Skip to main content
Figma The Figma connector exposes the Figma design platform REST API to Agent Factory agents (through MCP) and to Builder automations (through the Figma.op: App instructions) — covering files, nodes, rendered images, comments, projects, components, styles, webhooks, variables, dev resources and library analytics. The 46 Figma operations are grouped into 13 entity tools, each driven by an action argument. The MCP server runs in the tenant app-instance context: it resolves the installing workspace’s own credentials and authorizes the calling agent against that workspace’s allowlist. Authentication is per-user and supports several modes:
  • Per-user OAuth2 — central client (oauthCentral, recommended) — one Figma OAuth application is registered once by the platform maintainer; every end user signs in with their own Figma account. Nothing to register per workspace: each one just installs the app and clicks Connect.
  • Per-user OAuth2 — tenant client (oauth) — paste your own Figma OAuth client ID/secret in the connector config app. Each user signs in with their own account against your client (authorization-code + PKCE flow).
  • Direct access token (accessToken) — a caller-managed Figma token (e.g. a Personal Access Token), used as-is with no exchange.

Design Files

Files, nodes, rendered images, version history, components and styles

Collaboration

Comments, reactions, dev resources, webhooks and library analytics

Per-user auth

Per-user OAuth (central or tenant client) resolved server-side, or a direct access token

Who is this for?

This connector is used by three different roles. Jump to the section that matches yours — each one is self-contained.

Agent builder

You build agents in Agent Factory and want them to use Figma. → Agent builder tab.

Platform admin

You run the platform and set up the shared Figma OAuth client once for everyone. → Platform admin setup accordion below.

Workspace builder

You write Builder automations (DSUL) that call Figma operations directly. → Workspace builder tab.

Prerequisites

  • A Figma account.
  • For the OAuth modes — a Figma OAuth application created at Figma > Developers > My apps (https://www.figma.com/developers/apps); copy its Client ID and Client Secret. The platform maintainer registers one app for the central mode; a workspace can also register its own for the tenant mode.
  • For the access-token mode — a Personal Access Token created at Figma > Settings > Security > Personal access tokens (https://www.figma.com/developers/api#access-tokens) with the scopes the operations you call require.
  • The default OAuth scopes requested are:
    current_user:read file_content:read file_metadata:read file_versions:read file_comments:read projects:read
    
    Add file_variables:read / file_variables:write (variables), library_analytics:read (library analytics) or org:activity_log_read (activity logs, Enterprise) when your agents need those endpoints.
  • Base URL: https://api.figma.com — paths already include /v1 or /v2.
Figma variables, dev resources and library analytics are gated by plan tier (Enterprise / Organization). The connector exposes them, but the Figma API returns 403 if your account or token is not entitled.
Goal: two one-time tasks — (1) configure the shared central OAuth client so every workspace lets its users sign in with their own Figma account, and (2) optionally expose Figma as a reusable capability in AI Governance so agent builders can pick it without pasting endpoint URLs. Throughout, <api-url> is your environment’s API URL (https://api.studio.prisme.ai/v2 on production).

1. Configure the connector

1

Register the OAuth application at Figma

Open https://www.figma.com/developers/apps and create a new app. Set the single authorized redirect URI (callback URL) to the core workspace callback:
<api-url>/workspaces/slug:figma/webhooks/oauthCallback
(e.g. https://api.studio.prisme.ai/v2/workspaces/slug:figma/webhooks/oauthCallback on production). Add the scopes listed in Prerequisites. Save and copy the Client ID and Client Secret (the secret is shown only once).
2

Enter the credentials through the configuration app

Open the central figma workspace and launch its Configuration app<studio>/apps/figma (e.g. https://studio.prisme.ai/apps/figma). Loaded from the core workspace, the app shows the maintainer view (org owner / editor / admin only); paste the Client ID and Client Secret there and Save — the app stores them in the core workspace’s secrets for you. Do not edit Studio’s raw Secrets by hand. These credentials stay in the figma workspace and are never exposed to tenants or end users; token exchange is proxied through the core centralTokenExchange webhook so the client secret never leaves the core workspace.
3

Tell workspaces to use the central client

Each consuming workspace selects auth mode oauthCentral in the connector configuration app (no client id/secret to enter on their side). Their users then just click Connect.
4

(Optional) Publish to the Capabilities catalog

From that same maintainer view, the Add to catalog button publishes Figma to the org-wide Capabilities catalog in one click (org owner / admin only; it stays disabled until the central client is saved). Once published, every agent builder in the org can enable Figma from the catalog without pasting an endpoint — see Option A in the Agent builder tab.

