From 2bdfe4018e16b23c3dca33821f174db12732a725 Mon Sep 17 00:00:00 2001
From: Ludovic Muller <ludovicmuller1@gmail.com>
Date: Tue, 24 Mar 2026 10:48:55 +0100
Subject: [PATCH 1/3] env: set maptiler key at runtime instead of build time

---
 .env.example                 | 2 +-
 CHANGELOG.md                 | 3 +++
 Dockerfile                   | 3 ---
 app/.env.development         | 2 +-
 app/domain/env.ts            | 2 +-
 app/pages/api/client-env.ts  | 1 +
 scripts/docker-build-push.sh | 1 -
 7 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/.env.example b/.env.example
index 81e449e5c6..a821022946 100644
--- a/.env.example
+++ b/.env.example
@@ -7,7 +7,7 @@ NEXTAUTH_URL=123
 NEXTAUTH_SECRET=123
 
 # Maptile configuration
-NEXT_PUBLIC_MAPTILER_STYLE_KEY=123
+MAPTILER_STYLE_KEY=123
 
 # SEO
 PREVENT_SEARCH_BOTS=false
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 198e4bb9e4..39fb752d8c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,6 +13,9 @@ You can also check the
 
 - Features
   - Add SPARQL endpoints in the OpenTelemetry traces
+- Maintenance
+  - Set Maptiler API key from environment variable at runtime, to avoid having
+    to rebuild the application when the key is rotated
 
 ### 6.4.0 – 2026-03-13
 
diff --git a/Dockerfile b/Dockerfile
index 1b2cc054e4..25d12a1d06 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -8,7 +8,6 @@ WORKDIR /usr/src/app
 #   --build-arg PREVENT_SEARCH_BOTS=<true/false> \
 #   --build-arg COMMIT=$(git rev-parse HEAD) \
 #   --build-arg VECTOR_TILE_URL=<url of the vector service> \
-#   --build-arg MAPTILER_STYLE_KEY=<maptiler style key> \
 #   --build-arg ADFS_ID=<adfs client id> \
 #   --build-arg ADFS_ISSUER=<adfs issuer> \
 #   --build-arg ADFS_PROFILE_URL=<adfs profile url> \
@@ -19,7 +18,6 @@ WORKDIR /usr/src/app
 ARG PREVENT_SEARCH_BOTS
 ARG COMMIT
 ARG VECTOR_TILE_URL
-ARG MAPTILER_STYLE_KEY
 ARG ADFS_ID
 ARG ADFS_ISSUER
 ARG ADFS_PROFILE_URL
@@ -40,7 +38,6 @@ ENV PORT=3000
 ENV PREVENT_SEARCH_BOTS=$PREVENT_SEARCH_BOTS
 ENV NEXT_PUBLIC_COMMIT=$COMMIT
 ENV NEXT_PUBLIC_BASE_VECTOR_TILE_URL=$VECTOR_TILE_URL
-ENV NEXT_PUBLIC_MAPTILER_STYLE_KEY=$MAPTILER_STYLE_KEY
 ENV ADFS_ID=$ADFS_ID
 ENV ADFS_ISSUER=$ADFS_ISSUER
 ENV ADFS_PROFILE_URL=$ADFS_PROFILE_URL
diff --git a/app/.env.development b/app/.env.development
index 18585d13fb..e7ddc0c0f3 100644
--- a/app/.env.development
+++ b/app/.env.development
@@ -4,6 +4,6 @@ SPARQL_GEO_ENDPOINT=https://geo.ld.admin.ch/query
 GRAPHQL_ENDPOINT=/api/graphql
 WHITELISTED_DATA_SOURCES=["Prod", "Prod-uncached", "Int", "Int-uncached", "Test", "Test-uncached", "LINDASold-Prod", "LINDASold-Prod-uncached", "LINDASold-Int", "LINDASold-Int-uncached", "LINDASold-Test", "LINDASold-Test-uncached"]
 NEXT_PUBLIC_VECTOR_TILE_URL=https://world.vectortiles.geo.admin.ch
-NEXT_PUBLIC_MAPTILER_STYLE_KEY=123
+MAPTILER_STYLE_KEY=123
 ADFS_PROFILE_URL=https://www.myaccount-r.eiam.admin.ch/
 NEXTAUTH_URL=https://localhost:3000
diff --git a/app/domain/env.ts b/app/domain/env.ts
index 8cfffc326f..42243f4016 100644
--- a/app/domain/env.ts
+++ b/app/domain/env.ts
@@ -67,4 +67,4 @@ export const BUILD_GITHUB_REPO = (
 export const BASE_VECTOR_TILE_URL =
   process.env.NEXT_PUBLIC_BASE_VECTOR_TILE_URL ?? "";
 export const MAPTILER_STYLE_KEY =
-  process.env.NEXT_PUBLIC_MAPTILER_STYLE_KEY ?? "";
+  clientEnv?.MAPTILER_STYLE_KEY ?? process.env.MAPTILER_STYLE_KEY ?? "";
diff --git a/app/pages/api/client-env.ts b/app/pages/api/client-env.ts
index d368c1b608..15092f8c41 100644
--- a/app/pages/api/client-env.ts
+++ b/app/pages/api/client-env.ts
@@ -24,6 +24,7 @@ export default async function clientEnvApi(
           PUBLIC_URL: process.env.PUBLIC_URL,
           GRAPHQL_ENDPOINT: process.env.GRAPHQL_ENDPOINT,
           ADFS_PROFILE_URL: process.env.ADFS_PROFILE_URL,
+          MAPTILER_STYLE_KEY: process.env.MAPTILER_STYLE_KEY,
         })}`;
 
