figma guide

Designing API keys and personal access tokens UI in Figma: scopes, rotation, and developer security settings

Design API keys and personal access tokens UI in Figma with create/revoke flows, scope pickers, one-time secret display, rotation, and Dev Mode specs for developer security settings.

Published
Updated
Jul 09, 2026
Read time
7 min
Level
Intermediate

Quick answer

API keys and personal access tokens (PATs) let developers authenticate scripts and integrations programmatically—usually under Account → Developer, Settings → API, or Organization → Integrations. Design a token list with name, masked prefix, scopes, created/last-used dates, and Revoke; a create flow with name, expiration, scope checkboxes, and one-time secret display (copy once, never shown again); plus rotation and last-used metadata for hygiene. Keep this separate from connected OAuth apps—keys are bearer secrets, not user-delegated consent screens. After compromise, link from account recovery review. Start from the Figma guides hub and pair with Dev Mode handoff for engineering specs.


Who this is for

  • Product designers building developer settings for SaaS APIs, CLI tools, and automation platforms.
  • Design system teams distinguishing PAT UI from OAuth app directories and admin API credentials.
  • Engineers implementing scoped tokens, hashing at rest, rotation without downtime, and audit events.

API keys vs OAuth apps vs service accounts

Credential typeWho createsTypical useUI home
Personal access tokenEnd userScripts, CI, local devUser Developer settings
OAuth connected appUser authorizes third party”Sign in with”, calendar syncConnected accounts
Org service accountAdminServer-to-server, ETLAdmin → Integrations
Publishable client keyDeveloperBrowser SDK (limited)App settings with domain allowlist
Webhook signing secretAuto-generatedVerify payloadsWebhook detail page

Verdict: never list PATs beside consumer “Google connected” rows—different mental model, different revoke consequences. Mention in copy that revoking a key breaks automations immediately.


Token list row anatomy

PartSpecNotes
NameUser-defined label”CI deploy”, “Local dev”
Prefixsk_live_abc… maskedShow first 8 + ellipsis
Scopes summaryChips or comma listread:orders, write:products
CreatedDate
ExpiresDate or “Never”Encourage expiry
Last usedRelative time or “Never”Stale key hygiene
RevokeDestructive text buttonConfirm modal
ApiKeyListRow
├── Variant: status=active | expired | revoked
├── Variant: stale=true | false (e.g. unused 90d)
└── Layers:
    ├── KeyIcon
    ├── NameLabel
    ├── PrefixBadge
    ├── ScopeChips
    ├── MetaLine (created · expires · last used)
    ├── StaleWarning (conditional)
    └── RevokeButton

Link View in activity log to audit log when keys are created or revoked.


Create token flow

StepUIValidation
1. NameText inputRequired, 3–64 chars
2. Expiration7 / 30 / 90 days, 1 year, customDefault 90 days
3. ScopesGrouped checkboxes with descriptionsAt least one; warn on admin
4. ConfirmSummary + re-auth password or 2FAStep-up for sensitive scopes
5. Secret revealFull token + copy button + downloadOne-time only
6. Done”You won’t see this again”Link back to list

Secret reveal screen:

┌─────────────────────────────────────────────┐
│  Copy your token now                        │
│  ┌─────────────────────────────────────┐    │
│  │ sk_live_xxxxxxxxxxxxxxxxxxxxxxxx    │ 📋 │
│  └─────────────────────────────────────┘    │
│  ☐ I have stored this token securely        │
│  [ Done ]  (disabled until checkbox)        │
└─────────────────────────────────────────────┘

Reuse patterns from 2FA recovery codes—same one-time display discipline.


Scope picker design

PatternBest for
Grouped checkboxes< 20 scopes in 4–6 categories
Search + multi-selectLarge API surface
Preset bundles”Read only”, “Full access” with expand
Danger tierRed label on delete:*, admin:*
Scope tierUI treatmentExtra gate
ReadStandard checkboxNone
WriteStandardOptional confirm copy
Admin / billingWarning iconRe-auth + typed confirm
ImpersonationRare; separate flowEnterprise policy

Document scope strings verbatim in Dev Mode—engineers map 1:1 to authorization middleware.


