Skill

figma-security-basics

Secures Figma API integrations: stores tokens safely, configures least-privilege scopes, rotates credentials, verifies webhook passcodes.

Figma

Typescript

Bash

security

api-development

npx claudepluginhub jeremylongshore/claude-code-plugins-plus-skills --plugin figma-pack

Tool Access

This skill is limited to using the following tools:

ReadWriteGrep

Preview

Secure your Figma API integration: store tokens safely, apply least-privilege scopes, rotate credentials, and verify webhook signatures.

SKILL.md

Similar Skills

figma-install-auth

1.9k

Configures Figma REST API authentication with personal access tokens or OAuth 2.0, covering token generation, scopes, secure storage, and verification for integrations.

6 tools

figma-pack

anima-security-basics

1.9k

Secures Anima and Figma tokens for design-to-code: checklists for minimal scopes, server-side TypeScript enforcement, GCP secret loading, CI secrets, and gitignore.

4 tools

anima-pack

canva-security-basics

1.9k

Applies Canva Connect API security best practices for OAuth tokens: client secret handling, encrypted storage, revocation, least-privilege scopes, and webhook verification.

3 tools

canva-pack

Stats

Parent Repo Stars1854

Parent Repo Forks248

Last CommitMar 22, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Figma Security Basics

Overview

Secure your Figma API integration: store tokens safely, apply least-privilege scopes, rotate credentials, and verify webhook signatures.

Prerequisites

Figma PAT or OAuth app configured
Understanding of environment variables
.gitignore configured for secret files

Instructions

Step 1: Token Storage

# .env (NEVER commit)
FIGMA_PAT="figd_your-personal-access-token"
FIGMA_OAUTH_CLIENT_SECRET="your-oauth-secret"

# .gitignore
.env
.env.local
.env.*.local
*.pem

// Validate token exists before any API call
function getToken(): string {
  const token = process.env.FIGMA_PAT;
  if (!token) throw new Error('FIGMA_PAT is not set');
  if (!token.startsWith('figd_')) {
    console.warn('Token does not have expected figd_ prefix');
  }
  return token;
}

Step 2: Least-Privilege Scopes

Assign the minimum scopes needed for each use case:

Use Case	Required Scopes
Read file structure	`file_content:read`
Export images	`file_content:read`
Post comments	`file_comments:write`
Read variables (Enterprise)	`file_variables:read`
Manage webhooks	`webhooks:write`
Read team components	`team_library_content:read`
Dev mode resources	`file_dev_resources:read`

Deprecated scope: files:read is deprecated. Use specific scopes like file_content:read, file_comments:read instead.

Step 3: Token Rotation

# PATs have a maximum 90-day lifetime
# Schedule rotation before expiry

# 1. Generate new token in Figma Settings > Personal access tokens
# 2. Test new token
curl -s -H "X-Figma-Token: ${NEW_TOKEN}" \
  https://api.figma.com/v1/me | jq '.handle'

# 3. Update environment
# For CI: gh secret set FIGMA_PAT --body "${NEW_TOKEN}"
# For production: update your secret manager

# 4. Verify old token is revoked in Figma Settings

Step 4: Webhook Passcode Verification

Figma webhooks use a passcode field (not HMAC signatures) for verification:

// When creating a webhook, you provide a passcode:
// POST /v2/webhooks
// { "event_type": "FILE_UPDATE", "team_id": "...", "endpoint": "...", "passcode": "my-secret" }

// Figma sends the passcode back in the webhook payload body
interface FigmaWebhookPayload {
  event_type: string;
  passcode: string;      // Your secret, echoed back
  timestamp: string;
  file_key?: string;
  file_name?: string;
  webhook_id: string;
}

function verifyFigmaWebhook(
  payload: FigmaWebhookPayload,
  expectedPasscode: string
): boolean {
  // Timing-safe comparison to prevent timing attacks
  if (payload.passcode.length !== expectedPasscode.length) return false;

  const a = Buffer.from(payload.passcode);
  const b = Buffer.from(expectedPasscode);
  return crypto.timingSafeEqual(a, b);
}

// Express handler
app.post('/webhooks/figma', express.json(), (req, res) => {
  const payload: FigmaWebhookPayload = req.body;

  if (!verifyFigmaWebhook(payload, process.env.FIGMA_WEBHOOK_PASSCODE!)) {
    console.warn('Invalid webhook passcode');
    return res.status(401).json({ error: 'Invalid passcode' });
  }

  // Process the event
  handleFigmaEvent(payload);
  res.status(200).json({ received: true });
});

Step 5: Security Checklist

- [ ] PAT stored in environment variable, not in code
- [ ] `.env` files listed in `.gitignore`
- [ ] Token uses minimum required scopes
- [ ] Token rotation scheduled before 90-day expiry
- [ ] Webhook passcode verified on every incoming request
- [ ] OAuth client secret stored in secret manager (not repo)
- [ ] No tokens in frontend/client-side code
- [ ] Git history scanned for leaked tokens (use `git log -p | grep figd_`)
- [ ] Different tokens for dev/staging/prod environments

Output

Secure token storage configured
Minimum-privilege scopes applied
Webhook passcode verification implemented
Rotation schedule documented

Error Handling

Security Issue	Detection	Mitigation
Token in git history	`git log -p \| grep figd_`	Revoke immediately, rotate, use BFG Repo Cleaner
Expired PAT	403 errors in production	Set calendar reminder for 80-day mark
Over-scoped token	Audit in Figma Settings	Regenerate with minimum scopes
Webhook spoofing	Missing passcode check	Always verify passcode before processing

Resources

Next Steps

For production deployment, see figma-prod-checklist.