Secure Anima and Figma Tokens

v20260423

anima-security-basics

This guide outlines critical security best practices for design-to-code pipelines using Anima and Figma. It covers securing API credentials by restricting token scopes (e.g., read-only access for Figma), enforcing server-side execution for SDKs, and implementing robust secret management using cloud services like GCP Secret Manager. This minimizes the risk of credential leakage in CI/CD environments.

security design figma anima tokens secrets cicd saas

Get Skill

329 downloads

Overview

Anima Security Basics

Security Checklist

Anima token stored in secret manager (not .env in prod)
Figma PAT has minimum required scope (file:read only)
SDK runs server-side only (never ship tokens to browser)
.env files gitignored and chmod 600
CI secrets stored in GitHub Secrets, not workflow files
Generated code reviewed before committing (no embedded tokens)

Instructions

Step 1: Figma Token Scope Restriction

# When creating a Figma Personal Access Token:
# - Give it the MINIMUM scope needed: File Content (read-only)
# - Do NOT grant write access unless you need Figma plugin features
# - Set an expiration date (90 days recommended)
# - Create separate tokens for dev vs CI environments

Step 2: Server-Side Only Enforcement

// src/anima/safety.ts
// Anima SDK is designed for server-side use only

function validateEnvironment(): void {
  if (typeof window !== 'undefined') {
    throw new Error('Anima SDK must run server-side only — never import in browser code');
  }
  if (!process.env.ANIMA_TOKEN) throw new Error('ANIMA_TOKEN not set');
  if (!process.env.FIGMA_TOKEN) throw new Error('FIGMA_TOKEN not set');
}

// Call this at startup
validateEnvironment();

Step 3: Secret Manager Integration

// src/anima/secrets.ts
async function loadAnimaSecrets(): Promise<{ animaToken: string; figmaToken: string }> {
  const { SecretManagerServiceClient } = await import('@google-cloud/secret-manager');
  const client = new SecretManagerServiceClient();

  const [animaVersion] = await client.accessSecretVersion({
    name: `projects/${process.env.GCP_PROJECT}/secrets/anima-token/versions/latest`,
  });
  const [figmaVersion] = await client.accessSecretVersion({
    name: `projects/${process.env.GCP_PROJECT}/secrets/figma-token/versions/latest`,
  });

  return {
    animaToken: animaVersion.payload?.data?.toString() || '',
    figmaToken: figmaVersion.payload?.data?.toString() || '',
  };
}

Output

Figma token with minimal scope (read-only)
Server-side enforcement preventing browser usage
Secrets loaded from cloud secret manager

Resources

Next Steps

For production deployment, see anima-prod-checklist.

Info

Category Development

Name anima-security-basics

Version v20260423

Size 2.83KB

Source jeremylongshore/claude-code-plugins-plus-skills

Updated At 2026-04-28