Setting up a personal access token

Figma personal access tokens let you authenticate with Subtree without the standard browser-based OAuth flow. This is useful for restricted environments, CI/CD setups, or when OAuth redirects aren't available.

When should you use a personal token?

The standard OAuth flow is recommended for most users — it's more secure and handles token refresh automatically.

Use a personal access token if:

  • Your organization blocks OAuth redirects to custom protocols
  • You're behind a corporate proxy that interferes with OAuth
  • You need to authenticate in a headless or CI environment

Step by step

Setup guide

01. Open Figma account settings

  • Log in to Figma at figma.com.
  • Click your profile avatar in the top-right corner.
  • Select "Settings" from the dropdown menu.

02. Navigate to Personal access tokens

  • Scroll down to the "Personal access tokens" section.
  • You can also access this directly via the Security tab in your account settings.

03. Generate a new token

  • Click "Generate new token".
  • Give your token a descriptive name, e.g. "Subtree".
  • For expiration, select up to 90 days — Figma does not allow tokens longer than that.
  • Under scopes, Subtree only needs: Users → current_user:read (Read only). No other scopes are required.
  • Click "Generate token".

04. Copy your token

  • Your token is displayed once — copy it immediately.
  • It starts with "figd_" followed by a long string of characters.
  • Store it somewhere safe. If you lose it, you'll need to generate a new one.

05. Connect to Subtree

  • Open the Subtree desktop app.
  • Go to Account > Sign in.
  • Select "Use personal access token" instead of the OAuth option.
  • Paste your token and click Connect.
  • Subtree validates the token against Figma's API and creates your session.

Reference

How it works

Token format

figd_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

All Figma personal tokens start with the figd_ prefix.

What happens when you connect

  1. Subtree sends your token to our backend over HTTPS.
  2. We validate it against Figma's API (GET /v1/me) to confirm it's genuine.
  3. Your Figma user profile (name, email) is retrieved to create your account.
  4. The token is encrypted with AES-256-GCM and stored. We never store plaintext tokens.
  5. A session token is returned to the desktop app for subsequent requests.

Security considerations

  • Personal tokens expire after the date you chose (max 90 days). Generate a new one when it expires.
  • Unlike OAuth tokens, personal tokens can't be refreshed automatically. If one expires or is revoked, you'll need to generate a new token.
  • Your Subtree session expires after 90 days regardless, requiring re-authentication.
  • Rate limiting (10 requests/minute) protects the token endpoint from brute-force attempts.
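
For CI use, the figd_ prefix described under Token format and the 90-day limit above can be turned into two checks: scrubbing tokens from build output and flagging a token that is close to expiry. This is an added example, not Subtree or Figma code; the character set and minimum length after figd_, the FIGMA_TOKEN variable name and the 14-day warning window are assumptions, and the log lines are constructed.

```python
import re
from datetime import date, timedelta

# Assumption: after the documented "figd_" prefix the token uses letters,
# digits, "-" and "_" and is at least 20 characters long. The guide only
# documents the prefix, so tune this pattern against your own tokens.
TOKEN_RE = re.compile(r"(?<![A-Za-z0-9])figd_[A-Za-z0-9_-]{20,}")
MAX_LIFETIME = timedelta(days=90)  # longest expiry the guide says Figma allows


def redact(text):
    """Replace every token in text, keeping only the non-secret prefix."""
    return TOKEN_RE.sub("figd_[REDACTED]", text)


def find_leaks(lines):
    """Return (line_number, redacted_line) for each line that holds a token."""
    return [(n, redact(line)) for n, line in enumerate(lines, 1)
            if TOKEN_RE.search(line)]


def rotation_status(created, expires, today, warn_days=14):
    """Classify a token as 'ok', 'rotate-soon' or 'expired' from its dates."""
    if expires - created > MAX_LIFETIME:
        raise ValueError("expiry is more than 90 days after creation")
    days_left = (expires - today).days
    if days_left < 0:
        return "expired"  # personal tokens are not refreshed; issue a new one
    return "rotate-soon" if days_left <= warn_days else "ok"


# Constructed sample build output; FIGMA_TOKEN is a hypothetical variable name
# and the token values are made up.
SAMPLE_LOG = [
    "step 1: checkout ok",
    "env FIGMA_TOKEN=figd_" + "A1b2" * 10,
    '{"token": "figd_' + "z9_Y-" * 8 + '"}',
    "note: tokens start with figd_ (nothing secret on this line)",
]

if __name__ == "__main__":
    for number, line in find_leaks(SAMPLE_LOG):
        print(f"line {number}: {line}")
    print(rotation_status(date(2025, 1, 1), date(2025, 4, 1), date(2025, 3, 25)))
```

A line that trips find_leaks means the token should be treated as exposed: revoke it in Figma and generate a new one.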

Revoking a token

To revoke a personal access token:

  1. Go to Figma > Settings > Personal access tokens.
  2. Find the token you created for Subtree.
  3. Click the trash icon to delete it.
  4. The token is immediately invalidated. Subtree will require re-authentication.

Ready to connect?

Download Subtree and sign in with your personal access token.