2. Declare the capability in AI Governance

As an alternative to (or in addition to) the catalog button, you can declare Figma as a named capability in AI Governance. Agent builders then enable that capability on their agents instead of pasting a raw MCP endpoint.
1

Open AI Governance > Capabilities

Create (or edit) the Figma capability.
2

Point it at the MCP endpoint

Set the capability’s MCP server URL to the connector’s MCP Endpoint, and set its Scope to:
context_id,agent_id,user_id
The agent_id in the scope is what lets the connector identify and authorize the calling agent.
3

Make it available to agent builders

Once created, the capability appears in the capability picker for agent builders in your organization, who enable it on their agents. Access to the catalog follows your organization’s existing roles; there is no per-capability role grant.
4

Smoke-test

From an agent that has the capability, in a workspace configured for oauthCentral, trigger any tool (e.g. users with action: "getMe"). The user is prompted to connect once (Figma sign-in); subsequent calls reuse the stored token transparently and refresh it automatically.
Declaring the capability makes the connector available; it does not by itself authorize a specific agent. This connector follows the tenant-context model — which agents may actually call it is gated per-workspace by the authorized-agents allowlist in the configuration app (see the Workspace builder tab). There is also no OAuth auth-config JSON to attach in Governance: connect / status / disconnect are handled by the connector’s own webhooks, wired automatically.

Agent builder

Goal: let an agent you build in Agent Factory use Figma through MCP tools.
Before an agent can call the connector, a Workspace builder must have installed and configured the Figma app in a workspace (see the Workspace builder tab), and — for the central OAuth mode — a Platform admin must have provisioned the shared OAuth client (see the Platform admin setup accordion above).
This connector runs in the tenant app-instance context: your agent is authorized two ways at once — it is identified by the agent_id that Agent Factory injects through the capability Scope, and that agent must appear in the connector’s authorized-agents allowlist (managed in the configuration app). The Figma access token itself is resolved server-side from the configured auth mode.There are two ways to wire it up. Pick based on how much isolation you need.

Option A — Enable the shared capability from the catalog

The fastest path: a Platform admin has already published a Figma capability to the Capabilities catalog (see the Platform admin setup accordion above — the Add to catalog button, or §2), so you just pick it from the catalog.
1

Open your agent in Agent Factory

Open the agent you want to extend and go to its capabilities / tools.
2

Add the Figma capability

Browse the capability catalog, select Figma, and enable it. The MCP endpoint URL and the Scope (context_id,agent_id,user_id) are already wired by the admin — nothing to paste, and the shared instance accepts every agent, so there is no allowlist step on your side.
3

Connect a Figma account

On the first tool call, an unconnected user is prompted to sign in — Agent Factory surfaces a connect_url to Figma’s authorization page. After sign-in the per-user token is stored and reused on subsequent calls.
Convenient, but your agent runs against a shared, platform-managed instance: its Figma credentials are owned by someone else and the instance accepts every agent that is granted the capability. Prefer Option B for anything beyond quick experiments.
For production agents, install the connector in your own workspace and point the agent at that workspace’s MCP endpoint.
Prefer this mode for security. Because the MCP runs in your app-instance context, the Figma credentials, the per-user OAuth tokens and the authorized-agents allowlist are all scoped to your workspace — not shared platform-wide. You decide exactly which agents may call it and which Figma account / auth mode backs them, and a misconfiguration elsewhere can never expose your data. The shared catalog capability (Option A) is a broad surface many agents can reach; your own workspace is an isolated, least-privilege boundary.
1

Install and configure the connector in your workspace

Follow the Workspace builder tab: install Figma in your workspace, open its Configuration app, choose the auth mode and connect a Figma account.
2

Allowlist your agent

In that workspace’s config app, open Authorized agents and tick your agent (the Install capability button does this for you), or enable Allow all agents.
3

Add the MCP capability to your agent

In your agent, add a capability pointing at your workspace’s MCP Endpoint URL, and set its Scope to:
context_id,agent_id,user_id
The agent_id is what lets the connector identify and authorize your agent — without it, every call is rejected with an explicit “agent could not be identified” message. This Scope is separate from the Figma OAuth scopes.
4

Connect a Figma account

On the first tool call, the user is prompted to sign in (or uses Connect in the config app). The per-user token is stored and reused; refresh is automatic.

