Restricting your Mapbox key to your website

When setting up a Mapbox key, it’s possible to restrict your key to only work with your website. This is optional, but can be a good idea – it ensures that no one else can copy your key from your website and use it on their own site.

If you’d like to restrict your key, or if we have indicated that your key is currently set up with a restriction that isn't configured properly, please see the steps below:

Check your existing keys

When you first sign up for Mapbox, a Default public token is automatically created for your account. This token will work with Stockist, but can’t be restricted to a specific website.

If you’d like to create a key that only works with your website, you’ll need to create a separate key in the Mapbox dashboard.

To see what keys you have, open https://account.mapbox.com and sign in with the email address and password that you used to create your Mapbox account.
Once signed in, click Tokens in the left menu:

Your keys will be listed on this page:

You'll always have a Default public token, and may also have one or more other keys listed there. The number listed after URLs in the key details indicates how many websites have been granted access. A 0 or N/A indicates the key is unrestricted, while a number of 1 or greater indicates that the key will only work on certain sites.

If you’ve already created a second key, click on the key name, then skip to Set up URL restrictions below.
If you only see the Default public token, continue to the next section to set up a separate key.

Set up a separate key

On the Access tokens page of the Mapbox dashboard, click Create a token to set up a new key:

Under Token name, enter a memorable name for the key (visitors won't see this name; it's just for your reference):

Under Token scopes, leave the default option selected. All the checkboxes under Public scopes should be ticked, and all the checkboxes under Private scopes should not be ticked:

Set up URL restrictions

In the Token restrictions > URLs section of your key details, you’ll want to ensure your website domain is listed there.
Your configuration should look something like this (for a Shopify site, for example):

Caution: It's important to only list the plain domain for each entry (e.g. example.com). Adding the full URL to your page (e.g. www.example.com/pages/map) won't work in certain browsers.

Platform-specific URLs

Certain hosting platforms also need additional entries in the list:

For Shopify sites, you'll want to add:

  • Your live domain(s), e.g. example.com
  • Your myshopify.com domain, e.g. example.myshopify.com
  • shopifypreview.com

For Wix sites, you'll want to add:

  • Your live domain, e.g. example.com
  • filesusr.com

For GoDaddy sites, you'll want to add:

  • Your live domain, e.g. example.com
  • about:srcdoc
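
The following Python script is an added example, not code from Stockist or Mapbox. It checks a draft list of URL entries against the guidance above: entries that include a scheme or page path are reduced to the plain domain, and the platform-specific entries are appended. The function names, the `{shop}` placeholder and the sample domains are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Extra entries per hosting platform, taken from the lists above.
# "{shop}" is a placeholder (assumption) for the store's myshopify.com subdomain.
PLATFORM_EXTRAS = {
    "shopify": ["{shop}.myshopify.com", "shopifypreview.com"],
    "wix": ["filesusr.com"],
    "godaddy": ["about:srcdoc"],
}


def plain_domain(entry):
    """Reduce one entry to its plain domain; return (value, note or None)."""
    raw = entry.strip()
    if raw.lower() == "about:srcdoc":  # literal entry listed for GoDaddy sites
        return "about:srcdoc", None
    # urlsplit only fills in the host when a scheme or "//" is present.
    parts = urlsplit(raw if "//" in raw else "//" + raw)
    host = (parts.hostname or "").lower()
    if not host:
        raise ValueError(f"no domain found in {entry!r}")
    changed = host != raw.lower()
    note = f"{raw!r} reduced to {host!r} (list the plain domain only)" if changed else None
    return host, note


def build_allowlist(entries, platform=None, shop=None):
    """Return (deduplicated entries for the URLs section, notes to review)."""
    allow, notes = [], []
    extras = PLATFORM_EXTRAS.get((platform or "").lower(), [])
    for entry in list(entries) + extras:
        if "{shop}" in entry:
            if not shop:  # cannot guess the store name, so remind instead
                notes.append("add your myshopify.com domain, e.g. example.myshopify.com")
                continue
            entry = entry.format(shop=shop)
        value, note = plain_domain(entry)
        if note:
            notes.append(note)
        if value not in allow:
            allow.append(value)
    return allow, notes


if __name__ == "__main__":
    # Constructed sample input: one plain domain and one full page URL.
    sample = ["example.com", "https://www.example.com/pages/map"]
    allow, notes = build_allowlist(sample, platform="shopify", shop="example")
    print("\n".join(allow + ["note: " + n for n in notes]))
```
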

Once your domain(s) have been added, click Create token or Save changes:

Finally, copy your new token from the Mapbox dashboard and paste it into Stockist under "Settings > Map provider":

Please be sure to paste the restricted token into Stockist. The Default public token isn't secured, and other people could copy it from your Stockist map to use on their own site.

Final thoughts

If you created a new key for the first time, be sure to add the new key to your Stockist account under Settings > Map provider.
If you run into any issues, please let us know and we’ll be happy to assist.