figma guide

Designing third-party app approvals and marketplace UI in Figma: OAuth consent, allowlists, and handoff

Design third-party app approval and marketplace UI in Figma with app catalog, OAuth consent, org allowlists, scope review, and Dev Mode specs for enterprise integration admin.

Published
Updated
Jul 16, 2026
Read time
8 min
Level
Intermediate

Quick answer

Third-party app approvals control which integrations members can install—configured under Organization → Security → Apps & integrations. Design an org app catalog (approved, blocked, pending); member install flow with scope disclosure before OAuth consent; admin approval queue for new app requests; scope comparison table (read files, write comments, org admin); revoke and offboard hooks tied to member deprovisioning; and usage audit in security activity. Start from the Figma guides hub and pair with connected accounts, API keys, and DLP.


Who this is for

  • Product designers building enterprise integration settings, OAuth consent screens, and marketplace admin.
  • Design system teams aligning app cards with cards and permission copy with team roles.
  • Engineers implementing allowlist enforcement, token revocation, and scope diff on app updates.

App governance entry points

LocationAudienceActions
Org → Security → Apps & integrationsSecurity adminAllowlist, blocklist, approval queue
Marketplace / CommunityAll membersBrowse; install gated by policy
OAuth consent screenInstalling memberGrant scopes
Member → Connected appsEnd userView/revoke personal installs
Audit logSecurity adminInstall, revoke, scope change events

Verdict: central Apps & integrations admin page plus consent screen at install time—policy invisible until blocked installs frustrate users.


Org app catalog states

StateMember experienceAdmin UI
ApprovedInstall without extra approvalGreen status in catalog
Approved with restrictionsInstall; limited scopesBadge: “View-only scopes”
Requires approvalRequest → admin queuePending count in nav
BlockedHidden or “Not allowed by org”Block reason in admin
DeprecatedExisting installs work; no newSunset date shown
OrgAppCatalogTable
├── Tabs: Approved (24) · Pending (3) · Blocked (8) · All
├── Columns: App · Publisher · Scopes · Installs · Status · Actions
└── Toolbar: [ Add to allowlist ] [ Import blocklist ] [ Review pending ]

App card and detail drawer

Marketplace and admin views share a consistent app detail pattern:

AppDetailDrawer
├── Logo + name + publisher (verified badge)
├── Description + privacy policy link
├── Scopes requested: bullet list with plain-language explanations
├── Org status chip: Approved / Requires approval / Blocked
├── Install count: 142 members · 3 teams
├── Last scope update: Mar 12, 2026 — "Review required" banner if breaking
└── Actions: [ Approve for org ] [ Block ] [ View audit ]
ScopePlain-language labelRisk tier
Read filesView files you can accessLow
Write commentsPost and edit commentsLow
Read org membershipSee member list and emailsMedium
Manage webhooksCreate org-level webhooksHigh
Admin actionsChange org settingsCritical

Use risk tier colors sparingly—pair with text for accessibility.


When policy is requires approval or blocked, intercept before OAuth redirect:

InstallBlockedModal
├── App: Acme Sync for Jira
├── Status: Not on your organization's approved list
├── Actions: [ Request admin approval ] [ Cancel ]
└── Link: Why can't I install?

Approved apps still show consent screen with scope checklist:

OAuthConsentScreen
├── App logo + "Acme Sync wants to access your Figma account"
├── Scopes:
│   [x icon] Read files in teams you belong to
│   [x icon] Post comments on your behalf
├── Org note: "Approved by IT · View-only data access"
├── Checkbox: [ ] I understand this app can read file content
└── [ Deny ] [ Authorize ]

Critical scopes require explicit checkbox—not pre-checked—for SOC2-friendly consent.


Admin approval queue

ColumnSpec
RequestedTimestamp + requester
AppName + publisher
ScopesDiff vs org default template
JustificationMember-provided reason
Similar approved”Like Slack plugin (approved)“
ActionsApprove once / Approve org-wide / Deny
ApprovalQueueRow
├── Requester: jane@acme.com · Design team
├── App: Vendor DAM Connector · scopes: read files, export assets
├── Justification: "Need asset sync for Q3 campaign"
└── [ Approve for requester ] [ Approve for org ] [ Deny ]

Approve for org adds to allowlist—future installs skip queue if scopes unchanged.


