Is it guaranteed that all personal access tokens start with `figd_`?

Hi.

I’m developing our company’s design system library, where we’re using Figma REST API.

We’re considering introducing some tools like secretlint, so that we can prevent mistakenly committing credentials like Figma’s personal access tokens.

So we need to know what patterns the tokens are following. It seems they usually start with the prefix figd_, but I’m not sure they are always so.

Is it guaranteed that all personal access tokens start with `figd_`? Or are there any other rules of format that access tokens are following?

I looked around in https://www.figma.com/developers/api#access-tokens but could not find any information about it (is it documented somewhere?).

Personal access tokens are unique. Why did you decide that tokens should start with figd_?

Not that I want them to start with the prefix; they currently seem to do so and I would like to know whether it’s a kind of specification.

You can generate personal access tokens over and over here (https://www.figma.com/developers/api#access-tokens) and you will see they always start with `figd_`.

The previously created personal access tokens had no prefixes. So, if today Figma generates a token with the figd_ prefix, this does not guarantee that it will not change in the future.

I still have an old personal token that doesn’t have this structure. But that was a recent change in how tokens work and are issued. So it could be that the structure is now set like this and will not change in the foreseeable future, but only the Figma team can answer this for sure in terms of what their intentions are with the current structure.

Thank you for sharing @tank666 @Gleb .

So it seems that detecting access tokens with something like `/^figd_/` would not work perfectly in terms of preventing leakage (if you happen to use older tokens).

And yes, only the Figma team could give a further answer to this question, if they consider this a long-term specification.
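A pre-commit-style scanner in the spirit of the secretlint setup discussed in this thread, added here as an example and not code from the thread or from Figma: it flags the `figd_` prefix form and, for the older unprefixed tokens mentioned above, falls back to an entropy check on quoted values assigned to Figma-named variables. The token body character class and minimum length, the variable-name convention and the entropy threshold are assumptions (Figma does not document them on the page), and the sample lines are constructed.

```python
import math
import re
from collections import Counter

# Prefix form observed in the thread. The body character class and the
# minimum body length (20) are assumptions, not a documented Figma format.
PREFIXED = re.compile(r"figd_[A-Za-z0-9_-]{20,}")

# Fallback for older, unprefixed tokens: a Figma-named variable assigned a
# quoted literal of at least 16 characters. The naming convention is assumed.
ASSIGNED = re.compile(
    r"(?i)\bfigma[a-z_]*(?:token|pat|secret)\b\s*[:=]\s*['\"]([^'\"]{16,})['\"]"
)


def shannon_entropy(s):
    """Bits per character of s; random-looking secrets score high."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_lines(lines, entropy_threshold=3.5):
    """Return (line_number, reason, value) for each suspected token.

    The prefix rule is exact; the entropy rule only runs on values that the
    prefix rule did not already cover, so each secret is reported once.
    """
    findings = []
    for lineno, line in enumerate(lines, 1):
        for m in PREFIXED.finditer(line):
            findings.append((lineno, "figd_ prefix", m.group(0)))
        for m in ASSIGNED.finditer(line):
            value = m.group(1)
            if PREFIXED.fullmatch(value):
                continue  # already reported above
            if shannon_entropy(value) >= entropy_threshold:
                findings.append((lineno, "high-entropy figma assignment", value))
    return findings


# Constructed sample lines; none of these are real tokens.
SAMPLE = [
    'export FIGMA_TOKEN="figd_EXAMPLEexampleEXAMPLE0123456789"',  # prefixed form
    'figma_pat: "oldstyle-constructed-value-AbCdEf0123"',         # unprefixed, random-looking
    'figma_token = "aaaaaaaaaaaaaaaaaaaa"',                       # placeholder, low entropy
    'figma_file_key = "constructed-not-a-secret"',                # not a token variable
]

if __name__ == "__main__":
    for lineno, reason, value in scan_lines(SAMPLE):
        print(f"line {lineno}: {reason}: {value}")
```

Run it against `git diff --cached` output (or wire it into a pre-commit hook) to stop both token shapes before they are committed.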

Note that you need to have generated these tokens and kept using them actively. If the tokens were generated and were not used in the specific 1-month window during the transition to the new system, such old tokens are not functional after the update. So there aren’t many such tokens left.
