Get Basemaps
const url = 'https://example.com/settings/basemaps/';const options = {method: 'GET'};
try { const response = await fetch(url, options); const data = await response.json(); console.log(data);} catch (error) { console.error(error);}curl --request GET \ --url https://example.com/settings/basemaps/Return the configured basemap list (public, no auth required).
Basemaps with {api_key} in the URL are filtered out when no key is
configured. When a key IS set the placeholder is resolved server-side.
The response uses BasemapPublicResponse which excludes api_key.
SEC-S10 (2026-05-20 audit): the resolved url field intentionally
includes the substituted api_key value when configured. Client-side
tile-provider keys (Mapbox, Stadia, MapTiler) are designed for browser
exposure and the frontend MUST receive them to load tiles. Do NOT put a
backend-only commercial-tier key in this field — rotate the key in the
provider dashboard if it is misused. Rate-limited via
_basemap_proxy_rate_limit to cap replay-cost from anonymous clients.
Responses
Section titled “ Responses ”Successful Response
Public basemap response — excludes api_key.
object
Whether the basemap is currently selectable.
Unique basemap identifier.
Whether this is a built-in preset.
Display label.
Tile URL or style JSON URL with API key already substituted (or omitted) for client use.
Example generated
[ { "attribution": "example", "enabled": true, "id": "example", "is_preset": true, "label": "example", "url": "example" }]Bad request — invalid query parameters or payload
object
Example
{ "type": "about:blank"}Unauthorized — missing or invalid credentials
object
Example
{ "type": "about:blank"}Forbidden — caller lacks access to this resource
object
Example
{ "type": "about:blank"}Not found
object
Example
{ "type": "about:blank"}Validation error
object
Example
{ "type": "about:blank"}Internal server error
object
Example
{ "type": "about:blank"}