MBTiles and PMTiles File Sources
Martin can serve any type of tiles from PMTile
and MBTile files. To serve a file from CLI, simply put the path to the file or
the directory with *.mbtiles or *.pmtiles files. A path to PMTiles file may be a URL. For example:
martin /path/to/mbtiles/file.mbtiles /path/to/directory https://example.org/path/tiles.pmtiles
You may also want to generate a config file using the --save-config my-config.yaml, and later edit
it and use it with --config my-config.yaml option.
tip
See our tile sources explanation for a more detailed explanation on the difference between our available data sources.
Autodiscovery
For mbtiles or local pmtiles files, we support auto discovering at startup. This means that the following will discover all mbtiles and pmtiles files in the directory:
martin /path/to/directory
warning
For remote PMTiles, we don’t currently support auto-discovery. If you want to implement this feature, please see https://github.com/maplibre/martin/issues/2180
We also don’t currently support refreshing the catalog at runtime. If you want to implement this feature, please see https://github.com/maplibre/martin/issues/288 instead.
Serving PMTiles from local file systems, http or Object Storage
The settings avaliable for a PMTiles source depend on the backend:
For local sources, you need to provide the path or URL. For example:
martin path/to/tiles.pmtiles
The available schemes are:
file:///path/to/my/file.pmtilespath/to/my/file.pmtiles
You can also configure this via the configuration file:
pmtiles:
sources:
tiles: file:///path/to/my/file.pmtiles
For HTTP(s), you need to provide the url. For example:
martin https://example.com/tiles.pmtiles
The available url schemes are:
http://example.com/path.pmtileshttps://example.com/path.pmtiles
If you want more control over your requests, you can configure additional options here as such:
pmtiles:
allow_http: true
sources:
tiles: s3://bucket/path/to/tiles.pmtiles
Available http client settings
Security options
| configuration | description | example |
|---|---|---|
allow_http | Allow non-TLS, i.e. non-HTTPS connections Security warning: If you enable this option, attackers may be able to read the data you request | true |
allow_invalid_certificates | Skip certificate validation on https connections Security warning: You should think very carefully before using this method. If invalid certificates are trusted, any certificate for any site will be trusted for use. This includes expired certificates. This introduces significant vulnerabilities, and should only be used as a last resort or for testing | true |
Connection options
| configuration | description | example |
|---|---|---|
user_agent | User-Agent header to be used by this client | martin 1.0.0 |
randomize_addresses | Randomize order addresses that the DNS resolution yields. This will spread the connections across more servers. | true |
connect_timeout | Timeout for only the connect phase of a Client | 5s |
timeout | The timeout is applied from when the request starts connecting until the response body has finished | 10s |
pool_idle_timeout | The pool max idle timeout | 5m |
pool_max_idle_per_host | maximum number of idle connections per host | 10 |
http1_only | Only use http1 connections | false |
http2_only | Only use http2 connections | false |
http2_keep_alive_interval | Interval for HTTP2 Ping frames should be sent to keep a connection alive. | 15s |
http2_keep_alive_timeout | Timeout for receiving an acknowledgement of the keep-alive ping. | 15s |
http2_keep_alive_while_idle | Enable HTTP2 keep alive pings for idle connections | true |
http2_max_frame_size | Sets the maximum frame size to use for HTTP2. |
Proxy settings
| configuration | description | example |
|---|---|---|
proxy_url | HTTP proxy to use for requests | http://proxy.example.com:8080 |
proxy_ca_certificate | PEM-formatted CA certificate for proxy connections | -----BEGIN CERTIFICATE-----… -----END CERTIFICATE----- |
proxy_excludes | List of hosts that bypass proxy | example.com, maplibre.org |
important
Even though we name this section Amazon S3, it also works with other providers that support the S3 API, such as MinIO, Ceph, Cloudflare R2, hetzner object storage and many more.
For AWS, you need to provide the bucket name and the prefix of the object key. For example:
martin s3://my-bucket/tiles.pmtiles
The available url schemes are:
s3://bucket/paths3a://bucket/path
If you want more control over your requests, you can configure additional options here as such:
pmtiles:
allow_http: true
sources:
tiles: s3://bucket/path/to/tiles.pmtiles
tip
All settings are also available under the aws_ prefix.
This can be useful if you want to have different cloud providers.