Allowlist and blocklist management

ActionUIAudit event
Add approved appSearch marketplace ID or paste URLapp.approved
Block appBlock with reason; optional notify installsapp.blocked
Scope templateMax scopes any app may requestapp.policy.updated
Publisher trustAllow all from verified publisherpublisher.trusted
AddToAllowlistModal
├── Search: [ slack ▾ ]
├── App: Slack Notifications v2.4
├── Scope ceiling: [x] Read files  [x] Post comments  [ ] Org admin
├── Auto-approve future scope patches: ( ) Yes  (•) No
└── [ Cancel ] [ Add to approved list ]

Auto-approve scope patches should default off—app updates that add scopes trigger re-approval.


When a publisher ships new scopes, existing installs enter review required:

ScenarioMember UIAdmin UI
Minor scope addRe-consent banner on next usePending re-approval count
Critical scope addApp disabled until re-consentAlert Security Admin
Publisher changeBlock + force uninstall optionMigration wizard
ScopeChangeBanner
├── "Acme Sync updated permissions — review before Mar 20"
├── New scope: Export files (previously not requested)
└── [ Review and authorize ] [ Revoke access ]

Admin dashboard: apps with drift from approved scope template highlighted.


Revoke, offboard, and token lifecycle

Tie to member offboarding and connected accounts:

EventBehavior
Member offboardedRevoke all user OAuth tokens for org apps
App blockedGrace period banner; then hard revoke
Admin revokeImmediate; notify affected members
Sponsor leavesRevoke guest-scoped app tokens if applicable
RevokeAppAccessModal
├── App: Legacy CRM Sync · 89 active connections
├── Effect: Members lose sync immediately
├── Reason: [ Required ] Security review failed
└── [ Cancel ] [ Revoke all org access ]

Log revocations to audit log with actor, app ID, member count.


DLP and data egress alignment

Data loss prevention and classification labels apply to app exports:

ControlSpec
Confidential file blockApp cannot read Restricted-labeled files
Export scope capApproved apps max at read-only
Webhook payload filterNo PII in outbound events—link webhooks
Audit on app readLog app.file.access for Confidential+

Settings note: “App policies stack with DLP—most restrictive wins.”


Developer-built vs marketplace apps

TypeApproval pathUI difference
Marketplace publicStandard catalog + queuePublisher verified badge
Private org appAdmin uploads client IDInternal-only badge
Personal API tokenSeparate from OAuth—link API keysNot in marketplace

Do not conflate OAuth apps and personal access tokens in the same table—cross-link with clear labels.


Common mistakes

MistakeWhy it hurtsFix
Scope jargon on consentMembers over-grantPlain-language scope list
No approval queueShadow IT via personal tokensGate install + monitor API keys
Block without uninstall pathOrphan tokens activeRevoke job on block
Scope updates silentOver-permissioned appsRe-consent on diff
Marketplace shows blocked apps as installableClick → error frustrationHide or show blocked state early
No publisher trust optionAdmin approves same vendor 20×Trust verified publisher
Offboard ignores app tokensEx-employee access persistsRevoke on deprovision
Apps bypass classificationData leak via integrationEvaluate label on app read
Consent checkbox pre-checkedCompliance failureExplicit opt-in for critical scopes
Admin and member app views differConfusing statusShared app detail component

  1. Design org app catalog with approved, pending, blocked tabs and scope summary.
  2. Build OAuth consent screen with plain-language scopes and org approval note.
  3. Add install intercept for blocked and requires-approval states with request flow.
  4. Create admin approval queue with approve-once vs approve-org-wide actions.
  5. Spec scope change re-consent banners and admin drift dashboard.
  6. Wire revoke to offboarding and blocklist hard-revoke jobs.
  7. Link DLP and classification rules for app file access in Dev Mode.

FAQ

Are Figma plugins the same as OAuth apps?

Related but distinct—plugins run in-editor; OAuth apps use REST API. Admin may need separate allowlists or unified “integrations” view with type filter.

Can teams override org app policy?

No—org allowlist is ceiling; teams cannot approve blocked apps.

How do apps relate to webhooks?

Apps may register webhooks—show webhook scopes on consent; admin revokes webhooks when app blocked.

Personal token when app is blocked?

Separate policy—org can disable personal tokens or restrict scopes; link from Apps settings.

Monitor mode for new app policy?

Recommend log-only period—track app.install.attempted blocked events before enforce, similar to DLP monitor mode.


Next steps

Share on X

§ Keep reading

Related guides.