Skill

figma-install-auth

Configures Figma REST API authentication with personal access tokens or OAuth 2.0, covering token generation, scopes, secure storage, and verification for integrations.

Figma

Node

npx claudepluginhub jeremylongshore/claude-code-plugins-plus-skills --plugin figma-pack

Tool Access

This skill is limited to using the following tools:

ReadWriteEditBash(npm:*)Bash(curl:*)Grep

Preview

Configure authentication for the Figma REST API. Figma supports two auth methods: Personal Access Tokens (PATs) for scripts and server-side tools, and OAuth 2.0 for apps that act on behalf of users. All requests go to `https://api.figma.com`.

SKILL.md

Similar Skills

figma-security-basics

1.9k

Secures Figma API integrations: stores tokens safely, configures least-privilege scopes, rotates credentials, verifies webhook passcodes.

3 tools

figma-pack

canva-install-auth

1.9k

Sets up Canva Connect API OAuth 2.0 PKCE authentication, credentials, and TypeScript scaffolding for new integrations.

7 tools

canva-pack

anima-install-auth

1.9k

Installs @animaapp/anima-sdk and configures Figma/Anima tokens for server-side code generation from Figma designs to React, Vue, or HTML with Tailwind/MUI styling.

5 tools

anima-pack

Stats

Parent Repo Stars1854

Parent Repo Forks248

Last CommitMar 22, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Figma Install & Auth

Overview

Prerequisites

Figma account (Free, Professional, or Enterprise)
Node.js 18+ (for JS/TS integrations)
A Figma file key (the string after /design/ in a Figma URL)

Instructions

Step 1: Generate a Personal Access Token

Open Figma > Settings > Account > Personal access tokens
Click Generate new token
Name the token and assign scopes:

Scope	Access	Use Case
`file_content:read`	Read file JSON	Inspecting layers, extracting design tokens
`file_content:write`	Modify files	Programmatic design updates
`file_comments:read`	Read comments	Review tooling
`file_comments:write`	Post comments	Automated feedback
`file_dev_resources:read`	Dev resources	Dev mode integrations
`file_variables:read`	Read variables	Design token sync
`file_variables:write`	Write variables	Token pipeline
`webhooks:write`	Manage webhooks	Event-driven automation

Copy the token immediately -- it is shown only once
PATs expire after a maximum of 90 days

Step 2: Store Credentials Securely

# .env (NEVER commit to git)
FIGMA_PAT="figd_your-personal-access-token"
FIGMA_FILE_KEY="abc123XYZdefaultFileKey"

# .gitignore
.env
.env.local
.env.*.local

Step 3: Verify Connection

# Test with curl -- should return your user profile
curl -s -H "X-Figma-Token: ${FIGMA_PAT}" \
  https://api.figma.com/v1/me | jq '.handle, .email'

// verify-figma.ts
const PAT = process.env.FIGMA_PAT!;

const res = await fetch('https://api.figma.com/v1/me', {
  headers: { 'X-Figma-Token': PAT },
});

if (!res.ok) throw new Error(`Figma auth failed: ${res.status}`);
const me = await res.json();
console.log(`Authenticated as ${me.handle} (${me.email})`);

Step 4: OAuth 2.0 (For User-Facing Apps)

Use OAuth when your app needs to act on behalf of other Figma users.

// 1. Redirect user to Figma authorization URL
const authUrl = new URL('https://www.figma.com/oauth');
authUrl.searchParams.set('client_id', process.env.FIGMA_CLIENT_ID!);
authUrl.searchParams.set('redirect_uri', 'https://yourapp.com/auth/callback');
authUrl.searchParams.set('scope', 'file_content:read,file_comments:write');
authUrl.searchParams.set('state', crypto.randomUUID());
authUrl.searchParams.set('response_type', 'code');
// Redirect: res.redirect(authUrl.toString());

// 2. Exchange code for access token (must happen within 30 seconds)
async function exchangeCode(code: string): Promise<string> {
  const res = await fetch('https://api.figma.com/v1/oauth/token', {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({
      client_id: process.env.FIGMA_CLIENT_ID!,
      client_secret: process.env.FIGMA_CLIENT_SECRET!,
      redirect_uri: 'https://yourapp.com/auth/callback',
      code,
      grant_type: 'authorization_code',
    }),
  });
  const { access_token, refresh_token, expires_in } = await res.json();
  // Store refresh_token securely for later use
  return access_token;
}

// 3. Refresh expired tokens
async function refreshToken(refreshToken: string): Promise<string> {
  const res = await fetch('https://api.figma.com/v1/oauth/refresh', {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({
      client_id: process.env.FIGMA_CLIENT_ID!,
      client_secret: process.env.FIGMA_CLIENT_SECRET!,
      refresh_token: refreshToken,
    }),
  });
  const { access_token } = await res.json();
  return access_token;
}

Output

Personal access token stored in .env
Successful GET /v1/me returning your user handle
(Optional) OAuth flow with token exchange working

Error Handling

Error	Status	Cause	Solution
`403 Forbidden`	403	Token lacks required scope	Regenerate PAT with correct scopes
`Invalid token`	403	Expired or revoked PAT	Generate a new token (90-day max)
`OAuth code expired`	400	Code exchange took >30s	Retry auth flow; exchange immediately
`Invalid redirect_uri`	400	Redirect URL mismatch	Must match URL registered in Figma OAuth app settings
`Rate limited`	429	Too many auth attempts	Wait for `Retry-After` header value

Examples

Reusable Figma Client Wrapper

// src/figma-client.ts
export function figmaFetch(path: string, options: RequestInit = {}) {
  const token = process.env.FIGMA_PAT;
  if (!token) throw new Error('FIGMA_PAT environment variable is not set');

  return fetch(`https://api.figma.com${path}`, {
    ...options,
    headers: {
      'X-Figma-Token': token,
      'Content-Type': 'application/json',
      ...options.headers,
    },
  });
}

// Usage
const file = await figmaFetch(`/v1/files/${fileKey}`).then(r => r.json());

Resources

Next Steps

After successful auth, proceed to figma-hello-world for your first real API call.