API call results in an empty data response (202 status code)

Hi all, we are facing strange behaviour regarding the Figma API endpoint /v1/images.

We are fetching some images, but sometimes we get an API response with an empty data field and no additional error like “too many requests” or similar.

Is there any known issue or limitation?


Update: Looks like we get a response with status code 202. What is the best way to resolve this status code?

The 202 (Accepted) status code indicates that the request has been accepted for processing, but the processing has not been completed.

For me it's out of context what this status code means in combination with the called endpoint.

We’ve also been struggling with this behavior for a couple of hours so far.

We took a look at the headers sent by the server:

    'server' => { name: 'Server', value: 'CloudFront' },
    'date' => { name: 'Date', value: 'Tue, 26 Mar 2024 11:12:35 GMT' },
    'content-length' => { name: 'Content-Length', value: '0' },
    'connection' => { name: 'Connection', value: 'keep-alive' },
    'x-amzn-waf-action' => { name: 'x-amzn-waf-action', value: 'challenge' },
    'cache-control' => { name: 'Cache-Control', value: 'no-store, max-age=0' },
    'content-type' => { name: 'Content-Type', value: 'text/html; charset=UTF-8' },
    'x-cache' => { name: 'X-Cache', value: 'Error from cloudfront' },
    'via' => {
      name: 'Via',
      value: '1.1 6752f2850d05a4fdd1d6e5786f5d2938.cloudfront.net (CloudFront)'
    },
    'x-amz-cf-pop' => { name: 'X-Amz-Cf-Pop', value: 'SOF50-C1' },
    'alt-svc' => { name: 'Alt-Svc', value: 'h3=":443"; ma=86400' },
    'x-amz-cf-id' => {
      name: 'X-Amz-Cf-Id',
      value: '...'
    },
    'strict-transport-security' => {
      name: 'Strict-Transport-Security',
      value: 'max-age=31536000; includeSubDomains; preload'
    }

AWS website suggests that ‘x-amzn-waf-action’ header is sent when a challenge for «legitimate client session» is required.


Yep we got the same response header

Same here.

AWS website suggests that ‘x-amzn-waf-action’ header is sent when a challenge for «legitimate client session» is required.

AWS says it is “Missing, invalid, or expired token”, but the token is correct. Creating a new token changes nothing.

Making request with curl works. Using js fetch does not. Maybe it is something to do with User-Agent. Investigating…

We’re running into the same issues. We’ve written a bunch of tools that call the Figma API with node-fetch and as of today all we get back is a 202.
I can use the same token in postman and it works most of the time. But even then I’ll get back a 202 every now and then by adding or removing the X-Figma-Token:

Using node-libcurl also works within Node.js, but node-fetch or node:https does not. Changing User-Agent does not help.

same here. btw, 2 days ago it worked fine. now data: ‘’ :person_facepalming:

We are using axios to call the endpoint :man_shrugging: and I can confirm what @Eugene_Gromadsky wrote. The first time I discovered the problem was around yesterday afternoon.

yep, worked for years for me also until today.

Seems like AWS is doing a challenge check on these requests:

On Node v20.11.1 the standard fetch request always works, while axios always returns an empty string:

const teamProjects = await fetch(`https://api.figma.com/v1/teams/${FIGMA.TEAM_ID}/projects`, {
	headers: {
		'X-Figma-Token': FIGMA.ACCESS_TOKEN
	}
}).then((response) => response.json());

Works well with fetch (node v20). It's a workaround for now, but it should not matter which http lib we are using.

We’re also seeing this issue with fetch in node (v18).

Not sure what is going on here, but it seems like downgrading Node from v20 to v16 fixes the issue with axios for us.

It helps for me (v20.11.0). Thank you.

I think this was just fixed on Figma’s end. Node version shouldn’t really affect this? It’s working for us again now with no node version changes.

It matters for server requests because native Fetch API only exists on NodeJS since v18.
But my guess is that that AWS Challenge was turned on by default during an upgrade (AWS does stuff like that) and Axios - and others - are maybe adding something that makes it trigger (User Agent or any other header) the browser challenge.
But of course, I can be totally wrong and this is something else entirely.
Figma is a massively complex system, so better not make any assumptions :wink:
For what it's worth, in my use case I dropped the reliance on a third-party package and refactored to use native Fetch instead.

Hey folks, Jeff from Figma here. We appreciate everyone’s patience on this issue and sincerely apologize for the disruption.

First, the details: we had a misconfiguration in our anti-automation protection. This was in effect from March 25 5:50PM Pacific to March 26 8:50AM Pacific, and affected about 0.5% of our REST API traffic. As others have observed in this thread, if you hit this issue, you’d get a 202 status code with an empty response body. Definitely not great!

We’re working on trying to prevent this thing from happening again. More than that, we’re also not happy with how long it took us to get to a solution. We had some early metrics that didn’t accurately convey the scope of the issue, and we’re working on improving our response time.

Thanks again for everyone bearing with us.
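
Added example (not part of any post in this thread, and not Figma's or AWS's code): a client-side check that surfaces the symptom reported above, a 202 with an empty body and an `x-amzn-waf-action` header, as an explicit error instead of passing an empty string to callers. The names `getHeader`, `classifyResponse`, `fetchJsonChecked` and `challengeSample` are hypothetical, and the sample response is constructed from the headers quoted earlier.

```javascript
// Read a header case-insensitively from a fetch Headers object or a plain object.
function getHeader(headers, name) {
  if (headers && typeof headers.get === 'function') return headers.get(name);
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers || {})) {
    if (key.toLowerCase() === wanted) return value;
  }
  return null;
}

// Classify a response so a WAF action is never mistaken for "success, no data".
function classifyResponse({ status, headers, body }) {
  const wafAction = getHeader(headers, 'x-amzn-waf-action');
  if (wafAction) return { kind: 'waf-' + wafAction.toLowerCase() };
  if (status === 429) return { kind: 'rate-limited' };
  if (status >= 200 && status < 300) {
    // A 2xx with no payload is not usable data for a JSON endpoint.
    if (!body || body.length === 0) return { kind: 'empty-body' };
    try {
      return { kind: 'ok', data: JSON.parse(body) };
    } catch {
      return { kind: 'non-json-body' };
    }
  }
  return { kind: 'http-error' };
}

// Wrapper: throw a descriptive error rather than returning an empty result.
// fetchImpl is injectable so the check can be exercised without network access.
async function fetchJsonChecked(url, options, fetchImpl = fetch) {
  const response = await fetchImpl(url, options);
  const body = await response.text();
  const result = classifyResponse({ status: response.status, headers: response.headers, body });
  if (result.kind !== 'ok') {
    const err = new Error(`Unexpected response (${response.status}): ${result.kind}`);
    err.kind = result.kind;
    throw err;
  }
  return result.data;
}

// Constructed sample mirroring the thread: 202, Content-Length 0, WAF challenge header.
const challengeSample = {
  status: 202,
  headers: { 'Content-Length': '0', 'x-amzn-waf-action': 'challenge' },
  body: '',
};
```

Logging `err.kind` together with the `X-Amz-Cf-Id` response header gives the API provider's support team something concrete to trace.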