Figma.op: App instructions) — covering files, nodes, rendered images, comments, projects, components, styles, webhooks, variables, dev resources and library analytics. The 46 Figma operations are grouped into 13 entity tools, each driven by an action argument. The MCP server runs in the tenant app-instance context: it resolves the installing workspace’s own credentials and authorizes the calling agent against that workspace’s allowlist. Authentication is per-user and supports several modes:
- Per-user OAuth2 — central client (
oauthCentral, recommended) — one Figma OAuth application is registered once by the platform maintainer; every end user signs in with their own Figma account. Nothing to register per workspace: each one just installs the app and clicks Connect. - Per-user OAuth2 — tenant client (
oauth) — paste your own Figma OAuth client ID/secret in the connector config app. Each user signs in with their own account against your client (authorization-code + PKCE flow). - Direct access token (
accessToken) — a caller-managed Figma token (e.g. a Personal Access Token), used as-is with no exchange.
Design Files
Files, nodes, rendered images, version history, components and styles
Collaboration
Comments, reactions, dev resources, webhooks and library analytics
Per-user auth
Per-user OAuth (central or tenant client) resolved server-side, or a direct access token
Who is this for?
This connector is used by three different roles. Jump to the section that matches yours — each one is self-contained.Agent builder
You build agents in Agent Factory and want them to use Figma. → Agent builder tab.
Platform admin
You run the platform and set up the shared Figma OAuth client once for everyone. → Platform admin setup accordion below.
Workspace builder
You write Builder automations (DSUL) that call Figma operations directly. → Workspace builder tab.
Prerequisites
- A Figma account.
-
For the OAuth modes — a Figma OAuth application created at Figma > Developers > My apps (
https://www.figma.com/developers/apps); copy its Client ID and Client Secret. The platform maintainer registers one app for the central mode; a workspace can also register its own for the tenant mode. -
For the access-token mode — a Personal Access Token created at Figma > Settings > Security > Personal access tokens (
https://www.figma.com/developers/api#access-tokens) with the scopes the operations you call require. -
The default OAuth scopes requested are:
Add
file_variables:read/file_variables:write(variables),library_analytics:read(library analytics) ororg:activity_log_read(activity logs, Enterprise) when your agents need those endpoints. -
Base URL:
https://api.figma.com— paths already include/v1or/v2.
Figma variables, dev resources and library analytics are gated by plan tier (Enterprise / Organization). The connector exposes them, but the Figma API returns
403 if your account or token is not entitled.Platform admin (Governance) — one-time platform setup
Platform admin (Governance) — one-time platform setup
Goal: two one-time tasks — (1) configure the shared central OAuth client so every workspace lets its users sign in with their own Figma account, and (2) optionally expose Figma as a reusable capability in AI Governance so agent builders can pick it without pasting endpoint URLs. Throughout,
<api-url> is your environment’s API URL (https://api.studio.prisme.ai/v2 on production).1. Configure the connector
Register the OAuth application at Figma
Open (e.g.
https://www.figma.com/developers/apps and create a new app. Set the single authorized redirect URI (callback URL) to the core workspace callback:https://api.studio.prisme.ai/v2/workspaces/slug:figma/webhooks/oauthCallback on production). Add the scopes listed in Prerequisites. Save and copy the Client ID and Client Secret (the secret is shown only once).Enter the credentials through the configuration app
Open the central
figma workspace and launch its Configuration app — <studio>/apps/figma (e.g. https://studio.prisme.ai/apps/figma). Loaded from the core workspace, the app shows the maintainer view (org owner / editor / admin only); paste the Client ID and Client Secret there and Save — the app stores them in the core workspace’s secrets for you. Do not edit Studio’s raw Secrets by hand. These credentials stay in the figma workspace and are never exposed to tenants or end users; token exchange is proxied through the core centralTokenExchange webhook so the client secret never leaves the core workspace.Tell workspaces to use the central client
Each consuming workspace selects auth mode
oauthCentral in the connector configuration app (no client id/secret to enter on their side). Their users then just click Connect.(Optional) Publish to the Capabilities catalog
From that same maintainer view, the Add to catalog button publishes Figma to the org-wide Capabilities catalog in one click (org owner / admin only; it stays disabled until the central client is saved). Once published, every agent builder in the org can enable Figma from the catalog without pasting an endpoint — see Option A in the Agent builder tab.
