Best way to store env variables in figma plugin (building figma plugin)

6 months ago
March 10, 2025
4 replies
198 views

DesingLens
New Member
2 replies

I am using supabase auth for users in my figma plugin, and it requires me to store supabase_url and anon_key. These are sensitive variables that should not go public.

Storing them in ui.html is not recommended as it is easily inspectable. So I researched about different approaches.

One way I found is by storing them main thread (code.ts) which can communicate to ui.html via post messages. Although I am not sure that this is the perfect way to conceal your sensitive variables.

I need help of developers building on plugin to give some insights. Thanks!

This topic has been closed for replies.

DesingLens
Author
New Member
2 replies
6 months ago
March 10, 2025

One more thing I want to know, Is main thread code inspectable using dev tools? if so is it safe to store sensitive variables?

tank666
4873 replies
6 months ago
March 10, 2025

Never store sensitive information in the plugin code. You should have your own backend or use external services.

UX/UI designer. Figma expert. Creator and developer of plugins and widgets for Figma and FigJam. Check out my resources in Figma Community: figma.com/@tank666

DesingLens
Author
New Member
2 replies
6 months ago
March 10, 2025

Hey @tank666 ,

Thanks for replying, I have my own backend but I have made the services authorized, if Authorization is not passed in any backend service, it will not work (401 unauthorized).
I am using supabase client authorization (supabase auth) which requires supabase_url and supbase_anon_key (sensitive vars)

I cannot store them in backend for 2 reason (if i fetch variables from backend) -

my services are secure currently, I don’t want to allow any api without authorization header.
if I fetch these variables in frontend, it can be intercepted using dev tools.

If you have used any client in figma plugin how have you managed the secrets and user token?

Jacopo_Marrone
New Member
4 replies
6 months ago
March 22, 2025

Supabase anon key is safe to expose if I remember well, but requires RLS in the db to limit operations .if you dont use RLS then anon key became sensitive and should not be exposed .

I am using supabase auth for users in my figma plugin, and it requires me to store supabase_url and anon_key. These are sensitive variables that should not go public.

Storing them in ui.html is not recommended as it is easily inspectable. So I researched about different approaches.

One way I found is by storing them main thread (code.ts) which can communicate to ui.html via post messages. Although I am not sure that this is the perfect way to conceal your sensitive variables.

I need help of developers building on plugin to give some insights. Thanks!

Page 1 / 1

One more thing I want to know, Is main thread code inspectable using dev tools? if so is it safe to store sensitive variables?

Never store sensitive information in the plugin code. You should have your own backend or use external services.

Hey @tank666 ,

Thanks for replying, I have my own backend but I have made the services authorized, if Authorization is not passed in any backend service, it will not work (401 unauthorized).
I am using supabase client authorization (supabase auth) which requires supabase_url and supbase_anon_key (sensitive vars)

I cannot store them in backend for 2 reason (if i fetch variables from backend) -

my services are secure currently, I don’t want to allow any api without authorization header.
if I fetch these variables in frontend, it can be intercepted using dev tools.

If you have used any client in figma plugin how have you managed the secrets and user token?

Supabase anon key is safe to expose if I remember well, but requires RLS in the db to limit operations .if you dont use RLS then anon key became sensitive and should not be exposed .

Best way to store env variables in figma plugin (building figma plugin)

4 replies

Solved topics

Change typography

Transfer files from one edu account to another.

Lost access to all my files after I graduated & lost access to school email

Figma Support please can you help me with verification!?

Unable to re-verify my student account

Cookie policy

Cookie settings

Related topics

Storing sensitive variablesicon

Changes of plugin data get lost after offline data integrationicon

How to trigger a plugin from the code?icon

Store license key once verified successfullyicon

How to Store User Information on Plugin Start in Figma Enterprise?icon

Solved topics

Change typography

Transfer files from one edu account to another.

Lost access to all my files after I graduated & lost access to school email

Figma Support please can you help me with verification!?

Unable to re-verify my student account

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded

Cookie policy

Cookie settings