Restricting your Mapbox key to your website

When setting up a Mapbox key, it’s possible to restrict your key to only work with your website. This is optional, but can be a good idea – it ensures that no one else can copy your key from your website and use it on their own site.

If you’d like to restrict your key, or if we have indicated that your key is currently set up with a restriction that isn't configured properly, please see the steps below:

Check your existing keys

When you first sign up for Mapbox, a Default public token is automatically created for your account. This token will work with Stockist, but can’t be restricted to a specific website.

If you’d like to create a key that only works with your website, you’ll need to create a separate key in the Mapbox dashboard.

To see what keys you have, open https://account.mapbox.com and sign in with the email address and password that you used to create your Mapbox account.

Once signed in, click Tokens in the left menu:

Your keys will be listed on this page:

You'll always have a Default public token, and may also have one or more other keys listed there. The number listed after URLs in the key details indicates how many websites have been granted access. A 0 or N/A indicates the key is unrestricted, while a number of 1 or greater indicates that the key will only work on certain sites.

If you’ve already created a second key, click on the key name, then skip to Set up URL restrictions below.

If you only see the Default public token, continue to the next section to set up a separate key.

Set up a separate key

On the Access tokens page of the Mapbox dashboard, click Create a token to set up a new key:

Under Token name, enter a memorable name for the key (visitors won't see this name, it's just for your reference):

Under Token scopes, leave the default option selected. All the checkboxes under Public scopes should be ticked, and all the checkboxes under Private scopes should not be ticked:

Set up URL restrictions

In the Token restrictions > URLs section of your key details, you’ll want to ensure your website domain is listed there.

Your configuration should look something like this:

If you’re using Shopify, you would also want to add your myshopify.com domain as well – it would look like this:

Caution: It's important to only list your base domain (e.g. example.com). Adding the full URL to your page (e.g. example.com/pages/map) won't work.

If you’ve added a full page URL, remove it and add just the base domain instead.

Once your domain(s) have been added, click Create token or Save changes:

Finally, copy your new token from the Mapbox dashboard and paste it into Stockist under "Settings > Map provider":

You must paste the restricted token into Stockist in order for it to be used on your website. If you paste the Default public token into Stockist, this unrestricted token will be used on your website and available for visitors to see.

Final thoughts

If you created a new key for the first time, be sure to add the new key to your Stockist account under Settings > Map provider.

If you run into any issues, please let us know and we’re happy to assist.