2. Declare the capability in AI Governance
As an alternative to (or in addition to) the catalog button, you can declare Figma as a named capability in AI Governance. Agent builders then enable that capability on their agents instead of pasting a raw MCP endpoint.Point it at the MCP endpoint
Set the capability’s MCP server URL to the connector’s MCP Endpoint, and set its Scope to:The
agent_id in the scope is what lets the connector identify and authorize the calling agent.Make it available to agent builders
Once created, the capability appears in the capability picker for agent builders in your organization, who enable it on their agents. Access to the catalog follows your organization’s existing roles; there is no per-capability role grant.
- Agent builder (Agent Factory)
- Workspace builder (DSUL)
Agent builder
Goal: let an agent you build in Agent Factory use Figma through MCP tools.Before an agent can call the connector, a Workspace builder must have installed and configured the Figma app in a workspace (see the Workspace builder tab), and — for the central OAuth mode — a Platform admin must have provisioned the shared OAuth client (see the Platform admin setup accordion above).
agent_id that Agent Factory injects through the capability Scope, and that agent must appear in the connector’s authorized-agents allowlist (managed in the configuration app). The Figma access token itself is resolved server-side from the configured auth mode.There are two ways to wire it up. Pick based on how much isolation you need.Option A — Enable the shared capability from the catalog
The fastest path: a Platform admin has already published a Figma capability to the Capabilities catalog (see the Platform admin setup accordion above — the Add to catalog button, or §2), so you just pick it from the catalog.Open your agent in Agent Factory
Open the agent you want to extend and go to its capabilities / tools.
Add the Figma capability
Browse the capability catalog, select Figma, and enable it. The MCP endpoint URL and the Scope (
context_id,agent_id,user_id) are already wired by the admin — nothing to paste, and the shared instance accepts every agent, so there is no allowlist step on your side.Convenient, but your agent runs against a shared, platform-managed instance: its Figma credentials are owned by someone else and the instance accepts every agent that is granted the capability. Prefer Option B for anything beyond quick experiments.
Option B — Run it from your own workspace (recommended)
For production agents, install the connector in your own workspace and point the agent at that workspace’s MCP endpoint.Install and configure the connector in your workspace
Follow the Workspace builder tab: install Figma in your workspace, open its Configuration app, choose the auth mode and connect a Figma account.
Allowlist your agent
In that workspace’s config app, open Authorized agents and tick your agent (the Install capability button does this for you), or enable Allow all agents.
Add the MCP capability to your agent
In your agent, add a capability pointing at your workspace’s MCP Endpoint URL, and set its Scope to:The
agent_id is what lets the connector identify and authorize your agent — without it, every call is rejected with an explicit “agent could not be identified” message. This Scope is separate from the Figma OAuth scopes.Brief the agent in its system prompt
Whichever option you pick, wiring the capability is not enough — the agent must know the connector exists and when to reach for it. Add a short paragraph to the agent’s system prompt. Copy-pasteable starter:Legacy AI Knowledge agents (no native MCP picker): add the connector under Advanced > Tools > MCP and paste the MCP Endpoint URL. The agent still has to be allowlisted in the config app and its identity propagated so the connector can read its
agent_id.Read-only by design. Figma tools are read-only: the connector requests only
*:read scopes (current_user:read file_content:read file_metadata:read file_versions:read file_comments:read projects:read) and exposes no write operation. Write-capable scopes (e.g. file_variables:write) are never obtained unless you explicitly add them to the Scopes field in the configuration app. No action is needed to keep this connector least-privilege.Available Tools
Each tool is an entity. Pass theaction argument to select the operation, plus the parameters that operation needs.| Tool | Actions | Description |
|---|---|---|
files | get, getNodes, getMeta, getVersions | Figma files — read document JSON, nodes, metadata and version history. |
images | render, getFills | Render images of Figma nodes and fetch image-fill download links. |
comments | list, create, delete, listReactions, addReaction, deleteReaction | Comments and comment reactions on a Figma file. |
projects | listByTeam, listFiles | Figma team projects and the files they contain. |
components | listByTeam, listByFile, get, listSetsByTeam, listSetsByFile, getSet | Published components and component sets (file- or team-level). |
styles | listByTeam, listByFile, get | Published styles (file- or team-level). |
users | getMe | The authenticated Figma user. |
webhooks | list, create, get, update, delete, listByTeam, getRequests | Figma webhooks v2 — subscribe to file and library events. |
variables | getLocal, getPublished, modify | Figma variables (Enterprise) — local, published and bulk modify. |
