  • before 🤗

Previously, you could generate a [no expire] token

  • now 😔

If users rely on tokens to access the Figma open API, forgetting to replace expired tokens can cause serious problems.

The expiration date of the limited period will cause the Figma token to no longer have usage value.

 

Hi ​@shijia.me, thanks for reaching out! 

Our team is investing in security improvements to our API, so as a first step, we decided to remove the ability to create non-expiring personal access tokens.




Thanks for your reply.

Please provide alternatives instead of removing this feature.


Hi ​@djv!
Thank you for elaborating on the situation.

Could it be possible to have a more extended option? For example, 6 months? The maintenance of updating pipelines and machines every 3 months (90 days) is too high for us. So a longer extended period for us would be great, but ideally a non-expired / yearly period would be a better option.


Hey All, thanks for the additional feedback! 

We’ve updated this topic into a feature request, and we’ve passed this along to the team for future consideration.

While this isn’t on the team’s immediate pipeline, they will be monitoring this topic to collect feedback from the community. 


I value the limitation for security purposes — but:

As I already mentioned on X, I’d really appreciate it if this limitation could be extended or removed for read-only tokens.

Idea 1:
Adjust the restriction based on the file’s visibility status — e.g. whether it’s private, public, or something in between. Introducing a third state like “confidential” or “sensitive” could help better reflect the security context.

Idea 2:
Figma could implement an AI-based check to determine whether a token might pose a security risk, depending on its scope or the sensitivity of the data it grants access to.

Idea 3:
Log the usage of the token and allow users to monitor it — for example, by seeing which hosts or users are making requests. Similar to "known device" features on other platforms, users could then confirm, “yes, that’s me.”

Idea 3a:
Allow passing a label or tag as a second argument when registering the token, to help track its usage more easily.


Thanks for your feedback, ​@Robert Willemelis

I’ll pass this onto our team for their consideration. 


Hi folks, please consider making it possible to create long-lived, read-only API tokens.

We need a way to periodically access the Figma API from CI pipelines. With the current token lifetime, someone is going to have to manually update the token every 3 months, which is not a great solution, to put it mildly.


This is a showstopper for running code-connect on the CI and thus using it in a professional context.

Please let us have a workspace token or something similar that does not expire. 

