HuggingFace Enterprise Security & Compliance (7.2).
Covers:
- Audit logs — track all actions on your organization's resources
- Role-based access control (RBAC) — member roles and permissions
- SSO/SAML — single sign-on configuration
- API token management — create, list, revoke tokens
- Repository access control — fine-grained repo permissions
Enterprise feature: Most functions require an Enterprise or Team Hub subscription.
See: https://huggingface.co/docs/hub/enterprise-hub
Example
# Get audit log for your organization
{:ok, logs} = HuggingfaceClient.Enterprise.audit_logs("my-enterprise-org",
limit: 100, access_token: token)
logs |> Enum.each(fn entry ->
IO.puts("#{entry["user"]} — #{entry["action"]} — #{entry["timestamp"]}")
end)Summary
Functions
Returns the audit log for an organization.
Creates a new API token for the authenticated user.
Gets SSO configuration for an organization.
Checks if the authenticated user has at least the specified role in an org.
Lists API tokens for the authenticated user.
Returns the current user's role in an organization.
Revokes an API token.
Moves a repo to a private or internal state (Enterprise feature).
Sets the visibility of a repository (public/private).
Streams all audit log entries, following pagination automatically.
Updates SSO/SAML configuration for an organization.
Functions
@spec audit_logs( String.t(), keyword() ) :: {:ok, [map()]} | {:error, Exception.t()}
Returns the audit log for an organization.
Audit logs record all significant actions taken by organization members, including repo creation/deletion, permission changes, and API access.
Enterprise feature: Requires an Enterprise Hub subscription.
Options
:limit— max entries to return (default: 100):offset— pagination offset:user— filter by username:action— filter by action type (e.g."repo.create","member.invite"):resource_type— filter by resource type:"model","dataset","space","bucket":start_date— ISO8601 start date:end_date— ISO8601 end date:access_token
Action types
"repo.create"— repository created"repo.delete"— repository deleted"repo.update"— repository settings changed"repo.visibility"— visibility changed"member.invite"— member invited"member.remove"— member removed"member.role_change"— member role changed"token.create"— API token created"token.revoke"— API token revoked"access_request.accept"— gated repo request accepted"access_request.reject"— gated repo request rejected
Example
{:ok, logs} = HuggingfaceClient.audit_logs("my-org",
limit: 50, action: "member.invite", access_token: token)@spec create_token(keyword()) :: {:ok, map()} | {:error, Exception.t()}
Creates a new API token for the authenticated user.
Options
:name— token name (required):role—"read"|"write"|"admin"(default:"read"):expires_at— ISO8601 expiry date (optional):access_token
Example
{:ok, new_token} = HuggingfaceClient.create_token(
name: "ci-token", role: "read", access_token: token
)
IO.puts("Token: #{new_token["token"]}")@spec get_sso_config( String.t(), keyword() ) :: {:ok, map()} | {:error, Exception.t()}
Gets SSO configuration for an organization.
Enterprise feature: Requires Enterprise Hub subscription with SSO enabled.
Example
{:ok, sso} = HuggingfaceClient.get_sso_config("my-enterprise-org", access_token: token)
IO.puts("Provider: #{sso["provider"]}")
IO.puts("Enabled: #{sso["enabled"]}")Checks if the authenticated user has at least the specified role in an org.
Roles (from lowest to highest): "read", "write", "admin".
Example
true = HuggingfaceClient.has_org_role?("my-org", "write", access_token: token)@spec list_tokens(keyword()) :: {:ok, [map()]} | {:error, Exception.t()}
Lists API tokens for the authenticated user.
Example
{:ok, tokens} = HuggingfaceClient.list_tokens(access_token: token)
Enum.each(tokens, fn t ->
IO.puts("#{t["name"]}: #{t["role"]} — last used: #{t["last_used"]}")
end)@spec my_org_role( String.t(), keyword() ) :: {:ok, String.t() | nil} | {:error, Exception.t()}
Returns the current user's role in an organization.
Example
{:ok, role} = HuggingfaceClient.my_org_role("huggingface", access_token: token)
# "admin" | "write" | "read" | "contributor" | nil (not a member)@spec revoke_token(keyword()) :: :ok | {:error, Exception.t()}
Revokes an API token.
Options
:token_name— name of the token to revoke (required):access_token
@spec set_repo_internal_visibility( String.t(), keyword() ) :: :ok | {:error, Exception.t()}
Moves a repo to a private or internal state (Enterprise feature).
Internal repos are accessible to all org members but not the public.
Options
:visibility—"public","private","internal"(required):access_token
@spec set_repo_visibility( String.t(), keyword() ) :: :ok | {:error, Exception.t()}
Sets the visibility of a repository (public/private).
This is a convenience wrapper around update_repo_settings/2.
Example
:ok = HuggingfaceClient.set_repo_visibility("my-org/my-model",
private: true, access_token: token)@spec stream_audit_logs( String.t(), keyword() ) :: Enumerable.t()
Streams all audit log entries, following pagination automatically.
Returns a lazy Stream of audit log entries.
Example
result = HuggingfaceClient.stream_audit_logs("my-org", access_token: token)
|> Stream.filter(fn e -> e["action"] == "repo.delete" end)
|> Enum.take(20)
|> Enum.each(fn e -> IO.puts("#{e["user"]} deleted #{e["resource"]}") end)@spec update_sso_config( String.t(), keyword() ) :: {:ok, map()} | {:error, Exception.t()}
Updates SSO/SAML configuration for an organization.
Enterprise feature: Requires Enterprise Hub subscription.
Options
:provider—"saml"|"oidc"(required):enabled— enable or disable SSO:sso_url— SAML SSO URL or OIDC issuer:certificate— SAML certificate (for SAML provider):client_id— OIDC client ID:client_secret— OIDC client secret:access_token