Available AWS S3 settings
AWS specific Authentication & Credentials
| configuration | description | example |
|---|---|---|
access_key_id | AWS Access Key | AKIAIOSFODNN7EXAMPLE |
secret_access_key | Secret Access Key | wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY |
session_tokentoken | AWS session token used for temporary credentials | IQoJb3JpZ2luX2VjEOr... |
web_identity_token_file | Web identity token file path for AssumeRoleWithWebIdentity | /var/run/secrets/eks.amazonaws.com/serviceaccount/token |
role_arn | Role ARN to assume with web identity token | arn:aws:iam::123456789012:role/MyWebIdentityRole |
role_session_name | Session name for web identity assumption | my-session |
endpoint_url_sts | Custom STS endpoint for web identity token exchange | https://sts.amazonaws.com |
AWS specific Connection & Endpoint Configuration
| configuration | description | example |
|---|---|---|
region | AWS region Defaults to us-east-1 | us-west-2 |
bucketbucket_name | Bucket name | my-app-bucket |
endpointendpoint_url | Custom S3 endpoint Defaults to regional endpoint Ensure consistency with virtual_hosted_style_requestBy default, only HTTPS schemes are enabled; enabling HTTP can expose sensitive data Local testing example: "http://localhost:4566" | https://s3.us-west-2.amazonaws.com |
metadata_endpoint | Instance metadata endpoint (IPv4 default http://169.254.169.254)IPv6 alternative: http://fd00:ec2::254 | http://169.254.169.254 |
container_credentials_relative_uri | ECS container credentials relative URI | /v2/credentials/12345678-1234-1234-1234-123456789012 |
container_credentials_full_uri | EKS container credentials full URI | http://169.254.170.2/v2/credentials/abc123 |
container_authorization_token_file | Authorization token file for EKS container creds | /var/run/secrets/eks.amazonaws.com/serviceaccount/token |
AWS specific Request Behavior & Fallbacks
| configuration | description | example |
|---|---|---|
imdsv1_fallback | Fall back to IMDSv1 if IMDSv2 is not supported (useful for older kube2iam deployments) Security note: AWS recommends IMDSv2 only; IMDSv1 is vulnerable to SSRF attacks Has no effect if not using instance credentials | true |
virtual_hosted_style_request | Use virtual-hosted-style requests instead of path-style Endpoint must match the style Ensures correct bucket addressing for security and routing | true |
skip_signature | Skip signing request Security warning: Unsigned requests may expose credentials or allow tampering if endpoint is public | true |
unsigned_payload | Use unsigned payload option (UNSIGNED-PAYLOAD) instead of signedImpact: Checksums for request body are not computed in canonical requests, which can reduce integrity guarantees Default is signed payload with checksum | true |
disable_tagging | Disable tagging objects (useful if unsupported by backend) | true |
s3_express | Enable S3 Express One Zone | true |
request_payer | Enable S3 Requester Pays | true |
AWS Specific Object Integrity & Encryption
| configuration | description | example |
|---|---|---|
checksum | Checksum algorithm for uploads | SHA256 |
server_side_encryption | Type of server-side encryption:AES256 (SSE-S3)aws:kms (SSE-KMS)aws:kms:dsse (DSSE-KMS)sse-c | AES256 |
kms_key_id | KMS Key ID for SSE-KMS or DSSE-KMS | arn:aws:kms:us-east-1:123456789012:key/abcd-1234-efgh-5678 |
bucket_key_enabled | Use bucket’s default KMS key (true/false) | true |
customer_encryption_key | Base64-encoded 256-bit key for SSE-C | MDEyMzQ1Njc4OUFCQ0RFRjAxMjM0NTY3ODlBQkNERUY= |
Security options
| configuration | description | example |
|---|---|---|
allow_http | Allow non-TLS, i.e. non-HTTPS connections Security warning: If you enable this option, attackers may be able to read the data you request | true |
allow_invalid_certificates | Skip certificate validation on https connections Security warning: You should think very carefully before using this method. If invalid certificates are trusted, any certificate for any site will be trusted for use. This includes expired certificates. This introduces significant vulnerabilities, and should only be used as a last resort or for testing | true |
Connection options
| configuration | description | example |
|---|---|---|
user_agent | User-Agent header to be used by this client | martin 1.0.0 |
randomize_addresses | Randomize order addresses that the DNS resolution yields. This will spread the connections across more servers. | true |
connect_timeout | Timeout for only the connect phase of a Client | 5s |
timeout | The timeout is applied from when the request starts connecting until the response body has finished | 10s |
pool_idle_timeout | The pool max idle timeout | 5m |
pool_max_idle_per_host | maximum number of idle connections per host | 10 |
http1_only | Only use http1 connections | false |
http2_only | Only use http2 connections | false |
http2_keep_alive_interval | Interval for HTTP2 Ping frames should be sent to keep a connection alive. | 15s |
http2_keep_alive_timeout | Timeout for receiving an acknowledgement of the keep-alive ping. | 15s |
http2_keep_alive_while_idle | Enable HTTP2 keep alive pings for idle connections | true |
http2_max_frame_size | Sets the maximum frame size to use for HTTP2. |
Proxy settings
| configuration | description | example |
|---|---|---|
proxy_url | HTTP proxy to use for requests | http://proxy.example.com:8080 |
proxy_ca_certificate | PEM-formatted CA certificate for proxy connections | -----BEGIN CERTIFICATE-----… -----END CERTIFICATE----- |
proxy_excludes | List of hosts that bypass proxy | example.com, maplibre.org |
For Google Cloud, you need to provide the bucket name and the prefix of the object key. For example:
martin gs://my-bucket/tiles.pmtiles
The available url scheme is:
gs://bucket/path
If you want more control over your requests, you can configure additional options here as such:
pmtiles:
allow_http: true
sources:
tiles: gs://bucket/path/to/tiles.pmtiles
tip
All settings are also available under the google_ prefix.
