---
license: apache-2.0
---
# Token vs. Resource Group Access Rights Demo
## Purpose
This README explains how to set up a quick test to demonstrate how fine-grained tokens interact with resource group permissions in Hugging Face.
## The Question We're Answering
If a user has access to a model through a resource group, but their fine-grained token doesn't explicitly mention that model, will an API request to write to the model succeed?
## Materials Needed
- Hugging Face account with Enterprise access
- Admin rights to create resource groups
- Permission to create models and tokens
## Setup Steps
### 1. Create a Test Model
1. Go to your Hugging Face profile
2. Click "New Model"
3. Name it "token-test-model" (or similar)
### 2. Create a Resource Group
1. Go to your organization settings
2. Navigate to Resource Groups
3. Create a new resource group named "token-test-group"
4. Add your test model to this resource group
5. Add yourself as a user with write permissions to this resource group
### 3. Create a Fine-Grained Token
1. Go to your profile settings (top right icon on the HF page - NOT your organization settings) > select Access Tokens
2. Click "Create new Token"
3. Select "Fine-grained" as token type
4. Give it a name like "limited-test-token"
5. Important: DO NOT select your test model or check any global repository permissions
6. The token will then have only the default, minimal permission: read access to public repositories (as the UI notes, "The token will always have read access to all public repos contents").
7. Create the token and save the value on the next screen for testing
### 4. Test the Token
1. Use the API Playground (https://huggingface.co/spaces/enzostvs/hub-api-playground)
2. Set up a POST request to `/api/repos/create`
3. Paste the fine-grained token value you saved in step 3 into the Headers / Authorization section
4. In the BODY section, set:
   - Type: model
   - Name: whatever_you_want
   - Organization: name_of_your_org
   (don't worry about the Sdk field)
5. Send the request - it should fail with a permission error
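The same check as a script, so the result can be repeated without the playground. This is an added example, not part of the original README: it sends the POST to `/api/repos/create` with the token as a Bearer credential, and the body field names (`type`, `name`, `organization`) are assumed to match the playground fields listed above. The `HF_TOKEN`/`HF_ORG` environment variable names and the `post` hook are this example's own choices; the hook lets the verdict logic run offline with a constructed status code.

```python
import json
import os
import urllib.error
import urllib.request

HUB = "https://huggingface.co"


def build_create_request(token, name, org):
    """Build (url, headers, body) for POST /api/repos/create, mirroring the
    README's playground fields: type=model, a repo name, the org that owns
    the resource group (field names assumed). Token goes in a Bearer header."""
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    body = {"type": "model", "name": name, "organization": org}
    return f"{HUB}/api/repos/create", headers, body


def classify(status):
    """Map the HTTP status of the create call to a test verdict."""
    if 200 <= status < 300:
        return "created"          # token had write rights: README's claim is contradicted
    if status == 401:
        return "unauthenticated"  # missing/invalid token, not a permission decision
    if status == 403:
        return "denied"           # expected: the token needs an explicit repo scope
    return f"unexpected-{status}"


def post_json(url, headers, body):
    """Real HTTP POST; returns the status code, error statuses included."""
    data = json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_check(token, org, name="token-test-from-script", post=post_json):
    """Run the demo; `post` is injectable so the logic can be exercised offline."""
    url, headers, body = build_create_request(token, name, org)
    return classify(post(url, headers, body))


if __name__ == "__main__":  # live run: needs a real token and org in the environment
    token, org = os.environ.get("HF_TOKEN", ""), os.environ.get("HF_ORG", "")
    if not token or not org:
        raise SystemExit("set HF_TOKEN (fine-grained, no repo scopes) and HF_ORG")
    print(run_check(token, org))  # README expects: denied
```

A verdict of `created` means the token could write after all, so the scope setup in step 3 should be re-checked before drawing any conclusion about resource groups.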
## Expected Result
The request will fail despite your user having access to the model through the resource group. This demonstrates that fine-grained tokens require explicit permissions, regardless of resource group access.