
Best way to store env variables in figma plugin (building figma plugin)


DesingLens

I am using supabase auth for users in my figma plugin, and it requires me to store supabase_url and anon_key. These are sensitive variables that should not go public.

 

Storing them in ui.html is not recommended as it is easily inspectable. So I researched different approaches.

One way I found is storing them in the main thread (code.ts), which can communicate with ui.html via post messages. Although I am not sure that this is the perfect way to conceal your sensitive variables.

I need help from developers building plugins to give some insights. Thanks!

3 replies

DesingLens
  • Author
  • New Member
  • 2 replies
  • March 10, 2025

One more thing I want to know: is main thread code inspectable using dev tools? If so, is it safe to store sensitive variables?


tank666
  • 4854 replies
  • March 10, 2025

Never store sensitive information in the plugin code. You should have your own backend or use external services.


DesingLens
  • Author
  • New Member
  • 2 replies
  • March 10, 2025

Hey @tank666,

Thanks for replying. I have my own backend, but I have made the services authorized; if Authorization is not passed to any backend service, it will not work (401 Unauthorized).
I am using supabase client authorization (supabase auth), which requires supabase_url and supabase_anon_key (sensitive vars).

I cannot store them in the backend for 2 reasons (if I fetch variables from the backend):

  • My services are secure currently; I don’t want to allow any API without an authorization header.
  • If I fetch these variables in the frontend, they can be intercepted using dev tools.

If you have used any client in a Figma plugin, how have you managed the secrets and user token?

