Is there a way to hide the "token = os.getenv('MAPBOX_ACCESS_TOKEN')"

[dprophet]

In all of the example notebooks you get the mapbox token from the environment like so

"token = os.getenv('MAPBOX_ACCESS_TOKEN')"

If we used a hosted Jupyter notebook environment we certainly dont want to pass our Mapbox token around to users. How do make the token part of the install/Jupyter platform not part of the notebook runtime?

[vincentsarago]

Hi @dprophet
When looking at the code, I think the token will be set by default, so there is no need to pass the token to the viz as long as you have MAPBOX_ACCESS_TOKEN in your env https://github.com/mapbox/mapboxgl-jupyter/blob/master/mapboxgl/viz.py#L177

[dprophet]

The problem with MAPBOX_ACCESS_TOKEN is that token can be viewed via os.environ. In a hosted Jupyter environment, like a Docker container, the access token must not be exposed to the user.

[akacarlyann]

I'm not sure if this works for your use case, but it sounds like you could avoid supplying the MAPBOX_ACCESS_TOKEN via your hosted notebook at all and require the user to sign up for a free token from Mapbox that they would then supply to the viz constructor directly? Otherwise, I think this requires use of the Mapboxgl JavaScript library tokens api (https://docs.mapbox.com/api/accounts/#tokens). Maybe @ryanbaumann has more insight on this?

[dprophet]

MAPBOX_ACCESS_TOKEN is bad. All I need to do is print the environment variables and its exposed. Commercial usage of MAPBOX_ACCESS_TOKEN can be quite expensive.

[ryanbaumann]

@dprophet we should update the examples to not use an environment variable - you can simply pass your mapbox access token as a variable to the map viz initialization i.e.

viz = CircleViz('points.geojson',
                access_token="pk...."
)