I’m developing our company’s design system library, where we’re using Figma REST API.
We’re considering introducing tools like secretlint, so that we can prevent mistakenly committing credentials like Figma’s personal access tokens.
So we need to know what patterns the tokens follow. It seems they usually start with the prefix figd_, but I’m not sure that is always the case.
Is it guaranteed that all personal access tokens start with figd_? Or are there other format rules that access tokens follow?
The previously created personal access tokens had no prefixes. So, if today Figma generates a token with the figd_ prefix, this does not guarantee that it will not change in the future.
I still have an old personal token that doesn’t have this structure. But that was a recent change in how tokens work and are issued. So it could be that the structure is now set like this and will not change in the foreseeable future, but only the Figma team can answer this for sure in terms of what their intentions are with the current structure.
So it seems that detecting access tokens with something like /^figd_/ would not work perfectly in terms of preventing leakage (if you happen to use older tokens).
And yes, only the Figma team could give a further answer to this question, i.e. whether they consider this a long-term specification.
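To illustrate the gap discussed in this thread, here is an added example (it is not from this forum post, from Figma, or from secretlint’s own rule API): a small scanner that catches figd_-prefixed tokens by shape and falls back to a context heuristic for legacy tokens that have no prefix. The minimum token length, the variable-name pattern and the sample lines are assumptions constructed for the demo.

```javascript
// Added example (not from this thread, Figma or secretlint): a minimal
// pre-commit style scanner for Figma personal access tokens.
// Assumptions: new tokens look like "figd_" followed by at least 20 URL-safe
// characters; legacy tokens have no prefix, so they can only be caught by
// context (a Figma-related variable name assigned a long opaque string).

// New-style tokens are recognised by shape alone.
const PREFIXED_TOKEN = /\bfigd_[A-Za-z0-9_-]{20,}\b/g;

// Legacy fallback: heuristic, so expect some false positives to review by hand.
const CONTEXT_TOKEN =
  /\bfigma[_-]?(?:token|pat|access[_-]?token)\b\s*[:=]\s*["']?([A-Za-z0-9_-]{20,})["']?/gi;

// Keep findings safe to print in CI logs: never echo the full secret.
function redact(secret) {
  return secret.slice(0, 6) + "..." + secret.slice(-2);
}

function scanForFigmaTokens(text) {
  const findings = [];
  text.split("\n").forEach((line, idx) => {
    for (const m of line.matchAll(PREFIXED_TOKEN)) {
      findings.push({ line: idx + 1, kind: "prefixed", secret: redact(m[0]) });
    }
    for (const m of line.matchAll(CONTEXT_TOKEN)) {
      // A prefixed token on this line was already reported above.
      if (!m[1].startsWith("figd_")) {
        findings.push({ line: idx + 1, kind: "context", secret: redact(m[1]) });
      }
    }
  });
  return findings;
}

// Constructed sample input; none of these are real tokens.
const SAMPLE = [
  "FIGMA_TOKEN=figd_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123",        // new-style, caught by shape
  'figma_access_token: "0123456789abcdef0123456789abcdef"', // legacy, caught by context only
  'const color = "#figd_1234";',                            // too short to be a token
  'github_token = "ghp_notafigmatoken0123456789"',          // different vendor, ignored
].join("\n");

console.log(scanForFigmaTokens(SAMPLE));
```

The context rule is what /^figd_/ alone would miss; it trades some false positives for coverage of the older, unprefixed tokens.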
Note that you need to have generated these tokens and kept using them actively. If the tokens were generated and were not used in the specific 1-month window during the transition to the new system, such old tokens are not functional after the update. So there aren’t many such tokens left.