The API Report CardAPI Index
Figma

Figma API

figma.com

Figma has a mature public REST API with an open-source OpenAPI spec, Webhooks V2, granular OAuth scopes, and an official MCP server. Tokens are self-serve on any plan. Rate limits are tiered by seat and plan, and Variables and Library Analytics are Enterprise-only.

Last verified: July 2026Software & Data Tools
API GRADE
A
VERIFIED JUL 2026

SCORECARD

ExistenceGOODMature REST API plus Plugin, Widget, and MCP surfaces; the OpenAPI spec is open source on GitHub.
AccessGOODSelf-serve PATs and OAuth apps on any plan; Variables, Library Analytics, and Activity Logs are Enterprise-gated.
CoverageGOODFiles, images, comments, projects, components, variables, and webhooks; REST is read-heavy, mutation lives in plugins.
AuthGOODThree token models: PATs, plan access tokens, and OAuth 2.0 with granular scopes replacing the old files:read.
Docs & DXGOODdevelopers.figma.com with an OpenAPI spec, TypeScript types, Webhooks V2 docs, and a huge plugin ecosystem.
StabilityGOODScope deprecation (files:read to finer grants) is underway with published guidance; endpoints are otherwise long-lived.
MORE FROM THE REPORT CARD
Supergood: Figma shipped a real API. Most vendors don't; we ship near-native APIs for the rest.

Frequently asked questions

Figma scores A on the API Report Card. Figma has a mature public REST API with an open-source OpenAPI spec, Webhooks V2, granular OAuth scopes, and an official MCP server. Tokens are self-serve on any plan. Rate limits are tiered by seat and plan, and Variables and Library Analytics are Enterprise-only.

Tried to integrate with Figma?
SOURCES
Free Starter plan restricts users to just **6 read-tool calls per month** for View/Collab seats, effectively unusable for any real integration on Starter developers.figma.com β†—
Pro plan users with Full seat still hit `X-Figma-Rate-Limit-Type: low` with multi-day `Retry-After` values on legitimate workloads forum.figma.com β†—
Tier-3 endpoints (Activity Logs, Components, Library Analytics) are capped at 10/min on Starter, 50/min on Pro, too slow for any meaningful org-wide analytics developers.figma.com β†—
Variables read/write API and Library Analytics are gated behind **Enterprise plan only**, locking out mid-market design-system tooling developers.figma.com β†—
Activity Logs require Enterprise plus the `org:activity_log_read` scope, most security/audit use cases are paywalled developers.figma.com β†—
`files:read` scope is being deprecated in favor of `file_content:read` / `file_comments:read`, integrators must migrate OAuth apps and re-prompt users developers.figma.com β†—
Existing Supabase Auth provider integration broke due to the `files:read` scope deprecation github.com β†—
Plugin API is **JavaScript/TypeScript only and runs in-app**, no server-side automation outside the REST API track developers.figma.com β†—
Plugins in Dev Mode cannot edit layers (nodes), only certain metadata, write-API surface is fundamentally restricted figma.com β†—
Plugin API runtime limits (bundle size, memory, async constraints, dynamic page loading restrictions) require non-trivial bundling workarounds sam.today β†—
Critical command-injection vulnerability (**CVE-2025-53967**, CVSS 7.5) in the third-party figma-developer-mcp MCP server allowed remote code execution via unsanitized input passed to the Figma API endpoint thehackernews.com β†—
Detailed anatomy of the Figma MCP attack chain published by Salt Security showing AI-agent / design-platform integration risks salt.security β†—
Plugin marketplace quality varies; abandoned plugins are common across the ecosystem forum.figma.com β†—
Webhook creation requires a paid team plan; Dev Resources require a Dev Mode seat, feature/license gating is dense developers.figma.com β†—
Performance degradation on large or complex files, Variables tab stutters, big design systems become unresponsive news.ycombinator.com β†—
'Figma is an absolutely awful design tool that has great collaboration features', long-running HN sentiment about feature creep vs design depth news.ycombinator.com β†—
'When Figma starts designing us', concern that Figma's defaults shape product design across the industry news.ycombinator.com β†—
Pricing increases and seat-type confusion (View / Collab / Dev / Full), buyers struggle to predict org spend post-IPO forum.figma.com β†—
Vendor lock-in concerns driving teams to evaluate Penpot, Sketch, Framer alternatives penpot.app β†—
Variables / Modes UI is sluggish on large design systems news.ycombinator.com β†—
Figma Make / AI feature pricing and quota model is opaque (especially for Starter accounts capped at 6 read-tool calls/month) instagit.com β†—
Severe security vulnerability (CVE-2025-53967, CVSS 7.5) in the third-party figma-developer-mcp Model Context Protocol server allowed remote command execution via unsanitized user input thehackernews.com β†—
Security analysts deconstructed the Figma MCP attack chain showing risks of AI-agent integrations with design platforms salt.security β†—
Comparison sentiment: many designers feel Reddit-style web app performance proves Figma's bloat is avoidable news.ycombinator.com β†—