figma-security-basics


Secure Figma API tokens, configure scopes, and validate webhook signatures. Use when securing API keys, implementing least-privilege scopes, or auditing Figma security configuration. Trigger with phrases like "figma security", "figma secrets", "secure figma token", "figma scopes", "figma webhook verify".

AI & Automation 2,266 stars 315 forks Updated today MIT


Skill Content

# Figma Security Basics

## Overview

Secure your Figma API integration: store tokens safely, apply least-privilege scopes, rotate credentials, and verify webhook signatures.

## Prerequisites

- Figma PAT or OAuth app configured
- Understanding of environment variables
- `.gitignore` configured for secret files

## Instructions

### Step 1: Token Storage

```bash
# .env (NEVER commit)
FIGMA_PAT="figd_your-personal-access-token"
FIGMA_OAUTH_CLIENT_SECRET="your-oauth-secret"

# .gitignore
.env
.env.local
.env.*.local
*.pem
```

```typescript
// Validate token exists before any API call
function getToken(): string {
  const token = process.env.FIGMA_PAT;
  if (!token) throw new Error('FIGMA_PAT is not set');
  if (!token.startsWith('figd_')) {
    console.warn('Token does not have expected figd_ prefix');
  }
  return token;
}
```

### Step 2: Least-Privilege Scopes

Assign the minimum scopes needed for each use case:

| Use Case | Required Scopes |
|----------|----------------|
| Read file structure | `file_content:read` |
| Export images | `file_content:read` |
| Post comments | `file_comments:write` |
| Read variables (Enterprise) | `file_variables:read` |
| Manage webhooks | `webhooks:write` |
| Read team components | `team_library_content:read` |
| Dev mode resources | `file_dev_resources:read` |

**Deprecated scope:** `files:read` is deprecated. Use specific scopes like `file_content:read`, `file_comments:read` instead.

### Step 3: Token Rotation

```bash
# PATs have a maximu...
```

Details

Author: jeremylongshore
Repository: jeremylongshore/claude-code-plugins-plus-skills
Created: 7 months ago
Last Updated: today
Language: Python
License: MIT
