Get only user identity via OAuth

Hello friends,

I noticed the only permission scope of Figma authentication via OAuth2 is “file_read”, but this is too much for me. In my circumstances, users are posting some data to my server inside the Figma plugin, for which I only have to get a valid user identity, not an access to their Figma files.

I think it’s very similar to those “Sign in with Google/Facebook” buttons, does Figma provide something like this? A “Sign in with Figma” button?

There is no such thing unfortunately. But I think it’s still kind of valid to use it for auth until they add more permissions control because without having specific Figma file or team links you won’t be able to get any of their files.

Yes, but how will users know that? They see “xxx would like to access your files”, this is so scary. :fearful:

You can tell users about it on the login page but yeah I agree it doesn’t look good. Interestingly, even the Figma Forum itself asks you for those permissions when you are signing up.

Adding a data point to this conversation:

The future of design tools will be built around Figma. However, if we’re serious about building tools on top of Figma, we must also be sensitive about the users’ data. That is, as an app integrating with Figma, we should be given access to the minimal amount of data needed for the functionality of our app.

An easy first step would be to include a user_profile scope on top of the current file_read scope. This would minimally allow developers to build a “Login with Figma” feature, which can be used as a distribution channel for getting more developers to use the Figma REST APIs.

:slight_smile:


Are there any plans at all to add this in the future?
Having exactly this same situation 2 years later.
Many of our users are paranoid about our tool asking for so much access, while all we need is user information…

Yeah, totally agree that you shouldn’t ask for access you don’t need if you only need user identity.

In June 2023, we deprecated the file_read scope, and created several new scopes to separate write endpoints from read endpoints: https://www.figma.com/developers/api#authentication-scopes

Future endpoints will get reduced scopes where applicable. For the existing GET /v1/me endpoint, I’ve noted the need for a reduced scope internally.

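The thread settles on requesting the narrowest scope Figma offers and using GET /v1/me for identity. The following is an added example (not code from the thread or from Figma) of how an integration can limit its own exposure while it waits for a dedicated identity scope: it asks for a single scope, binds the request to a CSRF `state` value, and retains only the identity fields from the /v1/me body. The authorization endpoint URL and its query parameters are assumed from Figma’s developer docs, not from this page; the sample response body is constructed.

```python
import hmac
import json
import secrets
from urllib.parse import urlencode

# Assumed (from Figma's developer docs, not this thread): the OAuth
# authorization endpoint and the query parameters it accepts.
AUTHORIZE_URL = "https://www.figma.com/oauth"
# The narrowest scope the thread says is currently usable for identity.
MINIMAL_SCOPE = "files:read"
# The only fields of the GET /v1/me body an identity-only integration keeps.
IDENTITY_FIELDS = ("id", "email", "handle")


def new_state() -> str:
    """Per-login random value stored in the session before redirecting."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id: str, redirect_uri: str, state: str) -> str:
    """Authorization-code request asking for exactly one scope and carrying
    the session's state value so the callback can be tied to this login."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": MINIMAL_SCOPE,
        "state": state,
        "response_type": "code",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def callback_is_valid(expected_state: str, returned_state: str) -> bool:
    """Reject callbacks whose state does not match the session (CSRF /
    login injection); constant-time compare avoids leaking the value."""
    return hmac.compare_digest(expected_state, returned_state)


def minimal_identity(me_response_json: str) -> dict:
    """Keep only identity fields from the /v1/me body and discard the rest,
    so the server never stores more than the login feature needs."""
    body = json.loads(me_response_json)
    if "id" not in body:
        raise ValueError("response lacks a user id")
    return {key: body[key] for key in IDENTITY_FIELDS if key in body}


# Constructed sample /v1/me body (values made up for this example).
SAMPLE_ME = json.dumps({"id": "12345", "email": "designer@example.com",
                        "handle": "designer", "img_url": "https://example.com/a.png"})
```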

Thanks James,

Looking forward to this being released!

Hello,

Not trying to be too pushy, just wondering if we could get some information about expected release of this IMO critical change.
Is this a ‘definitely coming next month’ kinda thing, or a ‘maybe try next year’ kinda thing?

Apologies that I keep bumping this, but we keep having users stop our onboarding process because “I’m worried about my data privacy giving away all these permissions to this plugin”.

Any update please? I cannot imagine this taking longer than 15 minutes for someone to add an additional permission flag.

The screenshot from the docs seems to be impossible to achieve? files:read grants way more permissions than that screenshot shows. Please just add a ‘user’ permission, all I need is that user id and email.