devResources | list, create, update, delete | Dev resources (Dev Mode links) attached to files. |
analytics | componentActions, componentUsages, styleActions, styleUsages, variableActions, variableUsages | Library analytics — component, style and variable actions and usages. |
activityLogs | list | Organization activity logs (Enterprise / org-scoped token). |
embed | get | oEmbed metadata for a public Figma URL. |
Output Formats
Every tool accepts anoutputFormat parameter that controls the MCP response shape:verbose(default) — human-readable text for LLM consumptionstructured— machine-readable JSON instructuredContentboth— both text and structured content
Tool Details
files
Read document data for a file. Theaction selects what to return.| Parameter | Required | Description |
|---|---|---|
action | Yes | get, getNodes, getMeta or getVersions |
file_key | Yes | File key from the Figma file URL (figma.com/design/<file_key>/...) |
ids | For getNodes | Comma-separated node ids |
depth | No | Tree traversal depth (limits the document JSON size) |
version | No | Specific file version id (defaults to current) |
geometry | No | Set to paths to export vector geometry |
comments
List, create and delete comments and reactions on a file.| Parameter | Required | Description |
|---|---|---|
action | Yes | list, create, delete, listReactions, addReaction, deleteReaction |
file_key | Yes | Target file key |
message | For create | Comment text |
comment_id | For delete / reactions / a reply | Target comment id |
emoji | For addReaction / deleteReaction | Emoji shortcode, e.g. :eyes: |
client_meta | No | Pin location for the comment ({x, y} vector or frame offset) |
images
Render nodes as images, or fetch the download links of a file’s image fills.| Parameter | Required | Description |
|---|---|---|
action | Yes | render or getFills |
file_key | Yes | Target file key |
ids | For render | Comma-separated node ids to render |
format | No | jpg, png, svg or pdf |
scale | No | Render scale, 0.01–4 |
webhooks
Manage Figma v2 webhooks subscribing to file and library events.| Parameter | Required | Description |
|---|---|---|
action | Yes | list, create, get, update, delete, listByTeam, getRequests |
event_type | For create | e.g. FILE_UPDATE, FILE_COMMENT, LIBRARY_PUBLISH |
endpoint | For create | HTTPS endpoint that receives webhook events |
passcode | For create | Shared secret sent with each event |
context / context_id | No | Scope the webhook to a team, project or file |
webhook_id | For get / update / delete / getRequests | Target webhook id |
components
Browse published components and component sets at file or team level.| Parameter | Required | Description |
|---|---|---|
action | Yes | listByTeam, listByFile, get, listSetsByTeam, listSetsByFile, getSet |
team_id | For team-level actions | Figma team id |
file_key | For file-level actions | Target file key |
key | For get / getSet | Published component / component set key |
Error Handling
| HTTP Status | Error | Solution |
|---|---|---|
| 400 | Bad request | Check argument shapes (node ids, dates, enum values) |
| 401 | Unauthorized | Sign in again (OAuth modes), or verify the access token |
| 403 | Forbidden | The token lacks the required scope or plan entitlement — Figma names the missing scope in the error message |
| 404 | Not Found | Verify the file_key, team_id, project_id or resource id |
| 429 | Rate Limited | Figma throttles per token; back off and retry |
| 500 | Server Error | Transient Figma issue; retry after a few seconds |
Common Issues
“This agent is not authorized to use this connector” — The calling agent is not in the allowlist. Open the configuration app → Authorized agents → tick this agent (id is shown in the error) or enable Allow all agents, and Save. The Install capability button does this for you. “The calling agent could not be identified” — The MCP capability Scope does not declareagent_id, so Agent Factory never injects the agent identity. Set the Scope to context_id,agent_id,user_id on the capability (this is separate from the Figma OAuth scopes), then allow the agent in the config app.
“Figma is not connected for this user” — No per-user OAuth token is stored for the caller. Open the configuration app (OAuth mode) and click Connect, or use the agent’s connect flow.
“Figma token refresh failed … must reconnect” — The stored refresh token was rejected by Figma (revoked / expired). The connection is dropped automatically; the user must reconnect from the config app.
“Figma OAuth is not configured” — Neither a tenant OAuth client nor the central platform client is available. Set the OAuth client ID/secret in the config app (tenant mode), or ask the platform maintainer to provision the central OAuth client from the core workspace’s config app.
Activity logs require OAuth — getActivityLogs (the activityLogs tool) only accepts an OAuth bearer token with org:activity_log_read; a plain access token without that scope is rejected. This endpoint is Enterprise-only.
No token revocation — Figma has no token-revocation endpoint, so disconnecting deletes the stored tokens on Prisme.ai’s side rather than revoking them at Figma.
External Resources
Figma REST API
Official Figma REST API reference
Tool Agents
Learn how Agent Factory agents consume MCP tools in Prisme.ai.