✨Discover storytelling in the AI age with Pixar's Matthew Luhn at Sanity Connect, May 8th—register now

How to securely store the Mapbox API token with the Leaflet.js map input plugin.

13 replies
Last updated: Sep 6, 2021
for anyone who uses the Leaflet.js map input plugin with mapbox, how do you store the the mapbox api token securely? If you are like me and check in all your studio config, the leaflet.js plugin creates a
leaflet-input.json
file for you to interact and configure the plugin with. One of the fields is 'accessToken', and im not sure how to both check in this file, all while giving leaflet access to my token (its just a json file, its not a .js file, so i cant access env vars or import the token from some keystore)
Sep 6, 2021, 7:23 AM
Sanity team recommended using something like this: https://www.npmjs.com/package/sanity-secrets
Sep 6, 2021, 7:53 AM
thanks, this is great. Any idea where you store the provided example config? It seems this provides a means to input your secrets from studio? And where would i add this component if so, deskStructure.js?
Sep 6, 2021, 1:16 PM
It looks like
accessToken
lives in the JSON file and you use URL restrictions on the Mapbox side to secure it—similar to Simeon’s suggestion for Google Maps .
Sep 6, 2021, 3:17 PM
interesting, i didnt know about this! So its a unique access token than i can checkin without fear of others using it that only i can use, makes sense
Sep 6, 2021, 4:52 PM
Yes, that’s the way I understand it.
Sep 6, 2021, 4:57 PM
so essentially, this URL would be my custom sanity studio domain?
Sep 6, 2021, 5:13 PM
Correct. You would lock it down to your production studio domain. This page recommends using multiple tokens to handle different environments (e.g., to open up localhost in development).
Sep 6, 2021, 5:18 PM
great article, and makes sense, a key for each env
Sep 6, 2021, 5:21 PM
so they seem safe to checkin then
Sep 6, 2021, 5:21 PM
If you want to be absolutely sure and can wait until tomorrow, I can double-check, but yes, I am fairly confident these are not just safe but required to be checked in.
Sep 6, 2021, 5:24 PM
thanks geoff!
Sep 6, 2021, 5:31 PM
Got confirmation: Lock the key to the same domain as the studio and make sure your repo is private, and you should be golden.
Sep 6, 2021, 5:43 PM
thank you again, hmm my repo is public, do you think that should be a big deal given these are locked to the domain?
Sep 6, 2021, 5:50 PM

Sanity– build remarkable experiences at scale

Sanity is a modern headless CMS that treats content as data to power your digital business. Free to get started, and pay-as-you-go on all plans.

Was this answer helpful?