---
license: apache-2.0
---

# Token vs. Resource Group Access Rights Demo

## Purpose
This README explains how to set up a quick test to demonstrate how fine-grained tokens interact with resource group permissions in Hugging Face.

## The Question We're Answering
If a user has access to a model through a resource group, but their fine-grained token doesn't explicitly mention that model, will an API request to write to the model succeed?

## Materials Needed
- Hugging Face account with Enterprise access
- Admin rights to create resource groups
- Permission to create models and tokens

## Setup Steps

### 1. Create a Test Model
1. Go to your Hugging Face profile
2. Click "New Model"
3. Name it "token-test-model" (or similar)

### 2. Create a Resource Group
1. Go to your organization settings
2. Navigate to Resource Groups
3. Create a new resource group named "token-test-group"
4. Add your test model to this resource group
5. Add yourself as a user with write permissions to this resource group

### 3. Create a Fine-Grained Token
1. Go to your profile settings (top right icon on the HF page - NOT your organization settings) > select Access Tokens
2. Click "Create new Token"
3. Select "Fine-grained" as token type
4. Give it a name like "limited-test-token"
5. Important: DO NOT select your test model or check any global repository permissions
6. This token will have only the minimal default access: read access to public repository contents (as the UI notes: "The token will always have read access to all public repos contents").
7. Create the token and save the value shown on the next screen for testing

### 4. Test the Token
1. Use the API Playground (https://huggingface.co/spaces/enzostvs/hub-api-playground)
2. Set up a POST request to `/api/repos/create`
3. Add your fine-grained token (the value you copied) in the Headers / Authorization section
4. In the BODY section, set Type: `model`, Name: `whatever_you_want`, Organization: `name_of_your_org` (the Sdk field can be left as is)
5. Send the request - it should fail with a permission error
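The same check as a script instead of the playground, added here as an example (it is not part of the original README or of Hugging Face's own tooling); the request shape matches what the playground sends to `/api/repos/create`, and the environment variable names `HF_TOKEN` and `HF_ORG` are assumptions of this example.

```python
import json
import os
import urllib.error
import urllib.request

HF_ENDPOINT = "https://huggingface.co"  # Hub API base URL


def build_create_repo_request(token: str, name: str, organization: str) -> dict:
    """Return the method, URL, headers and JSON body the playground sends."""
    return {
        "method": "POST",
        "url": f"{HF_ENDPOINT}/api/repos/create",
        "headers": {"Authorization": f"Bearer {token}",
                    "Content-Type": "application/json"},
        "body": {"type": "model", "name": name,
                 "organization": organization, "private": False},
    }


def interpret_status(status: int) -> str:
    """Map the HTTP status of the create call onto the test's outcomes."""
    if status in (200, 201):
        return "created: the token had write access (not expected here)"
    if status in (401, 403):
        return "denied: the token lacks write permission on the organization"
    return f"unexpected status {status}"


def run_test(token: str, name: str, organization: str) -> tuple:
    """Send the request live; return (status, interpretation). Needs network."""
    req = build_create_repo_request(token, name, organization)
    http_req = urllib.request.Request(
        req["url"], data=json.dumps(req["body"]).encode(),
        headers=req["headers"], method=req["method"])
    try:
        with urllib.request.urlopen(http_req, timeout=30) as resp:
            status = resp.status
    except urllib.error.HTTPError as err:
        status = err.code  # 401/403 here is the expected permission-denied result
    return status, interpret_status(status)


if __name__ == "__main__":
    # HF_TOKEN / HF_ORG are assumed names; nothing is sent unless both are set.
    tok, org = os.environ.get("HF_TOKEN"), os.environ.get("HF_ORG")
    if tok and org:
        print(run_test(tok, "whatever_you_want", org))
```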

## Expected Result
The request will fail despite your user having access to the model through the resource group. This demonstrates that fine-grained tokens require explicit permissions, regardless of resource group access.