Brief the agent in its system prompt

Whichever option you pick, wiring the capability is not enough — the agent must know the connector exists and when to reach for it. Add a short paragraph to the agent’s system prompt. Copy-pasteable starter:
You have access to the Figma MCP server. Use it whenever the user asks about Figma content — files, nodes, rendered images, comments, projects, components, styles, webhooks, variables or library analytics. Examples: "Summarize the comments on this Figma file", "Render the hero frame as a PNG", "List the published components in our design system". Each tool is an entity that takes an `action` argument. Prefer calling tools over guessing, and confirm with the user before any destructive action (delete a comment, delete a webhook, modify variables).
Refine the trigger keywords (file keys, team names, component conventions) so the agent reliably picks up the right intent in your context.
Legacy AI Knowledge agents (no native MCP picker): add the connector under Advanced > Tools > MCP and paste the MCP Endpoint URL. The agent still has to be allowlisted in the config app and its identity propagated so the connector can read its agent_id.
Read-only by design. Figma tools are read-only: the connector requests only *:read scopes (current_user:read file_content:read file_metadata:read file_versions:read file_comments:read projects:read) and exposes no write operation. Write-capable scopes (e.g. file_variables:write) are never obtained unless you explicitly add them to the Scopes field in the configuration app. No action is needed to keep this connector least-privilege.

Available Tools

Each tool is an entity. Pass the action argument to select the operation, plus the parameters that operation needs.
ToolActionsDescription
filesget, getNodes, getMeta, getVersionsFigma files — read document JSON, nodes, metadata and version history.
imagesrender, getFillsRender images of Figma nodes and fetch image-fill download links.
commentslist, create, delete, listReactions, addReaction, deleteReactionComments and comment reactions on a Figma file.
projectslistByTeam, listFilesFigma team projects and the files they contain.
componentslistByTeam, listByFile, get, listSetsByTeam, listSetsByFile, getSetPublished components and component sets (file- or team-level).
styleslistByTeam, listByFile, getPublished styles (file- or team-level).
usersgetMeThe authenticated Figma user.
webhookslist, create, get, update, delete, listByTeam, getRequestsFigma webhooks v2 — subscribe to file and library events.
variablesgetLocal, getPublished, modifyFigma variables (Enterprise) — local, published and bulk modify.
devResourceslist, create, update, deleteDev resources (Dev Mode links) attached to files.
analyticscomponentActions, componentUsages, styleActions, styleUsages, variableActions, variableUsagesLibrary analytics — component, style and variable actions and usages.
activityLogslistOrganization activity logs (Enterprise / org-scoped token).
embedgetoEmbed metadata for a public Figma URL.

Output Formats

Every tool accepts an outputFormat parameter that controls the MCP response shape:
  • verbose (default) — human-readable text for LLM consumption
  • structured — machine-readable JSON in structuredContent
  • both — both text and structured content

Tool Details

files

Read document data for a file. The action selects what to return.
{
  "name": "files",
  "arguments": {
    "action": "get",
    "file_key": "omLm4Pdg2a3BzTKU8EcDo7",
    "depth": 1
  }
}
ParameterRequiredDescription
actionYesget, getNodes, getMeta or getVersions
file_keyYesFile key from the Figma file URL (figma.com/design/<file_key>/...)
idsFor getNodesComma-separated node ids
depthNoTree traversal depth (limits the document JSON size)
versionNoSpecific file version id (defaults to current)
geometryNoSet to paths to export vector geometry

