If you're using Mapbox and wondering whether that token should be pk.* or sk.*, or whether URL restrictions actually matter, this breaks it down clearly. It covers the three token types, scope management by use case, and the storage patterns that prevent you from accidentally committing secrets. The rotation and incident response references are thorough enough to hand to a team lead. Honestly, the checklist format makes it more useful than Mapbox's own docs for the "am I doing this securely?" question. Good for onboarding, code review, or that moment when you realize a secret token made it into a React bundle.
npx skills add https://github.com/mapbox/mapbox-agent-skills --skill mapbox-token-security