docs / getting-started / authentication

Authentication

opentraces publishes to HuggingFace Hub. You need an HF account.

Auth and sync are separate from egress security. What a dataset's rows are allowed to carry before publication is governed by that dataset's manifest policy (opentraces dataset security <name>), distinct from bucket auth and sync.

Browser Login

opentraces auth login

By default, opentraces auth login starts Hugging Face's OAuth device flow in your browser. This is the simplest path on a developer machine and supports the normal dataset workflow.

The CLI requests the scopes it needs to read, create, push, delete, and change visibility on datasets in namespaces you belong to.

When a coding agent is driving setup for you, use a bounded wait so the session does not hang if you cannot complete the browser step:

opentraces auth login --device-timeout 180

If that times out, complete auth outside the agent session with opentraces auth login, opentraces auth login --token, or HF_TOKEN, then verify with opentraces --json auth whoami.

Token Login

opentraces auth login --token

Use a personal access token when you are headless, on CI, or cannot complete the browser flow.

Generate the token at huggingface.co/settings/tokens.

Environment Variable

export HF_TOKEN=hf_...

The CLI checks for HF_TOKEN automatically. Useful in CI pipelines where interactive login isn't available.

Auth Precedence

  1. HF_TOKEN environment variable
  2. Stored credentials from opentraces auth login

Verify

opentraces auth whoami

Shows your authenticated HuggingFace username.

Logout

opentraces auth logout

Clears stored credentials from ~/.opentraces/credentials.