About Figma
Iru uses OAuth 2.0 (authorization code). When you enable the source, a browser popup sends you to Figma to sign in and approve scopes (files, projects, org, teams, components, webhooks, analytics, etc.). Some scopes (for example variables:read) require Enterprise - lower tiers simply omit those datasets rather than failing outright.
How It Works
Iru uses Figma’s OAuth 2.0 authorization code flow. When you turn the source on, a browser popup sends you to Figma; you sign in, review scopes, and grant access. Figma returns an authorization code that Iru exchanges for an access token (and a refresh token where applicable).

| Detail | Value |
|---|---|
| Category | Design systems |
| Authentication | OAuth 2.0 |
| Recommended plan | Organization or Enterprise for broad API coverage |
files:read, projects:read, org:read, org_teams:read, components:read, webhooks:write (for incremental updates), and analytics:read - exact lists follow the Figma authorization screen.
Official references: Authentication, Scopes, REST API.
Prerequisites
- Admin or Owner on the Figma organization you want Iru to read.
Connect Figma to Iru
- Figma
- Iru Compliance
Complete this tab before you enable Figma in Iru Compliance, so the right org member completes OAuth.
Sign in to Figma
Open figma.com and sign in as an Admin or Owner of the organization Iru should read.
Confirm org and files visibility
Open the teams, projects, and files your compliance program expects as evidence. Enterprise-only scopes (for example some variables reads) require the right plan and role.
Review scopes documentation
Skim Figma authentication and Scopes so the consent screen matches your expectations.
Continue on the Iru Compliance tab.
Troubleshooting
Nothing opens when you turn the source on
Check pop-up blocker settings for the Iru site and try again.
Popup blocked
Allow popups for Iru; toggle source off/on.
Access denied
Authorize with Org Admin/Owner; Editors may lack org scopes.
Missing teams/files
Re-authorize with a user who can access those teams/projects.
Token expired
Re-run the OAuth flow from Iru.
Considerations
Removing the authorizing user from the org can invalidate access - reconnect with a durable admin account.