         if (result) {
diff --git a/scripts/docker-build-push.sh b/scripts/docker-build-push.sh
index 9721732650..d7e62a4eb4 100755
--- a/scripts/docker-build-push.sh
+++ b/scripts/docker-build-push.sh
@@ -19,7 +19,6 @@ docker build \
     --label "COMMIT=$CI_COMMIT_SHA" \
     --label "TAGS=$DOCKER_IMAGE_TAGS" \
     --build-arg COMMIT=$CI_COMMIT_SHA \
-    --build-arg MAPTILER_STYLE_KEY=$MAPTILER_STYLE_KEY \
     --build-arg VECTOR_TILE_URL=$VECTOR_TILE_URL \
     --build-arg ADFS_ID=$ADFS_ID \
     --build-arg ADFS_ISSUER=$ADFS_ISSUER \

From f9754a2a6dee26ea8aa1519c1e33eafa0511ba44 Mon Sep 17 00:00:00 2001
From: Ludovic Muller <ludovicmuller1@gmail.com>
Date: Wed, 25 Mar 2026 13:52:27 +0100
Subject: [PATCH 2/3] env: MAPTILER_STYLE_KEY -> MAPTILER_API_KEY

---
 .env.example                           | 2 +-
 CHANGELOG.md                           | 4 ++--
 app/.env.development                   | 2 +-
 app/charts/map/get-base-layer-style.ts | 4 ++--
 app/domain/env.ts                      | 5 +++--
 app/pages/api/client-env.ts            | 2 +-
 6 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/.env.example b/.env.example
index a821022946..84bd766f63 100644
--- a/.env.example
+++ b/.env.example
@@ -7,7 +7,7 @@ NEXTAUTH_URL=123
 NEXTAUTH_SECRET=123
 
 # Maptile configuration
-MAPTILER_STYLE_KEY=123
+MAPTILER_API_KEY=123
 
 # SEO
 PREVENT_SEARCH_BOTS=false
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 39fb752d8c..48723479db 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,8 +14,8 @@ You can also check the
 - Features
   - Add SPARQL endpoints in the OpenTelemetry traces
 - Maintenance
-  - Set Maptiler API key from environment variable at runtime, to avoid having
-    to rebuild the application when the key is rotated
+  - Set Maptiler API key from `MAPTILER_API_KEY` environment variable at
+    runtime, to avoid having to rebuild the application when the key is rotated
 
 ### 6.4.0 – 2026-03-13
 
diff --git a/app/.env.development b/app/.env.development
index e7ddc0c0f3..8a86b1f981 100644
--- a/app/.env.development
+++ b/app/.env.development
@@ -4,6 +4,6 @@ SPARQL_GEO_ENDPOINT=https://geo.ld.admin.ch/query
 GRAPHQL_ENDPOINT=/api/graphql
 WHITELISTED_DATA_SOURCES=["Prod", "Prod-uncached", "Int", "Int-uncached", "Test", "Test-uncached", "LINDASold-Prod", "LINDASold-Prod-uncached", "LINDASold-Int", "LINDASold-Int-uncached", "LINDASold-Test", "LINDASold-Test-uncached"]
 NEXT_PUBLIC_VECTOR_TILE_URL=https://world.vectortiles.geo.admin.ch
-MAPTILER_STYLE_KEY=123
+MAPTILER_API_KEY=123
 ADFS_PROFILE_URL=https://www.myaccount-r.eiam.admin.ch/
 NEXTAUTH_URL=https://localhost:3000
diff --git a/app/charts/map/get-base-layer-style.ts b/app/charts/map/get-base-layer-style.ts
index 4a09884861..2a910df912 100644
--- a/app/charts/map/get-base-layer-style.ts
+++ b/app/charts/map/get-base-layer-style.ts
@@ -2,7 +2,7 @@ import merge from "lodash/merge";
 import { useMemo } from "react";
 import { MapboxStyle } from "react-map-gl";
 
