This page demonstrates how to integrate HuggingFace OAuth authentication in your Shinmun blog, allowing visitors to sign in with their HuggingFace account and run AI inference directly in the browser.
Try the HuggingFace OAuth login below. Once signed in, you can use your HuggingFace token to run inference:
HuggingFace provides OAuth 2.0 authentication that allows third-party applications to authenticate users and access HuggingFace services on their behalf. This is perfect for:
The demo uses the Proof Key for Code Exchange (PKCE) flow, which is secure for client-side applications:
┌─────────┐ ┌──────────────┐
│ User │ │ HuggingFace │
└────┬────┘ └──────┬───────┘
│ │
│ 1. Click "Sign in with HuggingFace" │
│ ────────────────────────────────────────────────>│
│ │
│ 2. HF shows consent screen │
│ <────────────────────────────────────────────────│
│ │
│ 3. User approves, redirected back with code │
│ ────────────────────────────────────────────────>│
│ │
│ 4. Exchange code for access token │
│ <────────────────────────────────────────────────│
│ │
│ 5. Use token for HF Inference API │
│ ────────────────────────────────────────────────>│
│ │
│ 6. Get AI response │
│ <────────────────────────────────────────────────│
sessionStorage (cleared when browser closes)localStorageOnce authenticated, users can call the HuggingFace Inference API directly from the browser using their OAuth token.
https://yourblog.com/hf-oauth-demo)openid profile inference-apiAdd the OAuth Client ID to your config.yml under the variables section:
# config.yml
variables:
HF_OAUTH_CLIENT_ID: "your-client-id-here"
HF_INFERENCE_MODEL: "google/gemma-2-2b-it" # optional, customize the model
These variables are automatically injected as window.* JavaScript variables via the <%= variables_script_tag %> helper in your layout template.
Reference the component in your markdown page:
@@typescript-file[hf-oauth-demo](public/apps/hf-oauth-demo.tsx)
You can easily change the model by setting HF_INFERENCE_MODEL in your config.yml:
variables:
HF_OAUTH_CLIENT_ID: "your-client-id"
HF_INFERENCE_MODEL: "meta-llama/Llama-3.2-1B-Instruct"
Alternatively, edit hf-oauth-demo.tsx and update the DEFAULT_MODEL constant.
Available scopes include:
openid - Required for OAuthprofile - Access to user profile informationemail - Access to user emailinference-api - Access to HuggingFace Inference APIread-repos - Read access to user’s repositoriesUpdate the scope in the component:
const HF_OAUTH_SCOPES = 'openid profile inference-api email';
OAuth tokens have an expiration time (typically 1 hour). The demo checks expiration and requires re-authentication when expired.
generateOAuthLoginUrl()Generates the HuggingFace OAuth login URL with PKCE parameters.
const loginUrl = await generateOAuthLoginUrl();
window.location.href = loginUrl;
handleOAuthRedirect()Handles the OAuth callback, exchanges the authorization code for an access token.
const result = await handleOAuthRedirect();
if (result) {
console.log('Logged in as:', result.userInfo.name);
console.log('Token:', result.accessToken);
}
loadSavedOAuthResult()Loads a previously saved OAuth result from session storage.
const saved = loadSavedOAuthResult();
if (saved && saved.accessTokenExpiresAt > new Date()) {
// Still valid
}
interface OAuthResult {
accessToken: string;
accessTokenExpiresAt: Date;
userInfo: UserInfo;
}
interface UserInfo {
sub: string; // Unique user ID
name: string; // Display name
preferred_username: string; // Username
picture: string; // Avatar URL
email?: string; // Email (if scope granted)
}
Make sure you’ve set window.HF_OAUTH_CLIENT_ID before the component loads.
Ensure the redirect URL in your HuggingFace application settings matches your page URL exactly.
OAuth tokens expire after ~1 hour. Users will need to sign in again.
The HuggingFace API supports CORS for browser requests. If you see CORS errors, ensure you’re using the correct endpoints.