Mapbox API Token Visible in View Source – Security Concern

As per the HivePress documentation, you mentioned that the region generation only happens when we use a non-HTTP restricted Google API key in the secret API section under HivePress settings. I understand that for Mapbox, we are required to use the default API token to generate regions.

However, there is a difference between Google Maps API and Mapbox API. When we add a Google Maps API key (which is not restricted) in the secret API section, it does not appear in the view source of the page. But when we add the Mapbox API key in the settings, it becomes visible in the view source.

While restricting the URL works to some extent, we are using the default token for Mapbox, which means anyone can potentially access and misuse the token.

I have tried using PHP code and JavaScript to hide the token,

Example:


1. Create a PHP file called mapbox-proxy.php in the root directory of your WordPress site or inside your theme folder (e.g., wp-content/themes/your-theme/mapbox-proxy.php).

2. Add the following code to mapbox-proxy.php:

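```php
<?php
// Mapbox token, kept on the server so it never appears in the page source
$mapboxToken = 'your_mapbox_token_here';

// Mapbox API path to call (placeholder). It is fixed here because
// $_SERVER['REQUEST_URI'] would contain "/mapbox-proxy.php", not a Mapbox path.
$mapboxPath = '/your_mapbox_api_path_here';

// Forward the caller's query parameters and add the token, overriding any
// access_token the caller supplied
$params = $_GET;
$params['access_token'] = $mapboxToken;
$endpoint = 'https://api.mapbox.com' . $mapboxPath . '?' . http_build_query($params);

// Initialize cURL to send the request to Mapbox
$ch = curl_init($endpoint);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 10);
$response = curl_exec($ch);
$status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
curl_close($ch);

// Return the API response, or an error if the request to Mapbox failed
header('Content-Type: application/json');
if ($response === false) {
    http_response_code(502);
    echo json_encode(['error' => 'Upstream request failed']);
    exit;
}
http_response_code($status);
echo $response;
```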

3. In JavaScript (or your custom code):

```javascript
fetch('/mapbox-proxy.php' + window.location.search)
  .then(response => response.json())
  .then(data => {
    // Handle the data from Mapbox here
  })
  .catch(error => console.error('Error:', error));
```

but it may cause functionality issues or custom code might be overwritten in future updates. I believe this is a bigger issue that needs to be addressed at the core of HivePress.

Could you kindly look into this issue and provide a fix in the next update as soon as possible?
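The server-side proxy idea from the post above, written as a WordPress REST route that fixes the upstream host and path and throttles callers, because an endpoint that hides the token is itself publicly callable and spends the same quota. This is an added example, not HivePress code and not the poster's; the route `example/v1/geocode`, the constant `EXAMPLE_MAPBOX_TOKEN`, the `q` parameter, the choice of Mapbox's Geocoding v5 endpoint and the 30-per-minute limit are assumptions.

```php
<?php
/**
 * Plugin Name: Example Mapbox geocode proxy (added example, not HivePress code)
 */
// Assumption: wp-config.php has define( 'EXAMPLE_MAPBOX_TOKEN', '...' );

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/geocode', array(
        'methods'             => 'GET',
        'callback'            => 'example_mapbox_geocode',
        'permission_callback' => '__return_true', // public route, throttled below
        'args'                => array(
            'q' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
                'validate_callback' => function ( $value ) {
                    return is_string( $value ) && strlen( $value ) >= 2 && strlen( $value ) <= 100;
                },
            ),
        ),
    ) );
} );

function example_mapbox_geocode( WP_REST_Request $request ) {
    // Coarse per-IP throttle: 30 lookups per 60-second window (constructed limit).
    // Behind a reverse proxy REMOTE_ADDR is the proxy's address; adjust accordingly.
    $key = 'example_mbx_' . md5( $_SERVER['REMOTE_ADDR'] ?? '' );
    $hit = get_transient( $key );
    if ( ! is_array( $hit ) || $hit['until'] <= time() ) {
        $hit = array( 'count' => 0, 'until' => time() + MINUTE_IN_SECONDS );
    }
    if ( $hit['count'] >= 30 ) {
        return new WP_Error( 'rate_limited', 'Too many requests', array( 'status' => 429 ) );
    }
    $hit['count']++;
    set_transient( $key, $hit, $hit['until'] - time() );

    // The caller supplies only the search text; host, path and token are fixed here.
    $url = 'https://api.mapbox.com/geocoding/v5/mapbox.places/'
        . rawurlencode( $request->get_param( 'q' ) ) . '.json?'
        . http_build_query( array( 'limit' => 5, 'access_token' => EXAMPLE_MAPBOX_TOKEN ) );

    $response = wp_remote_get( $url, array( 'timeout' => 10 ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return new WP_Error( 'upstream_error', 'Geocoding request failed', array( 'status' => 502 ) );
    }
    return rest_ensure_response( json_decode( wp_remote_retrieve_body( $response ), true ) );
}
```

With the default REST prefix, the browser calls `/wp-json/example/v1/geocode?q=...` and receives only the geocoding result; the token stays in `wp-config.php`.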

Hi,

Thanks for your feedback. We plan to do the same as for Google Maps, i.e. add two keys. As a workaround, please check the Mapbox settings; there may be a feature to add a search limit to prevent you from switching from a free plan to a paid one.
