Because we are committed to improving the security of our services, we are making changes to the way you authenticate when interacting with the Hugging Face Hub through Git. Starting from October 1st, 2023, we will no longer accept passwords as a way to authenticate your command-line Git operations. Instead, we recommend using more secure authentication methods, such as replacing the password with a personal access token or using an SSH key.
In recent months, we have implemented various security enhancements, including sign-in alerts and support for SSH keys in Git. However, users have still been able to authenticate Git operations using their username and password. To further improve security, we are now transitioning to token-based or SSH key authentication. Token-based and SSH key authentication offer several advantages over traditional password authentication, including unique, revocable, and random features that enhance security and control.
If you currently use your HF account password to authenticate with Git, please switch to using a personal access token or SSH keys before October 1st, 2023.
You will need to generate an access token for your account; you can follow https://huggingface.co/docs/hub/security-tokens#user-access-tokens to generate one.
After generating your access token, you can update your Git repository using the following commands:
$: git remote set-url origin https://<user_name>:<token>@huggingface.co/<repo_path> $: git pull origin
<repo_path> is in the form of:
If you clone a new repo, you can just input a token in place of your password when your Git credential manager asks you for your authentication credentials.
Follow our guide to generate an SSH key and add it to your account: https://huggingface.co/docs/hub/security-git-ssh
Then you'll be able to update your Git repository using:
$: git remote set-url origin email@example.com:<repo_path> # see above for the format of the repo path
Here's what you can expect in the coming weeks:
- Today: Users relying on passwords for Git authentication may receive emails urging them to update their authentication method.
- October 1st: Personal access tokens or SSH keys will be mandatory for all Git operations.
For more details, reach out to HF Support to address any questions or concerns at firstname.lastname@example.org