Skip to main content
Question

Is it guaranteed that all personal access tokens start with `figd_`?

  • January 17, 2023
  • 6 replies
  • 596 views
subal

Hi.

I’m developing our company’s design system library, where we’re using Figma REST API.

We’re considering to introduce some tools like secretlint, so that we can prevent mistakenly committing credentials like Figma’s personal access tokens.

So we need to know what patterns the tokens are following. It seems they usually start with the prefix figd_, but I’m not sure they are always so.

Is it guaranteed that all personal access tokens start with figd_ ? Or are there any other rules of format that access tokens are following ?

I looked around in https://www.figma.com/developers/api#access-tokens but could not found any information about it ( Is it documented somewhere ? )

This topic has been closed for replies.

6 replies

tank666
  • tank666
  • January 17, 2023

Personal access tokens are unique. Why did you decide that tokens should start with figd_?

UX/UI designer. Figma expert. Creator and developer of plugins and widgets for Figma and FigJam. Check out my resources in Figma Community: figma.com/@tank666
subal
  • subal
  • Author
  • January 17, 2023

Not that I want them to start with the prefix, they currently seem to do so and I would like to know it’s a kind of specification.

You can generate personal access tokens over and over here ( https://www.figma.com/developers/api#access-tokens ) and you will see they always start with figd_.

tank666
  • tank666
  • January 17, 2023

The previously created personal access tokens had no prefixes. So, if today Figma generates a token with the figd_ prefix, this does not guarantee that it will not change in the future.

UX/UI designer. Figma expert. Creator and developer of plugins and widgets for Figma and FigJam. Check out my resources in Figma Community: figma.com/@tank666
Gleb
  • Gleb
  • Power Member
  • January 17, 2023

I still have an old personal token that doesn’t have this structure. But that was a recent change in how tokens work and are issued. So it could be that the structure is now set like this and will not change in the foreseeable future, but only Figma team can answer this for sure in terms of what their intentions are with the current structure.

subal
  • subal
  • Author
  • January 17, 2023

Thank you for sharing @tank666 @Gleb .

So it seems that, detecting access tokens with something like /^figd_/ would not work perfectly in terms of preventing leakage ( if you happen to use older tokens ).

And yes, only Figma team could have further answer for this questions if they think this as a long-term specification.

Gleb
  • Gleb
  • Power Member
  • January 17, 2023

Note that you need to have generated these tokens and kept using them actively. If the tokens were generated and were not used in the specific 1-month window during the transition to the new system, such old tokens are not functional after the update. So there aren’t many of such tokens left.

subal
Terms & ConditionsCookie settingsAccessibility statement