-import { BASE_VECTOR_TILE_URL, MAPTILER_STYLE_KEY } from "@/domain/env";
+import { BASE_VECTOR_TILE_URL, MAPTILER_API_KEY } from "@/domain/env";
 
 import { Locale } from "../../locales/locales";
 
@@ -10,7 +10,7 @@ import greyStyleBase from "./grey.json";
 import { hasLayout, mapLayers, replaceStyleTokens } from "./style-helpers";
 
 const tokens = {
-  "{key}": MAPTILER_STYLE_KEY,
+  "{key}": MAPTILER_API_KEY,
   "<BASE_VECTOR_TILE>": BASE_VECTOR_TILE_URL,
 };
 
diff --git a/app/domain/env.ts b/app/domain/env.ts
index 42243f4016..fe46dfec88 100644
--- a/app/domain/env.ts
+++ b/app/domain/env.ts
@@ -48,6 +48,9 @@ export const GA_TRACKING_ID =
 export const ADFS_PROFILE_URL =
   clientEnv?.ADFS_PROFILE_URL ?? process.env.ADFS_PROFILE_URL;
 
+export const MAPTILER_API_KEY =
+  clientEnv?.MAPTILER_API_KEY ?? process.env.MAPTILER_API_KEY ?? "";
+
 /**
  * Server-side-only **RUNTIME** variables (not exposed through window)
  */
@@ -66,5 +69,3 @@ export const BUILD_GITHUB_REPO = (
 ).replace(/^git\+https/, "https"); // Don't use git+https for the link, need to check with Abraxas
 export const BASE_VECTOR_TILE_URL =
   process.env.NEXT_PUBLIC_BASE_VECTOR_TILE_URL ?? "";
-export const MAPTILER_STYLE_KEY =
-  clientEnv?.MAPTILER_STYLE_KEY ?? process.env.MAPTILER_STYLE_KEY ?? "";
diff --git a/app/pages/api/client-env.ts b/app/pages/api/client-env.ts
index 15092f8c41..c5c177a23a 100644
--- a/app/pages/api/client-env.ts
+++ b/app/pages/api/client-env.ts
@@ -24,7 +24,7 @@ export default async function clientEnvApi(
           PUBLIC_URL: process.env.PUBLIC_URL,
           GRAPHQL_ENDPOINT: process.env.GRAPHQL_ENDPOINT,
           ADFS_PROFILE_URL: process.env.ADFS_PROFILE_URL,
-          MAPTILER_STYLE_KEY: process.env.MAPTILER_STYLE_KEY,
+          MAPTILER_API_KEY: process.env.MAPTILER_API_KEY,
         })}`;
 
         if (result) {

From 0726378b4ae178655c7f2173cbdfc8b0f2413f86 Mon Sep 17 00:00:00 2001
From: Ludovic Muller <ludovicmuller1@gmail.com>
Date: Wed, 25 Mar 2026 13:55:49 +0100
Subject: [PATCH 3/3] chore: remove unused NEXT_PUBLIC_VECTOR_TILE_URL

---
 app/.env.development | 1 -
 1 file changed, 1 deletion(-)

diff --git a/app/.env.development b/app/.env.development
index 8a86b1f981..d9b8f73f54 100644
--- a/app/.env.development
+++ b/app/.env.development
@@ -3,7 +3,6 @@ ENDPOINT=sparql+https://cached.lindas.admin.ch/query
 SPARQL_GEO_ENDPOINT=https://geo.ld.admin.ch/query
 GRAPHQL_ENDPOINT=/api/graphql
 WHITELISTED_DATA_SOURCES=["Prod", "Prod-uncached", "Int", "Int-uncached", "Test", "Test-uncached", "LINDASold-Prod", "LINDASold-Prod-uncached", "LINDASold-Int", "LINDASold-Int-uncached", "LINDASold-Test", "LINDASold-Test-uncached"]
-NEXT_PUBLIC_VECTOR_TILE_URL=https://world.vectortiles.geo.admin.ch
 MAPTILER_API_KEY=123
 ADFS_PROFILE_URL=https://www.myaccount-r.eiam.admin.ch/
 NEXTAUTH_URL=https://localhost:3000