mapbox-token-security
mapbox/mapbox-agent-skills · updated Apr 8, 2026
This skill provides security expertise for managing Mapbox access tokens safely and effectively.
Mapbox Token Security Skill
Token Types and When to Use Them
Public Tokens (pk.*)
Characteristics:
- Can be safely exposed in client-side code
- Limited to specific public scopes only
- Can have URL restrictions
- Cannot access sensitive APIs
When to use:
- Client-side web applications
- Mobile apps
- Public-facing demos
- Embedded maps on websites
Allowed scopes:
- styles:tiles - Display style tiles (raster)
- styles:read - Read style specifications
- fonts:read - Access Mapbox fonts
- datasets:read - Read dataset data
- vision:read - Vision API access
Secret Tokens (sk.*)
Characteristics:
- NEVER expose in client-side code, including mobile app bundles and anything else shipped to users
- Can be granted any scope, private ones included (only the scopes actually assigned are usable)
- Server-side use only
- Can create and manage other tokens when granted tokens:write
When to use:
- Server-side applications
- Backend services
- CI/CD pipelines
- Administrative tasks
- Token management
Common scopes:
- styles:write - Create/modify styles
- styles:list - List all styles
- tokens:read - View token information
- tokens:write - Create/modify tokens
- User feedback management scopes
Temporary Tokens (tk.*)
Characteristics:
- Short-lived: at most 1 hour, set with the expires field when the token is created
- Created through the Tokens API by a secret token holding tokens:write; a temporary token cannot carry scopes its creating token lacks
- Intended for one task or one delegation
- Expire on their own and cannot be updated or revoked early, so keep the lifetime as short as the task allows
When to use:
- One-time operations
- Temporary delegated access
- Short-lived demos
- Security-conscious workflows
Scope Management Best Practices
Principle of Least Privilege
Always grant the minimum scopes needed:
❌ Bad:
// Overly permissive - don't do this
{
  "scopes": ["styles:read", "styles:write", "styles:list", "styles:delete", "tokens:read", "tokens:write"]
}
✅ Good:
// Only what's needed for displaying a map
{
  "scopes": ["styles:read", "fonts:read"]
}
// Add "styles:tiles" if your map uses raster tile sources
{
  "scopes": ["styles:read", "fonts:read", "styles:tiles"]
}
Scope Combinations by Use Case
Public Map Display (client-side):
{
"scopes": ["styles:read", "fonts:read", "styles:tiles"],
"note": "Public token for map display",
"allowedUrls": ["https://myapp.com/*"]
}
Style Management (server-side):
{
"scopes": ["styles:read", "styles:write", "styles:list"],
"note": "Backend style management - SECRET TOKEN"
}
Token Administration (server-side):
{
"scopes": ["tokens:read", "tokens:write"],
"note": "Token management only - SECRET TOKEN"
}
Read-Only Access:
{
"scopes": ["styles:list", "styles:read", "tokens:read"],
"note": "Auditing/monitoring - SECRET TOKEN"
}
URL Restrictions
Why URL Restrictions Matter
URL restrictions limit the sites on which a public token is accepted, so a token copied out of your page source is far less useful to anyone else. Mapbox enforces them by checking the HTTP Referer of the request, which a browser sets automatically but a script can omit or forge, so treat restrictions as a cap on casual abuse (and on your bill) rather than a hard security boundary. The hard boundary is scope: a public token can only ever hold public scopes, which is why a secret token must never stand in for one.
Effective URL Patterns
✅ Recommended patterns:
https://myapp.com/* # Production domain
https://*.myapp.com/* # All subdomains
https://staging.myapp.com/* # Staging environment
http://localhost:* # Local development
❌ Avoid these:
* # No restriction (insecure)
http://* # Any HTTP site (insecure)
*.com/* # Too broad
Multiple Environment Strategy
Create separate tokens for each environment:
// Production
{
note: "Production - myapp.com",
scopes: ["styles:read", "fonts:read"],
allowedUrls: ["https://myapp.com/*", "https://www.myapp.com/*"]
}
// Staging
{
note: "Staging - staging.myapp.com",
scopes: ["styles:read", "fonts:read"],
allowedUrls: ["https://staging.myapp.com/*"]
}
// Development
{
note: "Development - localhost",
scopes: ["styles:read", "fonts:read"],
allowedUrls: ["http://localhost:*", "http://127.0.0.1:*"]
}
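The least-privilege scope rules, the URL-pattern rules, the per-environment token split and the one-hour limit on temporary tokens above can all be enforced before a token is ever created. The following Python is an added example, not code from the mapbox-agent-skills repository: it builds the JSON body for the Mapbox Tokens API (POST https://api.mapbox.com/tokens/v2/{username}, with note, scopes, allowedUrls and expires fields) and refuses a request that would give a client-side token a private scope, leave it unrestricted, or give a temporary token more than an hour. The public-scope list and the one-hour cap are Mapbox's; the URL-pattern policy (https only except localhost, no bare top-level wildcards) and the rule that secret tokens get no allowedUrls are this example's own choices. Only create_token() and revoke_token() touch the network; everything else runs offline.

```python
"""Least-privilege request builder for the Mapbox Tokens API (added example)."""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

TOKENS_API = "https://api.mapbox.com/tokens/v2"
MAX_TEMPORARY_SECONDS = 3600  # Mapbox caps temporary (tk.) tokens at one hour

# The only scopes Mapbox allows on a public (pk.) token.
PUBLIC_SCOPES = frozenset({
    "styles:tiles", "styles:read", "fonts:read", "datasets:read", "vision:read",
})
# Patterns that leave a token usable from anywhere (example policy, not Mapbox validation).
UNRESTRICTED_PATTERNS = frozenset({"*", "*/*", "http://*", "https://*", "http://*/*", "https://*/*"})
LOCAL_HOSTS = frozenset({"localhost", "127.0.0.1"})


class TokenPolicyError(ValueError):
    """The requested token breaks the policy encoded in this skill."""


def validate_allowed_url(pattern: str) -> str:
    """Accept https://host/path* (wildcard subdomains allowed) or http(s)://localhost only."""
    pattern = pattern.strip()
    if pattern in UNRESTRICTED_PATTERNS or "://" not in pattern:
        raise TokenPolicyError(f"unrestricted or schemeless URL pattern: {pattern!r}")
    scheme, rest = pattern.split("://", 1)
    host = rest.split("/", 1)[0].split(":", 1)[0]
    if host in LOCAL_HOSTS:
        return pattern                      # plain http is acceptable for local development
    if scheme != "https":
        raise TokenPolicyError(f"non-local pattern must use https: {pattern!r}")
    bare = host.lstrip("*.")                # "*.myapp.com" -> "myapp.com"
    if not bare or "." not in bare or "*" in bare:
        raise TokenPolicyError(f"host too broad: {pattern!r}")
    return pattern


def build_token_request(kind, note, scopes, allowed_urls=(), lifetime_seconds=None):
    """Return the Tokens API body for a 'public', 'secret' or 'temporary' token."""
    scopes = sorted(set(scopes))
    if not scopes:
        raise TokenPolicyError("a token needs at least one scope")
    if not note.strip():
        raise TokenPolicyError("every token needs a descriptive note for audits")
    body = {"note": note, "scopes": scopes}
    if kind == "public":
        private = [s for s in scopes if s not in PUBLIC_SCOPES]
        if private:
            raise TokenPolicyError(f"public token cannot carry private scopes: {private}")
        if not allowed_urls:
            raise TokenPolicyError("public tokens must have URL restrictions")
        body["allowedUrls"] = [validate_allowed_url(u) for u in allowed_urls]
    elif kind == "secret":
        if allowed_urls:
            # Example policy: secret tokens stay server-side, where a Referer check adds nothing.
            raise TokenPolicyError("URL restrictions are for public tokens")
    elif kind == "temporary":
        # The creating token needs tokens:write and must itself hold every scope requested here.
        if not lifetime_seconds or not 0 < lifetime_seconds <= MAX_TEMPORARY_SECONDS:
            raise TokenPolicyError("temporary tokens must expire within one hour")
        expires = datetime.now(timezone.utc) + timedelta(seconds=lifetime_seconds)
        body["expires"] = expires.strftime("%Y-%m-%dT%H:%M:%SZ")
    else:
        raise TokenPolicyError(f"unknown token kind: {kind!r}")
    return body


def mask_token(token: str) -> str:
    """Log-safe rendering: prefix plus the last four characters."""
    prefix, _, rest = token.partition(".")
    return f"{prefix}....{rest[-4:]}" if rest else "<invalid>"


def _call(method, url, secret_token, body=None):
    if not secret_token.startswith("sk."):
        raise TokenPolicyError("token management needs a secret (sk.) token with tokens:write")
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{url}?access_token={secret_token}", data=data,
                                 method=method, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return {} if resp.status == 204 else json.load(resp)


def create_token(username, secret_token, body):
    """POST the validated body; the response carries the new token in its 'token' field."""
    return _call("POST", f"{TOKENS_API}/{username}", secret_token, body)


def revoke_token(username, secret_token, token_id):
    """DELETE a token by its id (the 'id' field of list/create responses); used in incident response."""
    return _call("DELETE", f"{TOKENS_API}/{username}/{token_id}", secret_token)


if __name__ == "__main__":
    for kind, note, scopes, urls, ttl in (
        ("public", "Production - myapp.com", ["styles:read", "fonts:read", "styles:tiles"],
         ["https://myapp.com/*", "https://www.myapp.com/*"], None),
        ("secret", "Backend style management", ["styles:read", "styles:write", "styles:list"], (), None),
        ("temporary", "One-off style export", ["styles:read"], (), 900),
    ):
        print(json.dumps(build_token_request(kind, note, scopes, urls, ttl), indent=2))
```

Run it with no arguments to print the three bodies for the production, backend and temporary tokens; in a real deployment you would pass the body to create_token() with a secret token read from a secret manager, never from source. The secret used for token management should itself carry only tokens:read and tokens:write, as the Token Administration combination above recommends.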
Token Storage and Handling
Server-Side (Secret Tokens)
✅ DO:
- Store in environment variables
- Use secret management services (AWS Secrets Manager, HashiCorp Vault)
- Encrypt at rest
- Limit access via IAM policies
- Log token usage
❌ DON'T:
- Hardcode in source code
- Commit to version control
- Store in plaintext configuration files
- Share via email or Slack
- Reuse across multiple services
Example: Secure Environment Variable:
# .env (NEVER commit this file)
MAPBOX_SECRET_TOKEN=sk.ey...
# .gitignore (ALWAYS include .env)
.env
.env.local
.env.*.local
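Ignoring .env files only helps if nobody bypasses it, so the "never commit" rule above (and the "scan repositories for exposed tokens" item in the checklist further down) is best enforced by a scanner run on staged files or in CI. The following Python is an added example, not code from the mapbox-agent-skills repository: it finds pk., sk. and tk. tokens by prefix, treats any secret token as a critical finding, any temporary token as high (they should never be persisted), and public tokens as info so their URL restrictions and scopes can be reviewed. Mapbox tokens are JWTs, so the payload after the prefix starts with "eyJ"; requiring that shape skips placeholders such as pk.YOUR_MAPBOX_TOKEN_HERE. The sample files and token values are constructed for the demo and are not real tokens.

```python
"""Scanner for Mapbox access tokens in source trees (added example)."""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass
from pathlib import Path

# prefix + JWT-shaped payload; the eyJ requirement filters out documentation placeholders
TOKEN_RE = re.compile(r"\b(pk|sk|tk)\.eyJ[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+")
SEVERITY = {"sk": "critical", "tk": "high", "pk": "info"}
ORDER = ["none", "info", "high", "critical"]
SKIP_DIRS = {".git", "node_modules", "dist", "build"}


@dataclass
class Finding:
    path: str
    line_no: int
    kind: str
    severity: str
    masked: str      # never report the full token, even in CI logs


def mask_token(token: str) -> str:
    prefix, _, rest = token.partition(".")
    return f"{prefix}....{rest[-4:]}"


def scan_text(path: str, text: str) -> list[Finding]:
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for match in TOKEN_RE.finditer(line):
            kind = match.group(1)
            findings.append(Finding(path, line_no, kind, SEVERITY[kind], mask_token(match.group(0))))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan an in-memory mapping of path -> contents (used by the demo below)."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


def scan_tree(root: Path) -> list[Finding]:
    """Scan a checkout on disk, skipping VCS metadata and build output."""
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or SKIP_DIRS & set(path.relative_to(root).parts):
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue
        findings.extend(scan_text(str(path.relative_to(root)), text))
    return findings


def worst_severity(findings: list[Finding]) -> str:
    return max((f.severity for f in findings), key=ORDER.index, default="none")


# Constructed sample tree: a public token in client code (expected), a secret token
# hardcoded in server code (critical), a placeholder (ignored) and a staged .env (critical).
SAMPLE_FILES = {
    "src/map.js": 'mapboxgl.accessToken = "pk.eyJ1IjoiZGVtbyIsImEiOiJjazEyMzQ1Njc4OTAifQ.abcdefghijklmnop";\n',
    "server/config.py": 'MAPBOX_TOKEN = "sk.eyJ1IjoiZGVtbyIsImEiOiJjazEyMzQ1Njc4OTAifQ.zyxwvutsrqponmlk"  # oops\n',
    "docs/README.md": "Use pk.YOUR_MAPBOX_TOKEN_HERE as a placeholder.\n",
    ".env": "MAPBOX_SECRET_TOKEN=sk.eyJ1IjoiZGVtbyJ9.qrstuvwxyz012345\n",
}


def main(argv: list[str]) -> int:
    """With a directory argument scan it; otherwise scan the constructed samples."""
    findings = scan_tree(Path(argv[1])) if len(argv) > 1 else scan_files(SAMPLE_FILES)
    for f in findings:
        print(f"{f.severity:8} {f.path}:{f.line_no} {f.masked}")
    # Fail the commit/build on anything at high or above; pk findings are informational.
    return 1 if ORDER.index(worst_severity(findings)) >= ORDER.index("high") else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wire main() into a pre-commit hook (scanning the staged paths rather than the whole tree) or a CI job; a non-zero exit blocks the commit. A finding in a file that is already in git history means the token is compromised regardless of whether the commit is amended: rotate it, following the incident-response reference.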
Client-Side (Public Tokens)
✅ DO:
- Use public tokens only
- Apply URL restrictions
- Use different tokens per app
- Rotate periodically
- Monitor usage
❌ DON'T:
- Expose secret tokens
- Use tokens without URL restrictions
- Share tokens between unrelated apps
- Use tokens with excessive scopes
Example: Safe Client Usage:
// Public token with URL restrictions - SAFE
// Inject the value at build time (for example from an environment variable) rather than
// editing it into source: it is still public, but that keeps the per-environment tokens apart
const mapboxToken = 'pk.YOUR_MAPBOX_TOKEN_HERE';
// This token is restricted to your domain and carries only the public scopes a map
// display needs (styles:read, fonts:read, plus styles:tiles for raster sources)
mapboxgl.accessToken = mapboxToken;
Security Checklist
Token Creation:
- Use public tokens for client-side, secret for server-side
- Apply principle of least privilege for scopes
- Add URL restrictions to public tokens
- Use descriptive names/notes for token identification
- Document intended use and environment
Token Management:
- Store secret tokens in environment variables or secret managers
- Never commit tokens to version control
- Rotate tokens every 90 days (or per policy)
- Remove unused tokens promptly
- Separate tokens by environment (dev/staging/prod)
Monitoring:
- Track token usage patterns
- Set up alerts for unusual activity
- Regular security audits (monthly)
- Review team access quarterly
- Scan repositories for exposed tokens
Incident Response:
- Documented revocation procedure
- Emergency contact list
- Rotation process documented
- Post-incident review template
- Team training on security procedures
Reference Files
For detailed guidance on specific topics, load these references as needed:
- references/rotation-monitoring.md: Token rotation strategies (zero-downtime and emergency), monitoring metrics, alerting rules, and monthly/quarterly audit checklists. Load when: implementing rotation, setting up monitoring, or conducting audits.
- references/incident-response.md: Step-by-step incident response plan and common security mistakes with code examples. Load when: responding to a token compromise, reviewing code for security issues, or training on anti-patterns.
When to Use This Skill
Invoke this skill when:
- Creating new tokens
- Deciding between public vs secret tokens
- Setting up token restrictions
- Implementing token rotation
- Investigating security incidents
- Conducting security audits
- Training team on token security
- Reviewing code for token exposure
How to use mapbox-token-security on Cursor
AI-first code editor with Composer
Prerequisites
Before installing skills in Cursor, ensure your development environment meets these requirements:
- Cursor installed and configured on your development machine
- Node.js version 16.0+ with npm package manager (verify with node --version)
- Active project directory or workspace where you want to add mapbox-token-security
Execute installation command
Execute the skills CLI command in your project's root directory to begin installation:
The skills CLI fetches mapbox-token-security from GitHub repository mapbox/mapbox-agent-skills and configures it for Cursor.
Select Cursor when prompted
The CLI will show a list of available agents. Use arrow keys to navigate and space to select Cursor:
Verify installation
Confirm successful installation by checking the skill directory location:
Reload or restart Cursor to activate mapbox-token-security. Access the skill through slash commands (e.g., /mapbox-token-security) or your agent's skill management interface.
Security & Verification Notice
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your development environment. Always verify the publisher's identity, review recent commits, and test in isolated environments before production deployment.
Ratings
4.7 ★★★★★ (44 reviews)
- ★★★★★ Arya Okafor · Dec 20, 2024
mapbox-token-security is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
- ★★★★★ Chaitanya Patil · Dec 16, 2024
Keeps context tight: mapbox-token-security is the kind of skill you can hand to a new teammate without a long onboarding doc.
- ★★★★★ Xiao Shah · Dec 16, 2024
mapbox-token-security reduced setup friction for our internal harness; good balance of opinion and flexibility.
- ★★★★★ Mateo Jain · Dec 12, 2024
We added mapbox-token-security from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
- ★★★★★ Omar Taylor · Dec 4, 2024
I recommend mapbox-token-security for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
- ★★★★★ Dev Menon · Nov 23, 2024
mapbox-token-security reduced setup friction for our internal harness; good balance of opinion and flexibility.
- ★★★★★ Carlos Garcia · Nov 15, 2024
We added mapbox-token-security from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
- ★★★★★ Soo Huang · Nov 11, 2024
Solid pick for teams standardizing on skills: mapbox-token-security is focused, and the summary matches what you get after install.
- ★★★★★ Piyush G · Nov 7, 2024
mapbox-token-security has been reliable in day-to-day use. Documentation quality is above average for community skills.
- ★★★★★ Xiao Desai · Nov 7, 2024
I recommend mapbox-token-security for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.