Authentication
opentraces publishes to HuggingFace Hub. You need an HF account.
Auth and sync are separate from egress security. What a dataset's rows are
allowed to carry before publication is governed by that dataset's manifest
policy (opentraces dataset security <name>), distinct from bucket auth and
sync.
Browser Login
opentraces auth login
By default, opentraces auth login starts Hugging Face's OAuth device flow in your browser. This is the simplest path on a developer machine and supports the normal dataset workflow.
The CLI requests the scopes it needs to read, create, push, delete, and change visibility on datasets in namespaces you belong to.
When a coding agent is driving setup for you, use a bounded wait so the session does not hang if you cannot complete the browser step:
opentraces auth login --device-timeout 180
If that times out, complete auth outside the agent session with
opentraces auth login, opentraces auth login --token, or HF_TOKEN, then
verify with opentraces --json auth whoami.
Token Login
opentraces auth login --token
Use a personal access token when you are headless, on CI, or cannot complete the browser flow.
Generate the token at huggingface.co/settings/tokens.
Environment Variable
export HF_TOKEN=hf_...
The CLI checks for HF_TOKEN automatically. Useful in CI pipelines where interactive login isn't available.
Auth Precedence
HF_TOKENenvironment variable- Stored credentials from
opentraces auth login
Verify
opentraces auth whoami
Shows your authenticated HuggingFace username.
Logout
opentraces auth logout
Clears stored credentials from ~/.opentraces/credentials.