figma guide

Password-Protected Prototypes & Share Links: Security Basics in Figma

Share Figma prototypes safely: password gates, view vs edit links, org policies, expiring access, and team norms that stop accidental leaks of unreleased UI.

Published
Updated
May 22, 2026
Read time
6 min
Level
Intermediate

Quick answer

Anyone with a Figma prototype link can open it unless your organization restricts sharing, so treat prototype URLs like lightweight credentials. Use password protection on sensitive flows, prefer view-only links for stakeholders who do not need edit access, and document who may receive links (clients, research participants, executives). Pair technical settings with file hygiene from "How to organize a Figma file so it scales" and prototyping basics in "How to use Figma to create a prototype". For browser-only reviewers, see "Working with Figma in the browser" for session and logout habits on shared machines.


What “sharing” actually exposes

Figma offers several link types. Confusing them is the most common security mistake on product teams.

| Link type | Typical use | Risk if mishandled |
| --- | --- | --- |
| Prototype link | Usability tests, exec walkthroughs | Unreleased UI visible to anyone who receives the URL |
| View link (design file) | Read-only critique of frames | Screens and comments visible; no canvas edits |
| Edit link | Active design collaboration | Full change access unless org policy blocks |
| Dev Mode link | Engineering pick-up | Specs, assets, and structure exposed to holders |

Prototype links are not “private by obscurity.” URLs get forwarded in email threads, pasted into Slack, and saved in ticket systems. Assume every prototype link will travel one hop beyond the person you sent it to.


Password-protected prototypes (when and how)

Figma allows a password on published prototype links (availability depends on your plan and organization admin settings). The password is separate from the viewer’s Figma account—think of it as a shared gate for external audiences.

Use password protection when:

  • You show pre-release product UI to clients, press, or partners under NDA.
  • Research includes realistic data in placeholder copy (even fake names can look like PII).
  • You run competitive flows you do not want indexed or casually reshared.

Skip password protection when:

  • The flow is already public marketing creative.
  • You need frictionless mobile testing with dozens of participants and your research tool manages access instead.
  • Your org uses SSO-only sharing policies that supersede prototype passwords.

Workflow:

  1. Finish the prototype flow on a delivery page—not a sandbox full of alternate explorations.
  2. Open Share → choose Prototype → enable password and set a strong, unique passphrase per study or client (not your team’s single shared password forever).
  3. Send the password through a different channel than the link (e.g., link in calendar invite, password in DM or research platform).
  4. Rotate passwords when a study ends or a contractor offboards.

Verdict: Passwords reduce casual forwarding; they do not replace contracts, access reviews, or org-level sharing restrictions.
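
Steps 2 and 4 of the workflow (one passphrase per study, rotated when the study ends) can be checked mechanically if the team keeps a register of its protected links. The sketch below is an added example, not part of Figma or of the original guide; the register fields (`study`, `fp`, `study_ends`, `link_active`) and the key are assumptions made for illustration.

```python
import hashlib
import hmac
from datetime import date

# Constructed key for the example; a real register key would live in a secrets manager.
REGISTER_KEY = b"constructed-example-key"


def fingerprint(passphrase, key=REGISTER_KEY):
    """Keyed digest: lets the register detect reuse without storing the passphrase."""
    return hmac.new(key, passphrase.encode("utf-8"), hashlib.sha256).hexdigest()


def audit_register(rows, today):
    """Return (study, problem) pairs for reuse and for links that outlived their study."""
    findings = []
    first_use = {}  # fingerprint -> first study that used it
    for row in rows:
        if row["link_active"] and row["study_ends"] < today:
            findings.append((row["study"], "link still active after study ended"))
        owner = first_use.setdefault(row["fp"], row["study"])
        if owner != row["study"]:
            findings.append((row["study"], f"passphrase already used for {owner}"))
    return findings


# Constructed register: one row per password-protected prototype link.
SAMPLE_REGISTER = [
    {"study": "client-a-checkout", "fp": fingerprint("amber-kettle-4471"),
     "study_ends": date(2026, 3, 31), "link_active": True},
    {"study": "client-b-onboarding", "fp": fingerprint("amber-kettle-4471"),
     "study_ends": date(2026, 6, 30), "link_active": True},
    {"study": "internal-pilot", "fp": fingerprint("quiet-lantern-0923"),
     "study_ends": date(2026, 6, 15), "link_active": True},
]

if __name__ == "__main__":
    for study, problem in audit_register(SAMPLE_REGISTER, date(2026, 5, 22)):
        print(f"{study}: {problem}")
```
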


View-only vs edit: default to the least privilege

| Need | Share this | Avoid |
| --- | --- | --- |
| Stakeholder review | View or prototype | Edit link “because it is easier” |
| Usability test | Prototype (password if needed) | Entire edit file link |
| Developer specs | Dev Mode or controlled project access | Public edit link to production library |
| Agency handoff | Project invite with role | Anonymous edit link in a PDF |

Document defaults in your design ops README: “External = prototype or view; internal = project role.” Engineers picking up builds should follow best Figma dev handoff plugins inside governed projects—not ad hoc edit links.


Organization policies that override individual habits

Enterprise and many Team plans expose admin controls that matter more than any single designer’s caution:

  • Disable public links or restrict sharing to the org domain.
  • Require approval before links leave the workspace.
  • Audit logs of who opened or exported assets (features vary by plan).
  • Guest seats with explicit expiration for contractors.

If you are a team lead, align with IT before an incident: agree whether client reviews use password prototypes, watermarked PDFs, or controlled guest accounts. Designers cannot “security policy” their way around a disabled public link setting.


Data hygiene inside files you share

Even with passwords, prototypes reveal structure and copy. Before sharing:

  1. Replace realistic customer data with obviously fake content (user@example.com, Alex Demo).
  2. Remove internal codenames from layer names visible in some presentation contexts; rename presentation frames for outsiders.
  3. Hide or detach experimental pages from the prototype flow—participants should not navigate to archived explorations via miswired hotspots.
  4. Rasterize sensitive diagrams if policy requires (trade-off: less editable for you, safer for them).

For export discipline on marketing assets that sometimes accompany prototypes, use production-ready export guidance.


Research and client testing checklist

Use this before every external session:

  • Prototype built only from approved frames on a delivery page.
  • Password enabled (if policy requires) and stored outside the link message.
  • No edit link in the recruiting email or Notion doc.
  • Recording consent covers what appears on screen (including notifications and other tabs if remote).
  • Offboarding: disable link or rotate password after the study window closes.
  • Mobile path tested on a real device—browser chrome and OS keyboards affect auth flows; see mobile UI presets and safe areas if you test native-sized frames.
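
Two checklist items (no edit link in the outgoing message, password stored outside the link message) can be linted before a recruiting email or doc goes out. This is an added example, not code from the original guide or from Figma; it assumes Figma URLs name the surface in the first path segment (`/proto/`, `/design/`, `/file/`) and mark Dev Mode with `m=dev`, and the sample message and file keys are constructed.

```python
import re
from urllib.parse import parse_qs, urlparse

# Assumed URL layout: the first path segment names the Figma surface.
SURFACES = {"proto": "prototype", "file": "design file", "design": "design file",
            "board": "FigJam board", "slides": "slides"}
URL_RE = re.compile(r"https?://[^\s<>()\[\]]+")
# Phrases that suggest the gate password sits in the same message as the link.
SECRET_RE = re.compile(r"\b(?:password|passphrase|passcode)\s*(?:is\b|:|=)", re.I)


def find_figma_links(text):
    """Return (url, surface, dev_mode) for each link whose host is figma.com."""
    links = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;")
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if host != "figma.com" and not host.endswith(".figma.com"):
            continue  # ignores lookalikes such as figma.com.example.net
        segments = [s for s in parsed.path.split("/") if s]
        surface = SURFACES.get(segments[0], "other") if segments else "other"
        dev_mode = parse_qs(parsed.query).get("m") == ["dev"]
        links.append((url, surface, dev_mode))
    return links


def lint_external_message(text):
    """Check one outgoing message against the checklist; return findings."""
    findings = []
    links = find_figma_links(text)
    for url, surface, dev_mode in links:
        if dev_mode:
            findings.append(f"dev-mode link sent externally: {url}")
        elif surface != "prototype":
            # View and edit links look alike in the URL, so a human must confirm the role.
            findings.append(f"{surface} link, confirm it is view-only: {url}")
    if links and SECRET_RE.search(text):
        findings.append("password appears in the same message as the link")
    return findings


# Constructed sample message; the file keys are placeholders.
SAMPLE = """Study build: https://www.figma.com/proto/EXAMPLEKEY1/Checkout-v2?node-id=1-2
Password: tulip-harbor-91
Working file: https://www.figma.com/design/EXAMPLEKEY2/Checkout-WIP
Specs: https://www.figma.com/design/EXAMPLEKEY2/Checkout-WIP?m=dev
"""

if __name__ == "__main__":
    print("\n".join(lint_external_message(SAMPLE)))
```

The URL alone cannot show whether a design-file link grants view or edit rights, so that finding is a prompt to check the share dialog rather than a verdict.
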

Common mistakes teams repeat

  1. One immortal edit link in the wiki — Anyone who joins the company inherits full file access.
  2. Prototype wired to the wrong starting frame — Reviewers see deprecated UI that still looks official.
  3. Sharing the whole file when a five-screen prototype would do — Increases leak surface for free.
  4. Reusing passwords across clients — A leaked password from Study A opens Study B’s build.
  5. Forgetting Slack unfurls — Pasting a link in a public channel broadcasts thumbnails; use private channels or delink previews per org norms.
  6. Assuming “internal” comments stay internal — Viewers with comment rights can surface feedback you wrote for the team.

Troubleshooting

Password gate not available

Your plan or admin may disable prototype passwords. Fallbacks: guest access with expiry, PDF/video walkthrough, or in-person moderated sessions.

Reviewers see the wrong flow

Re-check the prototype starting frame and hotspot order. Duplicate the flow to an External review page if engineers still need messy WIP pages elsewhere; see file organization patterns.

Confirm they are not blocked by SSO-only org rules, VPN requirements, or regional restrictions. Try an incognito window without your Figma session to simulate a cold open.

Offer comment access on a view link or schedule a 15-minute working session instead of permanent edit rights.


FAQ

Does a password-protected prototype stop screenshots?

No. Passwords control who can open the URL in Figma, not screen capture or screen recording. Combine with NDAs and moderated sessions for high-sensitivity work.

Public links can be discovered if shared broadly; org policies and link hygiene matter more than designer intent. Do not treat unpublished URLs as secret without organizational controls.

Should user research use Figma’s prototype player or a third-party tool?

Use Figma when fidelity and real components matter; use dedicated research tools when you need panel management, consent, and analytics—export or link prototypes accordingly. Start from how to use Figma to create a prototype before choosing tooling.

Different exposure: Dev Mode reveals implementation detail. Share it only with people who need specs, inside projects governed like production repos.

What about FigJam or slides?

Same principles: least privilege link, separate passwords where supported, and no edit links in public docs. Deck teams can borrow presentation structure from slide decks in Figma.


What to do next

  • Tighten team defaults: Add link rules to your design ops README and Figma guides hub.
  • Improve flows: Refine interactions before the next external review using the tutorials index.
  • Quarterly audit: Revisit org sharing settings when features change—see Figma quarterly check-in.

Final recommendation

Treat prototype and view links as access grants, not convenience shortcuts. Default to view or password-protected prototypes for outsiders, keep edit access inside projects, and rotate credentials when studies end. Passwords help with casual resharing; org policy, data hygiene, and least-privilege habits do the heavy lifting for real security.
