- - Short-lived (max 1 hour)
- Created by secret tokens
- Single-purpose use
- Automatically expire
When to use:
- - One-time operations
- Temporary delegated access
- Short-lived demos
- Security-conscious workflows
Scope Management Best Practices
Principle of Least Privilege
Always grant the minimum scopes needed:
❌ Bad:
CODEBLOCK0
✅ Good:
CODEBLOCK1
Scope Combinations by Use Case
Public Map Display (client-side):
CODEBLOCK2
Style Management (server-side):
CODEBLOCK3
Token Administration (server-side):
CODEBLOCK4
Read-Only Access:
CODEBLOCK5
URL Restrictions
Why URL Restrictions Matter
URL restrictions limit where a public token can be used, preventing unauthorized usage if the token is exposed.
Effective URL Patterns
✅ Recommended patterns:
CODEBLOCK6
❌ Avoid these:
CODEBLOCK7
Multiple Environment Strategy
Create separate tokens for each environment:
CODEBLOCK8
Token Storage and Handling
Server-Side (Secret Tokens)
✅ DO:
- - Store in environment variables
- Use secret management services (AWS Secrets Manager, HashiCorp Vault)
- Encrypt at rest
- Limit access via IAM policies
- Log token usage
❌ DON'T:
- - Hardcode in source code
- Commit to version control
- Store in plaintext configuration files
- Share via email or Slack
- Reuse across multiple services
Example: Secure Environment Variable:
CODEBLOCK9
Client-Side (Public Tokens)
✅ DO:
- - Use public tokens only
- Apply URL restrictions
- Use different tokens per app
- Rotate periodically
- Monitor usage
❌ DON'T:
- - Expose secret tokens
- Use tokens without URL restrictions
- Share tokens between unrelated apps
- Use tokens with excessive scopes
Example: Safe Client Usage:
CODEBLOCK10
Security Checklist
Token Creation:
- - [ ] Use public tokens for client-side, secret for server-side
- [ ] Apply principle of least privilege for scopes
- [ ] Add URL restrictions to public tokens
- [ ] Use descriptive names/notes for token identification
- [ ] Document intended use and environment
Token Management:
- - [ ] Store secret tokens in environment variables or secret managers
- [ ] Never commit tokens to version control
- [ ] Rotate tokens every 90 days (or per policy)
- [ ] Remove unused tokens promptly
- [ ] Separate tokens by environment (dev/staging/prod)
Monitoring:
- - [ ] Track token usage patterns
- [ ] Set up alerts for unusual activity
- [ ] Regular security audits (monthly)
- [ ] Review team access quarterly
- [ ] Scan repositories for exposed tokens
Incident Response:
- - [ ] Documented revocation procedure
- [ ] Emergency contact list
- [ ] Rotation process documented
- [ ] Post-incident review template
- [ ] Team training on security procedures
Reference Files
For detailed guidance on specific topics, load these references as needed:
- -
references/rotation-monitoring.md — Token rotation strategies (zero-downtime + emergency), monitoring metrics, alerting rules, and monthly/quarterly audit checklists. Load when: implementing rotation, setting up monitoring, or conducting audits. references/incident-response.md — Step-by-step incident response plan and common security mistakes with code examples. Load when: responding to a token compromise, reviewing code for security issues, or training on anti-patterns.
When to Use This Skill
Invoke this skill when:
- - Creating new tokens
- Deciding between public vs secret tokens
- Setting up token restrictions
- Implementing token rotation
- Investigating security incidents
- Conducting security audits
