For using private/gated models, we should add functionality to pass the HF_TOKEN from the client side as well. Currently Transformer.js only provides ways to access private/gated models from the node js servers only i.e. backend (check here). But there are relevant use cases where passing the HF_TOKEN from the Frontend also makes sense.
Motivation
Usecases
One usecase I can think of is when the application developer wants the user to enter their own HF_TOKEN from the Frontend to access the model and use the application locally in their browser. This a a valid usecase that is being implemented in many AI applications coming up that expect the user to input the API key to use the application.
Security Considerations
I understand that it is a dangerous feature as it makes it possible for a developer to expose their token to the web. But I think not having functionality to support this is not the optimum way to handle the situation, instead, we should add an explicit warning regarding the pitfalls of accidentally exposing the token.
Your contribution
I can work on this, but I'm not very confident as I haven't gone through the codebase. But happy to have a stab at it if okay with maintainers.
Feature request
For using private/gated models, we should add functionality to pass the
HF_TOKENfrom the client side as well. CurrentlyTransformer.jsonly provides ways to access private/gated models from the node js servers only i.e. backend (check here). But there are relevant use cases where passing theHF_TOKENfrom the Frontend also makes sense.Motivation
Usecases
One usecase I can think of is when the application developer wants the user to enter their own
HF_TOKENfrom the Frontend to access the model and use the application locally in their browser. This a a valid usecase that is being implemented in many AI applications coming up that expect the user to input theAPI keyto use the application.Security Considerations
I understand that it is a dangerous feature as it makes it possible for a developer to expose their token to the web. But I think not having functionality to support this is not the optimum way to handle the situation, instead, we should add an explicit warning regarding the pitfalls of accidentally exposing the token.
Your contribution
I can work on this, but I'm not very confident as I haven't gone through the codebase. But happy to have a stab at it if okay with maintainers.