Learn how AI coding assistants can introduce security risks—register for the webinar

TRUFFLEHOG

CUSTOMERS

COMPANY

RESOURCES

LOG IN

Get Started

How do I Find the Owner of a Hugging Face API Key?

Tutorials - Secrets analysis

tl;dr To identify the owner of a Hugging Face API key, you can run the command trufflehog analyze huggingface for automated ownership detection. Or you can manually query the HuggingFace API endpoint /api/whoami-v2.

Leaked Hugging Face API keys can grant access to private AI models, datasets, and other resources. If you find one, your first step should be determining who owns it.

Identifying the Owner Using TruffleHog

Manually checking API keys is inefficient, especially at scale. TruffleHog automates the process.

Run the following command:

trufflehog analyze huggingface

You'll be prompted to enter the API key.

What Happens Behind the Scenes?

  • TruffleHog authenticates using the provided Hugging Face API key.

  • It queries the /api/whoami-v2 endpoint.

  • The tool extracts and outputs details about the key’s owner (username, token name, token type, and associated organizations).

Why Use TruffleHog?

Automates ownership detection – No need to manually configure API requests.
Scalable – Works across multiple keys and repositories.
Immediate context – Quickly identifies key owners for faster incident response.
Permission analysis – Helps determine what the key can access.

Querying Hugging Face Manually (Alternative Method)

If you prefer a manual approach, use the following API request:

curl -H "Authorization: Bearer <HUGGINGFACE_API_KEY>" https://huggingface.co/api/whoami-v2

A successful response will include details like:

{
  "name": "johndoe",
  "orgs": [
    {
      "name": "example-org",
      "role": "admin"
    }
  ]
}

Key fields to look for:

  • name – The username of the API key owner.

  • orgs – Lists any organizations the user belongs to, providing additional context.

Why This Matters

Exposed Hugging Face API keys can lead to unauthorized access to private AI models, datasets, and pipelines. To mitigate risks:

🔹 Immediately rotate the exposed key.
🔹 Alert the owner about the leaked key.
🔹 Audit access logs to check for unauthorized use.

TruffleHog simplifies the process of detecting, attributing, and securing exposed Hugging Face API keys.

For more on TruffleHog's capabilities, visit the TruffleHog GitHub repository.

STAY STRONG

DIG DEEP

TRUFFLEHOG

Open-source

Enterprise

Analyze

NEW!

Forager

Security

Integrations

Pricing

CUSTOMERS

COMPANY

About

Careers

Press

FAQ

Contact us

RESOURCES

Blog

Newsletter

Content library

Events

Videos

GitHub

Enterprise docs

Open-source docs

How to rotate

Brand assets

NEW!

DOING IT THE RIGHT WAY

SINCE 2021

#trufflehog-community

#Secret Scanning

© 2025 Truffle Security Co.

Privacy policy

Terms and conditions

Data processing agreement

Acceptable use policy