
feat: support OAuth2 access tokens in addition to PATs#371

Open: rvetere wants to merge 1 commit into figma:main from rvetere:fix/oauth2-token-support


Conversation

@rvetere commented Mar 4, 2026

Summary

The CLI currently hardcodes the X-Figma-Token header for all API requests, which only works with Personal Access Tokens (PATs). OAuth2 access tokens (prefixed with figu_) require the Authorization: Bearer header instead (Figma auth docs).

This change detects OAuth2 tokens by their prefix and uses the correct header, while keeping PATs working exactly as before.

Changes

  • cli/src/connect/figma_rest_api.ts: Updated getHeaders() to detect OAuth2 tokens by their figu_ prefix and use Authorization: Bearer instead of X-Figma-Token
  • cli/src/connect/wizard/run_wizard.ts: Replaced duplicated inline header construction with the shared getHeaders() function

Context

Organizations managing Figma tokens centrally via OAuth2 apps cannot use Code Connect today — the CLI always sends X-Figma-Token, which Figma rejects for OAuth2 tokens with 403 Invalid token. This forces every developer to generate individual Personal Access Tokens, defeating the purpose of the OAuth2 app.

Related issue: #370

Testing

Verified locally using yarn patch against v1.4.1:

  • Before patch: 403 Invalid token when using OAuth2 token
  • After patch: Validation and GET requests succeed with OAuth2 token (confirming the token is valid and the header fix works)

Note: There is a separate server-side issue where POST /v1/code_connect rejects OAuth2 tokens with 403 Invalid scope(s) even when the OAuth2 app has file_code_connect:write configured. This PR fixes the CLI side; the API side needs a server-side fix (tracked in the linked issue).

The CLI currently hardcodes the `X-Figma-Token` header for all API
requests, which only works with Personal Access Tokens. OAuth2 access
tokens (prefixed with `figu_`) require the `Authorization: Bearer`
header instead.

This change detects OAuth2 tokens by their prefix and uses the correct
header, while keeping PATs working as before.

Also consolidates the duplicated header construction in run_wizard.ts
to use the shared `getHeaders()` function.

See: https://developers.figma.com/docs/rest-api/authentication/
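The header selection described in the PR above, as an added example rather than the CLI's own getHeaders() from figma_rest_api.ts: it applies the same prefix rule (figu_ means OAuth2, anything else is treated as a PAT) and returns exactly one auth header. The function and type names are assumptions, as are the empty-token check and the log-redaction helper, which the PR does not describe.

```typescript
// Added example, not the Code Connect CLI's code. Names are assumptions.
type FigmaTokenKind = "oauth2" | "pat";

// Prefix the PR states for OAuth2 access tokens.
const OAUTH2_PREFIX = "figu_";

/** Classify a token by prefix only (the PR's heuristic); no network call. */
function classifyFigmaToken(token: string): FigmaTokenKind {
  return token.startsWith(OAUTH2_PREFIX) ? "oauth2" : "pat";
}

/**
 * Build the auth header for a Figma REST request.
 * Returns exactly one of the two headers so a request never carries both.
 * Rejects blank tokens up front: a blank header would only surface later as
 * a confusing 403 from the server.
 */
function buildFigmaAuthHeaders(rawToken: string): Record<string, string> {
  const token = rawToken.trim();
  if (token.length === 0) {
    throw new Error("Figma token is empty");
  }
  return classifyFigmaToken(token) === "oauth2"
    ? { Authorization: `Bearer ${token}` }
    : { "X-Figma-Token": token };
}

/** Redact a token for log output so neither PATs nor OAuth2 tokens leak. */
function redactToken(token: string): string {
  const kind = classifyFigmaToken(token);
  const visible = kind === "oauth2" ? OAUTH2_PREFIX : "";
  return `${visible}...(${kind}, ${token.length} chars)`;
}

// Constructed sample tokens (not real credentials).
const sampleTokens = ["figu_constructedOAuthToken", "constructed-pat-value"];
for (const t of sampleTokens) {
  console.log(redactToken(t), buildFigmaAuthHeaders(t));
}
```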