Mapbox access token leaked: rotate the secret, scope the public
Your Mapbox access token may be exposed. Here is the fastest possible recovery — three steps, no theory.
Step 01
Open Mapbox Dashboard → Access tokens → revoke the leaked secret token (sk....) immediately.
Step 02
For public tokens (pk....), add URL restrictions: only your production domains.
Step 03
Audit usage in the Statistics tab for the past week.
Step 01 — Revoke
Kill the leaked credential first
Account → Access tokens → click the leaked token → "Delete". Confirm. For replacements, click "Create a token" → set "URL restrictions" to *.yourdomain.com/* → minimum scopes only.
Step 02 — Rotate
Update the new key in the right place
Secret token (sk....): server-side env vars only — never in client code, never under a NEXT_PUBLIC_ prefix, because Next.js inlines those variables into the browser bundle.
```ts
// Public token IS allowed in client JS — but restrict it.
// Set "URL restrictions" in Mapbox dashboard to your production domains.
mapboxgl.accessToken = process.env.NEXT_PUBLIC_MAPBOX_TOKEN!;
```

Step 03 — Scan
Confirm nothing else leaked alongside it
Scan to find every map or geocoding token in your bundle.
How this usually leaks
1. Secret token used client-side instead of public token.
2. Public token without URL restrictions abused by other sites embedding your map.
3. .env committed to source control.
FAQ
Frequently asked questions
- Are public Mapbox tokens (pk....) actually safe?
- Only when scoped via URL restrictions in the Mapbox dashboard. Without them, anyone can copy your token and burn through your free tier on their site.
- Why have both secret and public tokens?
- Public tokens are for browser map rendering. Secret tokens are for backend operations like uploading datasets or managing tilesets. They should never be swapped.
Deeper dive
Long-term fixes for this leak class