Rotation and dual-key workflow

PatternUXEngineering note
Rotate in placeNew secret; old valid 24hGrace period banner on list
Create new + revoke oldManual two-stepUser manages overlap
Auto-expireEmail 7 days beforeLink to create replacement

Rotation modal copy: “A new token will be generated. The current token stops working on Jul 12, 2026 at 3:00 PM UTC.”

Show both prefixes during overlap on the list with Expiring badge on the old row.


Empty, error, and revoked states

StateCopy / UI
Empty list”No tokens yet” + Create CTA + link to API docs
RevokedRow moves to collapsed “Revoked” section or disappears after 30d
ExpiredGray row + “Create replacement”
Rate limited create”Too many tokens—revoke unused keys”
Org policy disabled”Your admin disabled personal tokens”

Stale key nudge: banner when 3+ keys unused 90 days—“Review unused tokens” with bulk revoke optional.


Security settings page layout

SectionContents
Header”API tokens” + docs link
Policy note”Treat tokens like passwords”
Create buttonPrimary, top-right
Active tokensTable or card list
Revoked / expiredCollapsible archive
Org settings linkAdmin-only service accounts

Place under Developer or Advanced in account dashboard—not inside consumer Profile. Cross-link privacy when tokens access personal data exports.


Audit, compliance, and recovery

Log these events to security activity:

EventSeverity
Token createdInfo
Token revokedInfo
Token used from new IP (optional)Warning
Admin disabled PATs for orgWarning
Leaked key reported (GitHub scan)Critical + auto-revoke email

Post-account recovery, show “Review API tokens” with keys used during incident window highlighted.


Mobile and responsive considerations

BreakpointPattern
MobileCard list; scope chips wrap; revoke in overflow menu
Secret revealMonospace scroll; copy via Web Share API optional
DesktopTable with sort by last used

Never show full secret on mobile push notifications or email—creation confirmation email lists name + prefix only.


Handoff checklist

ItemDev Mode annotation
Token formatPrefix + entropy length
Hash at restOnly prefix stored for display
Scope enumFull list with descriptions
Expiration optionsDefault selection
Grace period on rotateHours
Last used timestampUTC, update throttled
Revoke confirmationModal copy + irreversible note
a11yCopy button announces success; secret not in aria-label
Rate limitsMax active tokens per user

For CLI docs, specify env var name (API_TOKEN) in a comment layer—not in user-facing UI unless product is developer-first.


Common mistakes

MistakeWhy it hurtsFix
Showing full key after create stepLeak via screenshot historyOne-time reveal only
OAuth UI mixed with PAT listWrong revoke expectationsSeparate pages
No expiration defaultKeys live foreverDefault 90 days
Scopes without descriptionsOver-permissioned tokensPlain-language scope help
Revoke without confirmationBroken production CIModal with token name
”Regenerate” without graceInstant outageOverlap window
Missing last-usedNo stale key cleanupShow relative last used
Email contains full secretInbox breach = API breachPrefix only in email

  1. Inventory scopes with API team—group for checkbox UI.
  2. Design list row with prefix, scopes, dates, revoke.
  3. Build create wizard through one-time secret reveal.
  4. Add rotation with grace period and dual-prefix list state.
  5. Wire audit events to security activity feed.
  6. Link from account recovery review checklist.
  7. Separate from OAuth in IA and connected accounts navigation.
  8. Prototype expired token and re-auth on admin scope create.

FAQ

Personal access tokens vs OAuth for my integration?

OAuth when a third-party app acts on behalf of a user with consent screens. PATs when the user owns the script (CLI, notebook, personal automation).

How many active tokens should we allow?

Common caps: 10–25 per user; show count toward limit on create. Enterprise may allow more via admin policy.

Support “view secret again”?

No. Industry standard is create new + revoke old. Explain in empty-state docs link.

Org-level vs user-level keys?

User PAT = that user’s permissions. Service account = non-human, admin-provisioned—separate admin UI, not covered by the same list component.

Browser-exposed keys?

Never for full secrets—use short-lived session or publishable keys with domain restrictions. Full PAT creation only in authenticated settings, not embeddable widgets.


Next steps

Share on X

§ Keep reading

Related guides.