This can be useful if you want to have different cloud providers.
Available google settings
Google specific configuration
| configuration | description | example |
|---|---|---|
service_accountservice_account_path | Path to the service account file | some/path/to/file |
service_account_key | The serialized service account key | {"private_key": "private_key", "private_key_id": "private_key_id", "client_email":"client_email", "disable_oauth":true} |
bucketbucket_name | Bucket name | foobar-abc |
application_credentials | Set the path to the application credentials file | some/path/to/file |
skip_signature | Skip signing request | true |
Security options
| configuration | description | example |
|---|---|---|
allow_http | Allow non-TLS, i.e. non-HTTPS connections Security warning: If you enable this option, attackers may be able to read the data you request | true |
allow_invalid_certificates | Skip certificate validation on https connections Security warning: You should think very carefully before using this method. If invalid certificates are trusted, any certificate for any site will be trusted for use. This includes expired certificates. This introduces significant vulnerabilities, and should only be used as a last resort or for testing | true |
Connection options
| configuration | description | example |
|---|---|---|
user_agent | User-Agent header to be used by this client | martin 1.0.0 |
randomize_addresses | Randomize order addresses that the DNS resolution yields. This will spread the connections across more servers. | true |
connect_timeout | Timeout for only the connect phase of a Client | 5s |
timeout | The timeout is applied from when the request starts connecting until the response body has finished | 10s |
pool_idle_timeout | The pool max idle timeout | 5m |
pool_max_idle_per_host | maximum number of idle connections per host | 10 |
http1_only | Only use http1 connections | false |
http2_only | Only use http2 connections | false |
http2_keep_alive_interval | Interval for HTTP2 Ping frames should be sent to keep a connection alive. | 15s |
http2_keep_alive_timeout | Timeout for receiving an acknowledgement of the keep-alive ping. | 15s |
http2_keep_alive_while_idle | Enable HTTP2 keep alive pings for idle connections | true |
http2_max_frame_size | Sets the maximum frame size to use for HTTP2. |
Proxy settings
| configuration | description | example |
|---|---|---|
proxy_url | HTTP proxy to use for requests | http://proxy.example.com:8080 |
proxy_ca_certificate | PEM-formatted CA certificate for proxy connections | -----BEGIN CERTIFICATE-----… -----END CERTIFICATE----- |
proxy_excludes | List of hosts that bypass proxy | example.com, maplibre.org |
For Azure, you need to provide the account name, container and path. For example:
martin az://account/container.pmtiles
The available url schemes are:
az://account/container/path.pmtilesadl://account/container/path.pmtilesazure://account/container/path.pmtilesabfs://account/container/path.pmtilesabfss://account/container/path.pmtiles
If you want more control over your requests, you can configure additional options here as such:
pmtiles:
allow_http: true
sources:
tiles: az://account/container/path.pmtiles
tip
All settings are also available under the azure_ prefix.
This can be useful if you want to have different cloud providers.
