Docs/oauth token exchange (#2201)

Charlie-Boyer · web-flow · commit 6f196f3db59a · 2026-02-06T16:47:41.000+01:00
diff --git a/docs/hub/_toctree.yml b/docs/hub/_toctree.yml
@@ -515,4 +515,4 @@
   - local: api
     title: Hub API Endpoints
   - local: oauth
-    title: Sign-In with HF (OAuth)
+    title: OAuth / Sign in with HF
diff --git a/docs/hub/enterprise-tokens-management.md b/docs/hub/enterprise-tokens-management.md
@@ -53,3 +53,7 @@ When a token is revoked or denied, the user who created the token receives an em
     <img class="block dark:hidden" src="https://huggingface.co/datasets/huggingface/documentation-images/resolve/main/hub/tokens-management-review.png" />
     <img class="hidden dark:block" src="https://huggingface.co/datasets/huggingface/documentation-images/resolve/main/hub/tokens-management-review.png" />
 </div>
+
+## Programmatic Token Issuance
+
+For organizations that need to programmatically issue access tokens for their members (e.g., for internal platforms, CI/CD pipelines, or custom integrations), see [OAuth Token Exchange](./oauth#token-exchange-for-organizations-rfc-8693). This Enterprise plan feature allows your backend services to issue scoped tokens for organization members without requiring interactive user consent.
diff --git a/docs/hub/enterprise.md b/docs/hub/enterprise.md
@@ -75,6 +75,7 @@ Team & Enterprise organization plans add advanced capabilities to organizations,
 | [SSO to private org](./enterprise-sso)             |  ❌  | ✅ Basic SSO | ✅ Basic SSO | ✅ Advanced SSO |
 | [SSO to public Hub](./enterprise-advanced-sso) |  ❌  |      ❌      |      ❌      |       ✅        |
 | [Enforce 2FA](./enterprise-advanced-security)  |  ❌  |      ✅      |      ✅      |       ✅        |
+| [OAuth Token Exchange](./oauth#token-exchange-for-organizations-rfc-8693) |  ❌  |      ❌      |      ✅      |       ✅        |
 | Disable personal public repos for users            |  ❌  |      ❌      |      ❌      |       ✅        |
 | Disable joining other orgs for users               |  ❌  |      ❌      |      ❌      |       ✅        |
 | Disable PRO subscription                           |  ❌  |      ❌      |      ❌      |       ✅        |
@@ -140,6 +141,7 @@ In the following sections we will document the following Team & Enterprise featu
 - [Advanced Compute Options](./advanced-compute-options)
 - [Advanced Security](./enterprise-advanced-security)
 - [Tokens Management](./enterprise-tokens-management)
+- [OAuth Token Exchange](./oauth#token-exchange-for-organizations-rfc-8693)
 - [Publisher Analytics](./enterprise-analytics)
 - [Gating Group Collections](./enterprise-gating-group-collections)
 - [Network Security](./enterprise-network-security)
diff --git a/docs/hub/oauth.md b/docs/hub/oauth.md
@@ -89,3 +89,150 @@ Check out [our badges](https://huggingface.co/datasets/huggingface/badges#sign-i
 
