I'm building an MCP server using fastMCP, with Cursor as the MCP client. The server will fetch and process Figma design information.

As we know, a Figma access token is required to make API requests. For a local MCP server, the token can be easily configured like this:

```json
"figma-to-code": {
  "command": "uv",
  "args": [
    "run", "--with", "fastmcp", "fastmcp", "run",
    "/Users/xxx/figma_mcp_server.py",
    "--", "--figma_token", "figd_xxxxx-6iHOMRhSMEXPkPE487VKqG"
  ],
  "env": {}
}
```

However, I'm unsure how to securely obtain and pass the Figma token for a remote MCP server deployment.

I have reviewed the FastMCP OAuth and Figma OAuth documentation:

https://gofastmcp.com/servers/auth/oauth-proxy#token-verification

https://developers.figma.com/docs/rest-api/authentication/

The FastMCP OAuth documentation indicates that provider information such as client_id is required. However, I don't think it's the right way to work on the MCP side to achieve my desired workflow. Here is the intended procedure:

  1. My MCP users will receive a remote MCP server endpoint such as http://xxx:9000/mcp
  2. They will configure this endpoint in Cursor as follows:

     ```json
     "figma-to-code-http": { "url": "http://10.91.214.50:9000/mcp" }
     ```

  3. When they enable the server, Cursor will prompt them to authenticate with Figma
  4. Upon user consent, the remote MCP server will obtain the access token and function properly

1 Answer

Short answer

Use fastMCP’s built‑in OAuth flow. Your HTTP MCP server must declare an OAuth provider (figma) and verify tokens; Cursor will handle the browser login, store/refresh the token, and send it with every MCP request. Do not pass tokens via args or put client secrets on the server.

How to wire it

  1. Server: declare OAuth and require it for requests

```ts
// Node/TS skeleton
import { createHttpServer, oauth } from "fastmcp/http";

const server = createHttpServer({
  auth: oauth.configure({
    // just declare the provider; no client_id/secret on the server
    providers: [oauth.providers.figma({ id: "figma", scopes: ["file_read"] })],
  }),
});

// Any tool that talks to Figma
server.tool("getFile", async (ctx, { fileKey }) => {
  const token = await ctx.auth.require("figma"); // throws if not authenticated
  const res = await fetch(`https://api.figma.com/v1/files/${fileKey}`, {
    headers: { Authorization: `Bearer ${token.accessToken}` },
  });
  return await res.json();
});

server.listen(9000);
```

Python (shape only):

```python
from fastmcp.http import HttpServer
from fastmcp.oauth import configure, figma

server = HttpServer(
    auth=configure(providers=[figma(id="figma", scopes=["file_read"])])
)

@server.tool()
def get_file(ctx, file_key: str):
    token = ctx.auth.require("figma")
    # call Figma with token.access_token
```

  2. Token verification on the server
  • Keep it “stateless”: enable the oauth verification middleware/helper from fastMCP (it calls Figma’s GET /v1/me or similar to validate the bearer and handles expiry).

  • You never store client secrets; you only accept/verify a bearer sent by the client.

  3. Cursor config for your users

```json
"figma-to-code-http": { "url": "http://10.91.214.50:9000/mcp" }
```

  • When enabled, Cursor reads the server’s auth/providers, opens the Figma OAuth screen, and on success injects the access token into MCP requests.

  • Cursor also refreshes the token; your server just calls ctx.auth.require("figma") each time.

TIP

  • This is the only way to make Cursor “prompt to authenticate”: the server must advertise an OAuth provider in its MCP handshake; Cursor drives the browser flow.

  • Avoid passing tokens in args or env; that’s for local/dev only.

  • Ensure your MCP endpoint is HTTPS in production.
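
The stateless bearer check mentioned under "Token verification on the server", written out as an added example; it is not code from the answer and not part of FastMCP's API. `BearerVerifier` and `fetch_figma_user` are hypothetical names, and the code assumes Figma's `GET /v1/me` accepts the OAuth bearer and answers 401 or 403 for a rejected token.

```python
import hashlib
import json
import time
import urllib.error
import urllib.request
from typing import Callable, Optional

FIGMA_ME_URL = "https://api.figma.com/v1/me"  # returns the user that owns the token


def fetch_figma_user(token: str) -> Optional[dict]:
    """Ask Figma who owns this bearer; None when Figma rejects it (assumed 401/403)."""
    req = urllib.request.Request(FIGMA_ME_URL, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        if exc.code in (401, 403):
            return None
        raise  # upstream failure: surface it instead of treating the caller as valid


class BearerVerifier:
    """Hypothetical helper: validates an Authorization header, caching by token hash."""

    def __init__(self, lookup: Callable[[str], Optional[dict]] = fetch_figma_user,
                 ttl: float = 60.0, clock: Callable[[], float] = time.monotonic):
        self._lookup, self._ttl, self._clock = lookup, ttl, clock
        self._cache = {}  # sha256(token) -> (expires_at, user); raw tokens are never kept

    def verify(self, authorization: Optional[str]) -> Optional[dict]:
        scheme, _, token = (authorization or "").partition(" ")
        token = token.strip()
        if scheme.lower() != "bearer" or not token:
            return None  # missing header, wrong scheme, or empty credential
        key = hashlib.sha256(token.encode()).hexdigest()
        hit = self._cache.get(key)
        if hit and hit[0] > self._clock():
            return hit[1]
        self._cache.pop(key, None)  # drop an expired entry before re-checking
        user = self._lookup(token)
        if user is not None:  # cache only accepted tokens, and only for a short TTL
            self._cache[key] = (self._clock() + self._ttl, user)
        return user
```

A successful lookup shows only that Figma accepts the token, not that it was issued for this server, so the result identifies a user and is not an audience check.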

1 Comment

I don't think there is a built-in figma token provider in fastMCP.
