Joint session with Vercel: How to build intelligent storefronts (May 15th)

How to securely store Mapbox API token in Leaflet.js plugin config for Sanity?

13 repliesLast updated: Nov 29, 2025
for anyone who uses the Leaflet.js map input plugin with mapbox, how do you store the the mapbox api token securely? If you are like me and check in all your studio config, the leaflet.js plugin creates a 
leaflet-input.json
file for you to interact and configure the plugin with. One of the fields is 'accessToken', and im not sure how to both check in this file, all while giving leaflet access to my token (its just a json file, its not a .js file, so i cant access env vars or import the token from some keystore)
AI Update

Great question! This is a common concern when working with the Leaflet.js map input plugin and Mapbox. The good news is that Mapbox access tokens are actually designed to be checked into your codebase when properly secured.

Instead of treating your Mapbox token like a traditional secret, you should secure it using Mapbox's URL restrictions feature. Here's how it works:

  1. Lock the token to your Studio domain: In your Mapbox account settings, configure URL restrictions for your access token. This means the token will only work when requests come from your specific Sanity Studio domain (e.g., your-studio.sanity.studio).

  2. Use multiple tokens for different environments: Create separate tokens for:

    • Production (locked to your production Studio URL)
    • Development (locked to localhost:3333 or your local dev URL)
    • Staging (if applicable)

  3. Check the config file into your repo: Once the token is URL-restricted, you can safely commit your config/leaflet-input.json file with the accessToken field. The token becomes useless to anyone who doesn't have access to your specific Studio domain.

Additional Security Considerations

According to the Sanity team's guidance, you should:

  • Keep your repository private if possible (though URL restrictions provide the primary security)
  • The URL restrictions make the token effectively useless outside your Studio environment

If you absolutely need to avoid checking in the token, you could use the sanity-secrets plugin, but this adds complexity and isn't the standard approach for Mapbox tokens since they're designed to work with URL restrictions.

The URL restriction approach is actually the intended security model for client-side Mapbox tokens - similar to how you'd secure a Google Maps API key. It's not a workaround, it's the proper solution!

Show original thread
13 replies

Was this answer helpful?

Sanity – Build the way you think, not the way your CMS thinks

Sanity is the developer-first content operating system that gives you complete control. Schema-as-code, GROQ queries, and real-time APIs mean no more workarounds or waiting for deployments. Free to start, scale as you grow.

Get started for freeExplore the demo

Related answers

Get more help in the community Discord

Related contributions

Auto-generate alt text for Media Library assets

FeaturedOfficial

Automatically generate accessible, multilingual alt text for images in your Sanity Media Library using Agent Actions and Sanity Functions

Bram Doppen

Bram Doppen

First Published Timestamp Function

FeaturedOfficial

Automatically track when content was first published with a timestamp that sets once and never overwrites, providing reliable publication history for analytics and editorial workflows.

Knut Melvær

Knut Melvær

Automatically tag blog posts

FeaturedOfficial

AI-powered automatic tagging for Sanity blog posts that analyzes content to generate 3 relevant tags, maintaining consistency by reusing existing tags from your content library.

Ken Jones Pizza
Knut Melvær

Ken Jones Pizza and 1 other