Missing `roleInOrg` in `whoami-v2` response for OAuth-based tokens

Context:
In my app, I want to allow users from a Hugging Face organization to log in using OAuth.

Based on their role in the org (e.g., admin vs write), I would like to show different UI options and features — such as admin-only dashboards.

I’m using OAuth authentication and successfully obtaining an access_token using the standard OAuth flow.

Issue:

When using the token to call:

GET https://huggingface.co/api/whoami-v2
Authorization: Bearer <access_token>

…the response does not include the roleInOrg field in the organization object(s), even though this field is available when:

  • The same endpoint is accessed via browser (session cookie)
  • Or using a personal access token with whoami() from huggingface_hub

This results in an inability to determine whether the authenticated user is an admin, making fine-grained role-based access control (RBAC) within Spaces impossible.

Ask:
Is there a safe workaround to access the roleInOrg field when allowing users from a Hugging Face organization to log in using OAuth?


, even though this field is available when:

  • Or using a personal access token with whoami() from huggingface_hub

I don’t understand why this implementation causes that phenomenon…

It appears that the roleInOrg field is missing in the whoami response for tokens obtained via OAuth, as the token returned is at the Org level.

Analysis:

import requests

token_url = "https://huggingface.co/oauth/token"
payload = {
    "grant_type": "authorization_code",
    "code": code,  # authorization code returned to HF_REDIRECT_URI
    "client_id": HF_CLIENT_ID,
    "client_secret": HF_CLIENT_SECRET,
    "redirect_uri": HF_REDIRECT_URI,
}
# Exchange the authorization code for an access token
response = requests.post(token_url, data=payload)
if response.status_code == 200:
    access_token = response.json().get("access_token")

The access token obtained via OAuth returned by the above block of code is at Org level (see the error log output at the end of this post),

which, when passed to whoami from huggingface_hub,
is still missing the roleInOrg item, i.e. the result is the same as calling

GET https://huggingface.co/api/whoami-v2
Authorization: Bearer <access_token>

But when attempting to pass this token obtained via OAuth to login from huggingface_hub

login(token=access_token)

throws this error, which highlights that the access token obtained via OAuth is at Org level.

/usr/local/lib/python3.10/site-packages/huggingface_hub/_login.py:405 in _login
402 │ │ raise ValueError("You must use your personal account token, not an org
403 │
404 │ token_info = whoami(token)
❱ 405 │ permission = token_info["auth"]["accessToken"]["role"]
406 │ logger.info(f"Token is valid (permission: {permission}).")
407 │
408 │ token_name = token_info["auth"]["accessToken"]["displayName"]

Need Help:
Am I missing something here? I would like to hear from the experts here on how to get the roleInOrg field in the whoami response for tokens obtained via OAuth.

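An added example (not code from the thread or from huggingface_hub) showing how a Space can consume the whoami-v2 response so that a missing roleInOrg fails closed: membership is still derived from the orgs list, but admin-only features are granted only when the role is explicitly present. The key names orgs, name and roleInOrg, the two sample responses and the HF_TOKEN environment variable are assumptions for the demo.

```python
import json
import os
import urllib.request

WHOAMI_URL = "https://huggingface.co/api/whoami-v2"

# Constructed sample responses mirroring the two shapes described in the thread
# (key names orgs/name/roleInOrg are assumed from the whoami-v2 payload).
PAT_RESPONSE = {"name": "alice", "orgs": [{"name": "acme", "roleInOrg": "admin"}]}
OAUTH_RESPONSE = {"name": "alice", "orgs": [{"name": "acme"}]}  # roleInOrg absent


def org_role(whoami: dict, org: str):
    """Return the caller's role in `org`, or None when the response cannot prove it."""
    for entry in whoami.get("orgs", []):
        if entry.get("name") == org:
            return entry.get("roleInOrg")  # None for OAuth tokens, per the thread
    return None


def is_org_member(whoami: dict, org: str) -> bool:
    """Membership only needs the org to be listed; no role is required."""
    return any(entry.get("name") == org for entry in whoami.get("orgs", []))


def is_org_admin(whoami: dict, org: str) -> bool:
    """Fail closed: an explicit 'admin' role is the only thing that unlocks admin UI."""
    return org_role(whoami, org) == "admin"


def fetch_whoami(token: str) -> dict:
    """Call whoami-v2 with a bearer token (needs network; not used by the tests)."""
    req = urllib.request.Request(WHOAMI_URL, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    token = os.environ.get("HF_TOKEN")  # assumed env var holding an access token
    me = fetch_whoami(token) if token else OAUTH_RESPONSE
    print(me["name"], "member:", is_org_member(me, "acme"), "admin:", is_org_admin(me, "acme"))
```

With an OAuth token the demo prints member True / admin False, which is the safe default until the server exposes roleInOrg for such tokens.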

Only someone who knows the internal implementation of the server would understand this… @pierric @meganariley