title: Plot Digitizer Gateway
emoji: 🛡️
colorFrom: gray
colorTo: blue
sdk: docker
app_port: 7860
pinned: true
short_description: Public proxy for the private plot-digitizer backend

plot-digitizer-gateway

Public entry point for the plot-digitizer MCP.

Forwards authenticated requests to a private backend Space. Callers authenticate with their own Hugging Face read token (Authorization: Bearer <hf_token>); the gateway validates it via whoami-v2, rate-limits per HF username, and forwards to the backend using the gateway's own credentials.

Required secrets

Set in Settings → Variables and secrets:

Key               Type    Value
GATEWAY_HF_TOKEN  Secret  Fine-grained HF token with Read on the backend Space
BACKEND_URL       Secret  e.g. https://jdsan-plot-digitizer.hf.space

Endpoints

GET  /health                  → {"status":"ok","gateway":true}
POST /v1/digitize             → requires Authorization: Bearer <user HF token>

Auth flow

  1. Caller sends Authorization: Bearer <their HF read token>.
  2. Gateway validates via https://huggingface.co/api/whoami-v2 (5-min cache).
  3. Gateway rate-limits per HF username (100/day, 10/min).
  4. Gateway forwards to the private backend with its own GATEWAY_HF_TOKEN (the only thing that unlocks the Space) and X-Forwarded-User: <hf-username> for backend-side attribution and rate-limiting. The caller's token is never forwarded.

The backend Space remains private; only the gateway can reach it.
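
The four auth-flow steps as an added Python sketch (not the gateway's own code). The whoami-v2 call is injected as a hypothetical `whoami(token)` callable so the block runs offline; the `Gateway` class, its method names and the dict-shaped headers are assumptions.

```python
import hashlib
import time
from collections import defaultdict, deque

CACHE_TTL = 300                         # 5-minute whoami cache
LIMITS = ((60, 10), (86400, 100))       # (window seconds, max requests)

class Gateway:
    def __init__(self, gateway_token, whoami, clock=time.time):
        self.gateway_token = gateway_token  # value of GATEWAY_HF_TOKEN
        self.whoami = whoami                # hypothetical: token -> username or None
        self.clock = clock
        self.cache = {}                     # sha256(token) -> (username, expiry)
        self.hits = defaultdict(deque)      # username -> accepted request times

    def _username(self, token):
        key = hashlib.sha256(token.encode()).hexdigest()  # no raw tokens in memory
        hit, now = self.cache.get(key), self.clock()
        if hit and hit[1] > now:
            return hit[0]
        name = self.whoami(token)
        if name:                            # cache only successful validations
            self.cache[key] = (name, now + CACHE_TTL)
        return name

    def _allow(self, user):
        now, q = self.clock(), self.hits[user]
        while q and q[0] <= now - 86400:    # drop entries older than a day
            q.popleft()
        for window, cap in LIMITS:
            if sum(1 for t in q if t > now - window) >= cap:
                return False
        q.append(now)                       # rejected requests are not counted
        return True

    def handle(self, inbound_headers):
        """Return (status, headers to send to the backend, or None)."""
        scheme, _, token = inbound_headers.get("Authorization", "").partition(" ")
        if scheme.lower() != "bearer" or not token.strip():
            return 401, None
        user = self._username(token.strip())
        if not user:
            return 401, None
        if not self._allow(user):
            return 429, None
        # Built from scratch: caller token and client-sent X-Forwarded-User are dropped.
        return 200, {"Authorization": f"Bearer {self.gateway_token}",
                     "X-Forwarded-User": user}
```

Because validations are cached for five minutes, a token revoked on Hugging Face can keep working at the gateway for up to that long.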