comments

List, create and delete comments and reactions on a file.
{
  "name": "comments",
  "arguments": {
    "action": "create",
    "file_key": "omLm4Pdg2a3BzTKU8EcDo7",
    "message": "Please review the updated hero section."
  }
}
ParameterRequiredDescription
actionYeslist, create, delete, listReactions, addReaction, deleteReaction
file_keyYesTarget file key
messageFor createComment text
comment_idFor delete / reactions / a replyTarget comment id
emojiFor addReaction / deleteReactionEmoji shortcode, e.g. :eyes:
client_metaNoPin location for the comment ({x, y} vector or frame offset)

images

Render nodes as images, or fetch the download links of a file’s image fills.
{
  "name": "images",
  "arguments": {
    "action": "render",
    "file_key": "omLm4Pdg2a3BzTKU8EcDo7",
    "ids": "1:23,1:45",
    "format": "png",
    "scale": 2
  }
}
ParameterRequiredDescription
actionYesrender or getFills
file_keyYesTarget file key
idsFor renderComma-separated node ids to render
formatNojpg, png, svg or pdf
scaleNoRender scale, 0.014

webhooks

Manage Figma v2 webhooks subscribing to file and library events.
{
  "name": "webhooks",
  "arguments": {
    "action": "create",
    "event_type": "FILE_UPDATE",
    "context": "file",
    "context_id": "omLm4Pdg2a3BzTKU8EcDo7",
    "endpoint": "https://example.com/figma-hook",
    "passcode": "a-shared-secret"
  }
}
ParameterRequiredDescription
actionYeslist, create, get, update, delete, listByTeam, getRequests
event_typeFor createe.g. FILE_UPDATE, FILE_COMMENT, LIBRARY_PUBLISH
endpointFor createHTTPS endpoint that receives webhook events
passcodeFor createShared secret sent with each event
context / context_idNoScope the webhook to a team, project or file
webhook_idFor get / update / delete / getRequestsTarget webhook id

components

Browse published components and component sets at file or team level.
{
  "name": "components",
  "arguments": {
    "action": "listByTeam",
    "team_id": "1303310645528056530"
  }
}
ParameterRequiredDescription
actionYeslistByTeam, listByFile, get, listSetsByTeam, listSetsByFile, getSet
team_idFor team-level actionsFigma team id
file_keyFor file-level actionsTarget file key
keyFor get / getSetPublished component / component set key

Error Handling

HTTP StatusErrorSolution
400Bad requestCheck argument shapes (node ids, dates, enum values)
401UnauthorizedSign in again (OAuth modes), or verify the access token
403ForbiddenThe token lacks the required scope or plan entitlement — Figma names the missing scope in the error message
404Not FoundVerify the file_key, team_id, project_id or resource id
429Rate LimitedFigma throttles per token; back off and retry
500Server ErrorTransient Figma issue; retry after a few seconds

Common Issues

“This agent is not authorized to use this connector” — The calling agent is not in the allowlist. Open the configuration app → Authorized agents → tick this agent (id is shown in the error) or enable Allow all agents, and Save. The Install capability button does this for you. “The calling agent could not be identified” — The MCP capability Scope does not declare agent_id, so Agent Factory never injects the agent identity. Set the Scope to context_id,agent_id,user_id on the capability (this is separate from the Figma OAuth scopes), then allow the agent in the config app. “Figma is not connected for this user” — No per-user OAuth token is stored for the caller. Open the configuration app (OAuth mode) and click Connect, or use the agent’s connect flow. “Figma token refresh failed … must reconnect” — The stored refresh token was rejected by Figma (revoked / expired). The connection is dropped automatically; the user must reconnect from the config app. “Figma OAuth is not configured” — Neither a tenant OAuth client nor the central platform client is available. Set the OAuth client ID/secret in the config app (tenant mode), or ask the platform maintainer to provision the central OAuth client from the core workspace’s config app. Activity logs require OAuthgetActivityLogs (the activityLogs tool) only accepts an OAuth bearer token with org:activity_log_read; a plain access token without that scope is rejected. This endpoint is Enterprise-only. No token revocation — Figma has no token-revocation endpoint, so disconnecting deletes the stored tokens on Prisme.ai’s side rather than revoking them at Figma.

External Resources

Figma REST API

Official Figma REST API reference

Tool Agents

Learn how Agent Factory agents consume MCP tools in Prisme.ai.