Authentication with Figma

Typper Figma Plugin Deploy requires secure authentication with your Figma account. This guide explains how to properly set up your credentials.

Authentication Requirements

To publish plugins to Figma, you need:
  1. A Figma account with 2FA enabled
  2. Administrator permissions for the plugin
  3. Access to the team where the plugin is hosted

Setting up 2FA

1. Enable 2FA in Figma

If you haven’t enabled 2FA yet:
  1. Access your Figma settings
  2. Go to the security section
  3. Enable two-factor authentication
  4. Important: During activation, save the TOTP secret code
If you already have 2FA enabled but didn’t save the TOTP secret code, you’ll need to disable and re-enable 2FA to get a new code.

2. Obtain Required Credentials

You’ll need three pieces of information:
  1. Figma account email
  2. Figma account password
  3. TOTP secret code (obtained during 2FA activation)

Configuring Secrets

In GitHub

  1. Go to your GitHub repository
  2. Navigate to Settings > Secrets and Variables > Actions
  3. Add the following secrets:
FIGMA_EMAIL

TOTP Secret Format

The TOTP code must be in base32 format. Example: 
ABCDEFGHIJKLMNOPQRSTUVWXYZ234567
The TOTP code is case-sensitive. Make sure to copy it exactly as provided by Figma.

Security Best Practices

Dedicated Publishing Account

We strongly recommend creating a dedicated Figma account for plugin publishing. This approach:
  1. Enhanced Security
    • Limits access to only plugin-related functionalities
    • Reduces risk of compromising main company/team accounts
    • Provides better control over publishing credentials
    • Simplifies team member transitions
  2. Account Setup
    • Create a new Figma account with a company email
    • Use a strong, unique password
    • Enable two-factor authentication (required for plugin publishing)
    • Store credentials in a secure password manager
  3. Best Practices
    • Use this account exclusively for plugin publishing
    • Grant minimal necessary permissions
    • Regularly rotate credentials
    • Document access procedures securely
Store the dedicated account’s credentials using your organization’s secret management system and never share them through unsecured channels.

General Security Guidelines

  1. Never share your credentials
  2. Don’t store credentials in repository files
  3. Regularly review repository access
  4. Monitor account activity regularly

Testing Authentication

To verify your credentials are configured correctly:
  1. Make a test push to your configured workflow branch
  2. Check the logs in the Actions tab
  3. Look for any authentication-related error messages

Troubleshooting

Common Errors

Next Step

Learn how to configure your workflow to automate deployments