providers/huggingface

Built-in Hugging Face integration.

HuggingfaceProfile

Properties

canPay?

optional canPay: boolean;

Whether the user has a payment method set up.

Needs the read-billing scope.

email?

optional email: string;

Needs the ‘email’ scope.

Email address of the user.

email_verified?

optional email_verified: boolean;

Needs the ‘email’ scope.

Whether the user’s email address is verified. Should always be true: Hugging Face requires users to verify their email before they can grant access to OAuth apps.

isPro

isPro: boolean;

Whether the user has a paid subscription.

name?

optional name: string;

Full name of the user.

Needs the ‘profile’ scope.

orgs

orgs: {
  canPay: boolean;
  isEnterprise: boolean;
  missingMFA: boolean;
  name: string;
  pendingSSO: boolean;
  picture: string;
  preferred_username: string;
  resourceGroups: {
     name: string;
     role: "admin" | "write" | "read" | "contributor";
     sub: string;
    }[];
  roleInOrg: "admin" | "write" | "read" | "contributor";
  sub: string;
 }[];

List of the user’s organizations.

canPay?
optional canPay: boolean;

Whether the organization has a payment method set up.

Access to the organization needs to be granted to the OAuth app for this field to be present.

isEnterprise
isEnterprise: boolean;

Whether the organization has a paid enterprise subscription.

missingMFA?
optional missingMFA: boolean;

User needs to enable MFA to access the organization.

Access to the organization needs to be granted to the OAuth app for this field to be present.

name
name: string;

Name of the organization.

pendingSSO?
optional pendingSSO: boolean;

User needs to re-authenticate to access the organization.

Access to the organization needs to be granted to the OAuth app for this field to be present.

picture
picture: string;

URL of the organization’s avatar.

preferred_username
preferred_username: string;

Username of the organization.

resourceGroups?
optional resourceGroups: {
  name: string;
  role: "admin" | "write" | "read" | "contributor";
  sub: string;
 }[];

Resource groups are a feature of enterprise organizations.

They allow granular access control to resources within the organization.

Access to the organization needs to be granted to the OAuth app for this field to be present.

roleInOrg?
optional roleInOrg: "admin" | "write" | "read" | "contributor";

The role of the user in the organization.

Access to the organization needs to be granted to the OAuth app for this field to be present.

sub
sub: string;

Unique identifier for the organization.

picture?

optional picture: string;

URL of the user’s profile picture.

Needs the ‘profile’ scope.

preferred_username?

optional preferred_username: string;

Username of the user.

Needs the ‘profile’ scope.

profile?

optional profile: string;

URL of the user’s avatar.

Needs the ‘profile’ scope.

sub

sub: string;

Unique identifier for the user.

website?

optional website: string;

Needs the ‘profile’ scope.

Website of the user.
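
An added example, not part of the Auth.js documentation or code base: a fail-closed authorization check over the orgs fields documented above, of the kind an application might call from its signIn callback. The local types, the ALLOWED_ROLES policy, the authorizeOrgMember function, and the sample profiles with the placeholder "org-123" are assumptions made for illustration.

```typescript
// Added example: local mirror of the fields documented above, not imported from @auth/core.
type Role = "admin" | "write" | "read" | "contributor";
interface OrgClaim {
  sub: string;
  roleInOrg?: Role;
  missingMFA?: boolean;
  pendingSSO?: boolean;
}
interface ProfileClaims {
  sub: string;
  email_verified?: boolean;
  orgs: OrgClaim[];
}
interface Decision { allow: boolean; reason: string }

// Hypothetical policy: roles allowed to use the org-gated feature.
const ALLOWED_ROLES: Role[] = ["admin", "write"];
const deny = (reason: string): Decision => ({ allow: false, reason });

function authorizeOrgMember(profile: ProfileClaims, requiredOrgSub: string): Decision {
  // Absent email_verified means the email scope was not granted: treat as unverified.
  if (profile.email_verified !== true) return deny("email not verified");
  // Match on sub, the documented unique identifier of the organization.
  let org: OrgClaim | undefined;
  for (const o of profile.orgs || []) if (o.sub === requiredOrgSub) org = o;
  if (!org) return deny("not a member of the required organization");
  // roleInOrg is only present once the OAuth app was granted access to the org.
  // Absent means "unknown", so fail closed instead of assuming a role.
  const role = org.roleInOrg;
  if (role === undefined) return deny("organization access not granted to the OAuth app");
  if (org.missingMFA === true) return deny("user must enable MFA for this organization");
  if (org.pendingSSO === true) return deny("user must re-authenticate to access this organization");
  if (ALLOWED_ROLES.indexOf(role) === -1) return deny("role " + role + " is insufficient");
  return { allow: true, reason: "ok" };
}

// Constructed sample profiles (not real accounts); "org-123" is a placeholder sub.
const SAMPLES: Record<string, ProfileClaims> = {
  writer: { sub: "u1", email_verified: true, orgs: [{ sub: "org-123", roleInOrg: "write" }] },
  noMfa: { sub: "u2", email_verified: true, orgs: [{ sub: "org-123", roleInOrg: "admin", missingMFA: true }] },
  notGranted: { sub: "u3", email_verified: true, orgs: [{ sub: "org-123" }] },
  reader: { sub: "u4", email_verified: true, orgs: [{ sub: "org-123", roleInOrg: "read" }] },
  noEmailScope: { sub: "u5", orgs: [{ sub: "org-123", roleInOrg: "admin" }] },
};

function runSamples(): Record<string, Decision> {
  const out: Record<string, Decision> = {};
  for (const key in SAMPLES) out[key] = authorizeOrgMember(SAMPLES[key], "org-123");
  return out;
}
```

The check treats a present roleInOrg as the signal that org-level fields were released to the app; a stricter policy could additionally require missingMFA and pendingSSO to be explicitly false.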


default()

function default(options): OIDCConfig<HuggingfaceProfile>

Add HuggingFace login to your page.

Setup

Callback URL

https://example.com/api/auth/callback/huggingface

Configuration

import { Auth } from "@auth/core"
import HuggingFace from "@auth/core/providers/huggingface"
 
const request = new Request(origin)
const response = await Auth(request, {
  providers: [
    HuggingFace({
      clientId: HUGGINGFACE_CLIENT_ID,
      clientSecret: HUGGINGFACE_CLIENT_SECRET,
      authorization: {
        params: {
          scope: "openid profile email", // specify the scopes you need
          // orgIds: "unique_org_id" // if your OAuth app needs access to a specific organization of the user
        }
      },
    }),
  ],
})

The following scopes are available:

  • openid: Grants access to the user’s OpenID Connect profile.
  • profile: Grants access to the user’s profile information.
  • email: Grants access to the user’s email address.
  • read-repos: Grants read access to the user’s repositories.
  • write-repos: Grants write access to the user’s repositories.
  • manage-repos: Can create/delete repositories on behalf of the user.
  • write-discussions: Can post on the user’s behalf.
  • read-billing: Know if the user has a payment method set up.
  • inference-api: Can make calls to Inference providers on behalf of the user.
  • webhooks: Can manage webhooks on behalf of the user.

You need to enable them first in your OAuth app settings.

/!\ By default, the profile and email scopes are enabled in NextAuth, so you need to enable the email scope in your OAuth app settings or you will get a scope error.

Notes

By default, Auth.js assumes that the Hugging Face provider is based on the OIDC specification.

The HuggingFace provider comes with a default configuration. To override the defaults for your use case, check out customizing a built-in OAuth provider.

Disclaimer: If you think you have found a bug in the default configuration, you can open an issue.

Auth.js strictly adheres to the specification and it cannot take responsibility for any deviation from the spec by the provider. You can open an issue, but if the problem is non-compliance with the spec, we might not pursue a resolution. You can ask for more help in Discussions.

Parameters

Parameter   Type
options     OIDCUserConfig<HuggingfaceProfile>

Returns

OIDCConfig<HuggingfaceProfile>

Auth.js © Balázs Orbán and Team - 2025