GET image Filesecurity

@JochenLeinberger_ESD can you provide more details on what you’re looking to achieve? We’ve touched base with the teams that work on the API, and it would be helpful to have more context + specific example scenarios you’d like to address.

@ksn thnx for your support!

I am working on a system to export assets into our production system as part of our CI/CD pipeline. The assets (images / icons etc.) are confidential and should not be accessibal for anyone without permission. The process looks like that:

1. Get a list of all Frames on a Board using the GET File API. This Endpoint is secured via the Figma Access token.
2. Export all Frames to images using the GET image endpoint. While this Endpoint is secured the response JSON contains the actual download link to the file. i.e.

  {
    '8:7': 'https://figma-alpha-api.s3.us-west-2.amazonaws.com/images/XXX-YYY-ZZZ-YYY'
  }

While all API Endpoints are secured the download link to the File found in the response JSON itself is unsecured. This is the actual problem.

The reason is everyone who might get to know the image url has access to the confidential assets, which does not comply with my company guidelines to handle confidential data. Therefore I can’t make use of the Get File Image API as of today.

A simple solution would be to restrict downloading the file for authenticated users only. I.e. by requesting the Figma authentication Token as for the other Endpoints, or by a similar mechanism.

@ksn are there any updates on that topic. is that something which will eventually adressed, or is the Figame REST API considered unsafe by definition and should not be used for confidential Assets?