Available azure settings
Azure specific Authentication & Credentials
| configuration | description | example |
|---|---|---|
account_name | Name of the Azure Storage account | myaccount |
access_keyaccount_keymaster_key | Master key for accessing the storage account Security note: Keep this key secret; anyone with access can read/write all data in the account | abcd1234efgh5678ijkl9012mnop3456qrst7890uvwx1234yzab5678cdef9012 |
client_id | Service principal client ID for OAuth authorization | 12345678-90ab-cdef-1234-567890abcdef |
client_secret | Service principal client secret for OAuth authorization Security note: Must be kept confidential | s3cr3tV@lu3! |
tenant_idauthority_id | Tenant ID used in OAuth flows | abcdef12-3456-7890-abcd-ef1234567890 |
authority_host | Authority host used in OAuth flows | https://login.microsoftonline.com/ |
sas_keysas_token | Shared Access Signature (percent-encoded) Security note: Grants scoped access; treat as sensitive credentials | sv=2021-06-08&ss=b&srt=sco&sp=rwdl&se=2025-12-31T23:59:00Z&sig=ABCDEF1234567890 |
bearer_tokentoken | Bearer token for requests Security note: Token must be protected; use HTTPS | eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9... |
identity_endpointmsi_endpoint | Endpoint to request a managed identity token | http://169.254.169.254/metadata/identity/oauth2/token |
object_id | Object ID for use with managed identity authentication | 12345678-90ab-cdef-1234-567890abcdef |
msi_resource_id | Resource ID for managed identity authentication | /subscriptions/12345678-90ab-cdef-1234-567890abcdef/resourcegroups/myrg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myidentity |
federated_token_file | File containing token for Azure AD workload identity federation | /var/run/secrets/azure/federated-token |
use_azure_cli | Use Azure CLI for acquiring access token | true |
Azure specific Connection & Endpoint Configuration
| configuration | description | example |
|---|---|---|
endpoint | Override endpoint used to communicate with blob storage | https://myaccount.blob.core.windows.net |
object_store_use_emulatoruse_emulator | Use Azurite storage emulator | true |
use_fabric_endpoint | Use Azure Fabric endpoint (account.dfs.fabric.microsoft.com) | true |
container_name | Container name in the storage account | mycontainer |
Azure specific Request Behavior & Security Options
| configuration | description | example |
|---|---|---|
skip_signature | Skip signing requests Security warning: Unsigned requests may expose sensitive data or allow tampering; use only in secure or local environments | true |
disable_tagging | Disable object tagging (useful if backend does not support it) | true |
fabric_token_service_url | URL of Fabric token service | https://fabric-token.mycompany.com |
fabric_workload_host | Host for Fabric workload | https://workload.fabric.mycompany.com |
fabric_session_token | Session token for Fabric Security note: Must be protected; use HTTPS | eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9... |
fabric_cluster_identifier | Identifier for Fabric cluster | fabric-cluster-01 |
Security options
| configuration | description | example |
|---|---|---|
allow_http | Allow non-TLS, i.e. non-HTTPS connections Security warning: If you enable this option, attackers may be able to read the data you request | true |
allow_invalid_certificates | Skip certificate validation on https connections Security warning: You should think very carefully before using this method. If invalid certificates are trusted, any certificate for any site will be trusted for use. This includes expired certificates. This introduces significant vulnerabilities, and should only be used as a last resort or for testing | true |
Connection options
| configuration | description | example |
|---|---|---|
user_agent | User-Agent header to be used by this client | martin 1.0.0 |
randomize_addresses | Randomize order addresses that the DNS resolution yields. This will spread the connections across more servers. | true |
connect_timeout | Timeout for only the connect phase of a Client | 5s |
timeout | The timeout is applied from when the request starts connecting until the response body has finished | 10s |
pool_idle_timeout | The pool max idle timeout | 5m |
pool_max_idle_per_host | maximum number of idle connections per host | 10 |
http1_only | Only use http1 connections | false |
http2_only | Only use http2 connections | false |
http2_keep_alive_interval | Interval for HTTP2 Ping frames should be sent to keep a connection alive. | 15s |
http2_keep_alive_timeout | Timeout for receiving an acknowledgement of the keep-alive ping. | 15s |
http2_keep_alive_while_idle | Enable HTTP2 keep alive pings for idle connections | true |
http2_max_frame_size | Sets the maximum frame size to use for HTTP2. |
Proxy settings
| configuration | description | example |
|---|---|---|
proxy_url | HTTP proxy to use for requests | http://proxy.example.com:8080 |
proxy_ca_certificate | PEM-formatted CA certificate for proxy connections | -----BEGIN CERTIFICATE-----… -----END CERTIFICATE----- |
proxy_excludes | List of hosts that bypass proxy | example.com, maplibre.org |