Create a new API key

For example mydomain.com will ensure, that only requests coming from mydomain.com will be processed. Use *.mydomain.com to allow requests from subdomains. Put each rule on a separate line. Make sure your applications sends the Origin (or Referer) header, otherwise the requests will be treated as "unknown" and will be rejected if any origin is specified here. You can use ? placeholder to explicitly allow unknown origins (requests with Origin header coming from domain not in this list will still be rejected).


Make your access tokens more secure by adding URL restrictions. When you add a URL restriction to a token, that token will only work for requests that originate from the URLs you specify. Tokens without restrictions will work for requests originating from any URL.

URLs Restrict this token to specific URLs. You can add URLs one at a time or as a comma-separated list. Your URL's format is important. Learn more about how to format your URL on our access token documentation page. This feature is compatible with many Mapbox tools with some limitations. For web applications using Mapbox GL JS, it requires version 0.53.1 and higher. It is not currently compatible with Mapbox native SDKs.