 [![Sign in with Hugging Face](https://huggingface.co/datasets/huggingface/badges/resolve/main/sign-in-with-huggingface-xl.svg)](https://huggingface.co/oauth/authorize?client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&scope=openid%20profile&state=STATE)
 [![Sign in with Hugging Face](https://huggingface.co/datasets/huggingface/badges/resolve/main/sign-in-with-huggingface-xl-dark.svg)](https://huggingface.co/oauth/authorize?client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&scope=openid%20profile&state=STATE)
+
+## Token Exchange for Organizations (RFC 8693)
+
+> [!WARNING]
+> This feature is part of the <a href="https://huggingface.co/enterprise" target="_blank">Enterprise</a> plan.
+
+Token Exchange allows organizations to programmatically issue access tokens for their members without requiring interactive user consent. This is particularly useful for building internal tools, automation pipelines, and enterprise integrations that need to access Hugging Face resources on behalf of organization members.
+
+This feature implements [RFC 8693 - OAuth 2.0 Token Exchange](https://www.rfc-editor.org/rfc/rfc8693.html), a standard protocol for token exchange scenarios.
+
+### Use cases
+
+Token Exchange is designed for scenarios where your organization needs to:
+
+- **Build internal platforms**: Create dashboards or portals that access Hugging Face resources on behalf of your team members, without requiring each user to manually authenticate.
+- **Automate CI/CD pipelines**: Issue short-lived, scoped tokens for automated workflows that need to push models or datasets to organization repositories.
+- **Integrate with enterprise identity systems**: Bridge your existing identity provider with Hugging Face by issuing tokens based on your internal user directory.
+- **Implement custom access controls**: Build middleware that issues tokens with specific scopes based on your organization's internal policies.
+
+### How it works
+
+1. Your organization has an OAuth application bound to your organization with the `token-exchange` privilege.
+2. Your backend service authenticates with this OAuth app using client credentials.
+3. Your service requests an access token for a specific organization member (identified by email).
+4. Hugging Face verifies the user is a member of your organization and issues a scoped token.
+5. The issued token can only access resources within your organization's scope.
+
+### Prerequisites
+
+To use Token Exchange, you need an organization-bound OAuth application with the `token-exchange` privilege. Contact Hugging Face support to set up an eligible OAuth app for your organization.
+
+Once configured, you will receive:
+- A **Client ID** (e.g., `a1b2c3d4-e5f6-7890-abcd-ef1234567890`)
+- A **Client Secret** (keep this secure!)
+
+> [!WARNING]
+> Organization administrators can manage the OAuth app after creation, including refreshing the client secret and configuring the token duration.
+
+### Authentication
+
+Token Exchange uses HTTP Basic Authentication with your OAuth app credentials. Create the authorization header by Base64-encoding your `client_id:client_secret`:
+
+```bash
+# Create the authorization header
+export CLIENT_ID="your-client-id"
+export CLIENT_SECRET="your-client-secret"
+export AUTH_HEADER=$(echo -n "${CLIENT_ID}:${CLIENT_SECRET}" | base64)
+```
+
+### Issuing tokens by email
+
+To issue an access token for an organization member using their email address:
+
+```bash
+curl -X POST "https://huggingface.co/oauth/token" \
+  -H "Content-Type: application/x-www-form-urlencoded" \
+  -H "Authorization: Basic ${AUTH_HEADER}" \
+  -d "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
+  -d "subject_token=user@yourorg.com" \
+  -d "subject_token_type=urn:huggingface:token-type:user-email"
+```
+
+### Response
+
+A successful request returns an access token:
+
+```json
+{
+  "access_token": "hf_oauth_...",
+  "token_type": "bearer",
+  "expires_in": 28800,
+  "scope": "openid profile email read-repos",
+  "id_token": "eyJhbGciOiJS...",
+  "issued_token_type": "urn:ietf:params:oauth:token-type:access_token"
+}
+```
+
+The `id_token` field is included when the `openid` scope is requested.
+
+You can then use this token to make API requests on behalf of the user:
+
+```bash
+curl "https://huggingface.co/api/whoami-v2" \
+  -H "Authorization: Bearer ${ACCESS_TOKEN}"
+```
+
+### Scope control
+
+By default, issued tokens inherit all scopes configured on the OAuth app. You can request specific scopes by adding the `scope` parameter. See [Currently supported scopes](#currently-supported-scopes) for available values.
+
+The token's effective permissions are limited both by the requested scope and by the user's role within the organization.
+
+```bash
+curl -X POST "https://huggingface.co/oauth/token" \
+  -H "Content-Type: application/x-www-form-urlencoded" \
+  -H "Authorization: Basic ${AUTH_HEADER}" \
+  -d "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
+  -d "subject_token=user@yourorg.com" \
+  -d "subject_token_type=urn:huggingface:token-type:user-email" \
+  -d "scope=openid profile"
+```
+
+> [!TIP]
+> Follow the principle of least privilege: request only the scopes your application actually needs.
+
+### Security considerations
+
+Tokens issued via Token Exchange have built-in security restrictions:
+
+- **Organization-scoped**: Tokens can only access resources within your organization (models, datasets, Spaces owned by the org).
+- **No personal access**: Tokens cannot access the user's personal private repositories or resources from other organizations.
+- **Short-lived**: Tokens expire after 8 hours by default. Organization administrators can configure the token duration (up to 30 days) in the OAuth app settings. No refresh tokens are provided.
+- **Auditable**: All token exchanges are logged and visible in your organization's [audit logs](./audit-logs).
+
+> [!WARNING]
+> Protect your OAuth app credentials carefully. Anyone with access to your client secret can issue tokens for any member of your organization.
+
+### Error responses
+
+| Error | Description |
+|-------|-------------|
+| `invalid_client` | Client is not authorized to use token exchange, or the app is not bound to an organization |
+| `invalid_grant` | User not found in the bound organization |
+| `invalid_scope` | Requested scope is not valid |
+
+### Reference
+
+**Grant type:**
+```
+urn:ietf:params:oauth:grant-type:token-exchange
+```
+
+**Request parameter (`subject_token_type`):**
+
+| Value | Description |
+|-------|-------------|
+| `urn:huggingface:token-type:user-email` | Identify the user by their email address |
+
+**Response field (`issued_token_type`):**
+
+| Value | Description |
+|-------|-------------|
+| `urn:ietf:params:oauth:token-type:access_token` | Indicates an access token was issued |
+
+**Related documentation:**
+- [RFC 8693 - OAuth 2.0 Token Exchange](https://www.rfc-editor.org/rfc/rfc8693.html)
+- [Audit Logs](./audit-logs)
diff --git a/docs/hub/security-tokens.md b/docs/hub/security-tokens.md
@@ -76,3 +76,7 @@ We recommend you create one access token per app or usage. For instance, you cou
 We also recommend using only fine-grained tokens for production usage. The impact, if leaked, will be reduced, and they can be shared among your organization without impacting your account.
 
 For example, if your production application needs read access to a gated model, a member of your organization can request access to the model and then create a fine-grained token with read access to that model. This token can then be used in your production application without giving it access to all your private models.
+
+### For Enterprise organizations
+
+If your organization needs to programmatically issue tokens for members without requiring each user to create their own token, see [OAuth Token Exchange](./oauth#token-exchange-for-organizations-rfc-8693). This Enterprise plan feature is ideal for building internal platforms, CI/CD pipelines, or custom integrations that need to access Hugging Face resources on behalf of organization members.