- Training team on token security
- Reviewing code for token exposure
Mapbox 令牌安全技能
本技能提供安全管理 Mapbox 访问令牌的安全专业知识。
令牌类型及使用场景
公开令牌 (pk.\*)
特性:
- - 可在客户端代码中安全暴露
- 仅限特定的公开作用域
- 可设置 URL 限制
- 无法访问敏感 API
使用场景:
- - 客户端 Web 应用程序
- 移动应用
- 面向公众的演示
- 网站上的嵌入式地图
允许的作用域:
- - styles:tiles - 显示样式瓦片(栅格)
- styles:read - 读取样式规范
- fonts:read - 访问 Mapbox 字体
- datasets:read - 读取数据集数据
- vision:read - 视觉 API 访问
秘密令牌 (sk.\*)
特性:
- - 切勿在客户端代码中暴露
- 具有任意作用域的完整 API 访问权限
- 仅限服务端使用
- 可创建/管理其他令牌
使用场景:
- - 服务端应用程序
- 后端服务
- CI/CD 流水线
- 管理任务
- 令牌管理
常见作用域:
- - styles:write - 创建/修改样式
- styles:list - 列出所有样式
- tokens:read - 查看令牌信息
- tokens:write - 创建/修改令牌
- 用户反馈管理作用域
临时令牌 (tk.\*)
特性:
- - 短生命周期(最长 1 小时)
- 由秘密令牌创建
- 单一用途
- 自动过期
使用场景:
- - 一次性操作
- 临时委托访问
- 短期演示
- 注重安全的工作流程
作用域管理最佳实践
最小权限原则
始终授予所需的最小作用域:
❌ 错误示例:
javascript
// 权限过于宽泛 - 请勿这样做
{
scopes: [styles:read, styles:write, styles:list, styles:delete, tokens:read, tokens:write];
}
✅ 正确示例:
javascript
// 仅包含显示地图所需的作用域
{
scopes: [styles:read, fonts:read];
}
// 如果地图使用栅格瓦片源,添加 styles:tiles
{
scopes: [styles:read, fonts:read, styles:tiles];
}
按用例组合作用域
公开地图显示(客户端):
json
{
scopes: [styles:read, fonts:read, styles:tiles],
note: 用于地图显示的公开令牌,
allowedUrls: [https://myapp.com/*]
}
样式管理(服务端):
json
{
scopes: [styles:read, styles:write, styles:list],
note: 后端样式管理 - 秘密令牌
}
令牌管理(服务端):
json
{
scopes: [tokens:read, tokens:write],
note: 仅限令牌管理 - 秘密令牌
}
只读访问:
json
{
scopes: [styles:list, styles:read, tokens:read],
note: 审计/监控 - 秘密令牌
}
URL 限制
URL 限制的重要性
URL 限制限定了公开令牌的使用范围,防止令牌暴露后被未授权使用。
有效的 URL 模式
✅ 推荐模式:
https://myapp.com/* # 生产域名
https://.myapp.com/ # 所有子域名
https://staging.myapp.com/* # 预发布环境
http://localhost:* # 本地开发
❌ 避免以下模式:
http://* # 任何 HTTP 站点(不安全)
.com/ # 范围过广
多环境策略
为每个环境创建独立的令牌:
javascript
// 生产环境
{
note: 生产环境 - myapp.com,
scopes: [styles:read, fonts:read],
allowedUrls: [https://myapp.com/, https://www.myapp.com/]
}
// 预发布环境
{
note: 预发布环境 - staging.myapp.com,
scopes: [styles:read, fonts:read],
allowedUrls: [https://staging.myapp.com/*]
}
// 开发环境
{
note: 开发环境 - localhost,
scopes: [styles:read, fonts:read],
allowedUrls: [http://localhost:, http://127.0.0.1:]
}
令牌存储与处理
服务端(秘密令牌)
✅ 应做事项:
- - 存储在环境变量中
- 使用密钥管理服务(AWS Secrets Manager、HashiCorp Vault)
- 静态加密
- 通过 IAM 策略限制访问
- 记录令牌使用情况
❌ 禁止事项:
- - 在源代码中硬编码
- 提交到版本控制
- 以明文形式存储在配置文件中
- 通过电子邮件或 Slack 分享
- 在多个服务间重复使用
示例:安全的环境变量:
bash
.env(切勿提交此文件)
MAPBOX
SECRETTOKEN=sk.ey...
.gitignore(始终包含 .env)
.env
.env.local
.env.*.local
客户端(公开令牌)
✅ 应做事项:
- - 仅使用公开令牌
- 应用 URL 限制
- 每个应用使用不同的令牌
- 定期轮换
- 监控使用情况
❌ 禁止事项:
- - 暴露秘密令牌
- 使用无 URL 限制的令牌
- 在无关应用间共享令牌
- 使用作用域过大的令牌
示例:安全的客户端使用:
javascript
// 具有 URL 限制的公开令牌 - 安全
const mapboxToken = pk.YOURMAPBOXTOKEN_HERE;
// 此令牌仅限于您的域名
// 且仅具有 styles:read 作用域
mapboxgl.accessToken = mapboxToken;
安全检查清单
令牌创建:
- - [ ] 客户端使用公开令牌,服务端使用秘密令牌
- [ ] 对作用域应用最小权限原则
- [ ] 为公开令牌添加 URL 限制
- [ ] 使用描述性名称/备注标识令牌
- [ ] 记录预期用途和环境
令牌管理:
- - [ ] 将秘密令牌存储在环境变量或密钥管理器中
- [ ] 切勿将令牌提交到版本控制
- [ ] 每 90 天轮换令牌(或按策略执行)
- [ ] 及时删除未使用的令牌
- [ ] 按环境分离令牌(开发/预发布/生产)
监控:
- - [ ] 跟踪令牌使用模式
- [ ] 设置异常活动告警
- [ ] 定期安全审计(每月)
- [ ] 每季度审查团队访问权限
- [ ] 扫描代码仓库中暴露的令牌
事件响应:
- - [ ] 记录撤销流程
- [ ] 紧急联系人列表
- [ ] 记录轮换流程
- [ ] 事后审查模板
- [ ] 团队安全流程培训
参考文件
如需特定主题的详细指导,请根据需要加载以下参考文件:
- - references/rotation-monitoring.md — 令牌轮换策略(零停机 + 紧急情况)、监控指标、告警规则以及月度/季度审计清单。在实施轮换、设置监控或进行审计时加载。
- references/incident-response.md — 分步事件响应计划及常见安全错误(含代码示例)。在响应令牌泄露、审查代码安全问题或培训反模式时加载。
何时使用本技能
在以下情况下调用本技能:
- - 创建新令牌时
- 决定使用公开令牌还是秘密令牌时
- 设置令牌限制时
- 实施令牌轮换时
- 调查安全事件时
- 进行安全审计时
- 培训团队令牌安全知识时
- 审查代码中令牌暴露情况时
