How do I Find the Owner of a Hugging Face API Key?

tl;dr To identify the owner of a Hugging Face API key, run trufflehog analyze huggingface for automated ownership detection, or manually query the Hugging Face API endpoint /api/whoami-v2 with the key.

Leaked Hugging Face API keys can grant access to private AI models, datasets, and other resources. If you find one, your first step should be determining who owns it.

Identifying the Owner Using TruffleHog

Manually checking API keys is inefficient, especially at scale. TruffleHog automates the process.

Run the following command:

trufflehog analyze huggingface

You'll be prompted to enter the API key.

What Happens Behind the Scenes?

  • TruffleHog authenticates using the provided Hugging Face API key.

  • It queries the /api/whoami-v2 endpoint.

  • The tool extracts and outputs details about the key’s owner (username, token name, token type, and associated organizations).

Why Use TruffleHog?

Automates ownership detection – No need to manually configure API requests.
Scalable – Works across multiple keys and repositories.
Immediate context – Quickly identifies key owners for faster incident response.
Permission analysis – Helps determine what the key can access.

Querying Hugging Face Manually (Alternative Method)

If you prefer a manual approach, use the following API request:

curl -H "Authorization: Bearer <HUGGINGFACE_API_KEY>" https://huggingface.co/api/whoami-v2

A successful response will include details like:

{
  "name": "johndoe",
  "orgs": [
    {
      "name": "example-org",
      "role": "admin"
    }
  ]
}

Key fields to look for:

  • name – The username of the API key owner.

  • orgs – Lists any organizations the user belongs to, providing additional context.
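The following script is an added example (not TruffleHog's code and not from the original post) that performs the same /api/whoami-v2 request as the curl command above and reduces the response to the attribution details an incident responder needs: owner, organizations, and, where present, the token's name and role. The name and orgs fields come from the sample response on this page; the auth.accessToken.displayName and auth.accessToken.role paths are an assumption about the fuller response and are reported as None when absent. The sample response at the bottom is constructed for offline use; set the HF_TOKEN environment variable (an assumed variable name) to run the live query instead. A 401 from the endpoint means the token is invalid or has already been revoked, which is itself useful triage information.

```python
"""Attribute a Hugging Face token via /api/whoami-v2 and summarise the result for a ticket."""
import json
import os
import urllib.error
import urllib.request
from typing import Any

WHOAMI_URL = "https://huggingface.co/api/whoami-v2"


def fetch_whoami(api_key: str, url: str = WHOAMI_URL, timeout: int = 10) -> dict[str, Any]:
    """Same request as `curl -H "Authorization: Bearer <key>" .../api/whoami-v2`.

    Returns the parsed JSON body. A 401 (invalid or already-revoked token) is
    returned as {"error": "unauthorized"} so the caller can record that outcome.
    """
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {api_key}"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        if exc.code == 401:
            return {"error": "unauthorized"}
        raise


def summarize_whoami(payload: dict[str, Any]) -> dict[str, Any]:
    """Extract owner, organizations and (assumed) token metadata from a whoami-v2 response.

    `name` and `orgs` match the page's sample response. The `auth.accessToken`
    fields are an assumption about the fuller response; they are None when absent.
    """
    token = (payload.get("auth") or {}).get("accessToken") or {}
    return {
        "owner": payload.get("name"),
        "account_type": payload.get("type"),
        "orgs": [
            {"name": org.get("name"), "role": org.get("role")}
            for org in (payload.get("orgs") or [])
        ],
        "token_name": token.get("displayName"),
        "token_role": token.get("role"),
        "error": payload.get("error"),
    }


def triage_lines(summary: dict[str, Any]) -> list[str]:
    """Human-readable lines for an incident ticket: whom to alert and what the key reaches."""
    if summary["error"]:
        return [f"Lookup failed: {summary['error']} (token invalid or already revoked)"]
    lines = [f"Owner to notify: {summary['owner'] or 'unknown'}"]
    if summary["token_name"] or summary["token_role"]:
        lines.append(
            f"Token: {summary['token_name'] or '?'} (role: {summary['token_role'] or '?'})"
        )
    if summary["orgs"]:
        orgs = ", ".join(f"{o['name']} ({o['role']})" for o in summary["orgs"])
        lines.append(f"Organizations in scope: {orgs}")
    else:
        lines.append("Organizations in scope: none")
    return lines


# Constructed sample response: the page's example plus assumed token fields.
SAMPLE_RESPONSE: dict[str, Any] = {
    "type": "user",
    "name": "johndoe",
    "orgs": [{"name": "example-org", "role": "admin"}],
    "auth": {"type": "access_token", "accessToken": {"displayName": "ci-deploy", "role": "write"}},
}

if __name__ == "__main__":
    key = os.environ.get("HF_TOKEN")  # assumed variable name; falls back to the sample
    payload = fetch_whoami(key) if key else SAMPLE_RESPONSE
    for line in triage_lines(summarize_whoami(payload)):
        print(line)
```

The summary keeps every field optional so the same code handles a minimal response like the one on the page, a fuller response with token metadata, and a failed lookup, without crashing mid-triage.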

Why This Matters

Exposed Hugging Face API keys can lead to unauthorized access to private AI models, datasets, and pipelines. To mitigate risks:

🔹 Immediately rotate the exposed key.
🔹 Alert the owner about the leaked key.
🔹 Audit access logs to check for unauthorized use.

TruffleHog simplifies the process of detecting, attributing, and securing exposed Hugging Face API keys.

For more on TruffleHog's capabilities, visit the TruffleHog GitHub repository.