You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The current implementation uses a custom scheme url app callback that no longer works "huggingchat://“. Not sure if it ever did...
As we can surmise from the output below, the redirect_uri must match https://huggingface.co/chat/login/callback.
The HuggingChat backend (/chat/api) is a SvelteKit application that (seems to) acts as its own OAuth Client.
So while the HuggingChat interface API (/chat/api) is enabled via OAuth2, it requires another approach because it uses Session Cookies (hf-chat) derived from the OAuth flow, rather than standard Bearer tokens.
To access /chat/api endpoints (like /user etc.. ), we must "piggyback" on the official web session. We need to use a WKWebView to perform the login, allow the official callback to execute, and then extract the hf-chat cookies to use in our programmatic URLSession.
I have a fix and a new client that seems to work well I can develop and create a PR if there’s enough interest and this app is still live/relevant
NOTE: my current version of the app is
mlx-libraries:2.29.1
a custom version of WhisperKit compatible with swift-transformers 1.0.0, just to avoid version hell... (until the next update of mlx-libs argh!)
@cyrilzakka - bonjour!
redirect_urimust matchhttps://huggingface.co/chat/login/callback./chat/api) is a SvelteKit application that (seems to) acts as its own OAuth Client./chat/api) is enabled via OAuth2, it requires another approach because it uses Session Cookies (hf-chat) derived from the OAuth flow, rather than standard Bearer tokens./chat/apiendpoints (like /user etc.. ), we must "piggyback" on the official web session. We need to use aWKWebViewto perform the login, allow the official callback to execute, and then extract thehf-chatcookies to use in our programmaticURLSession.I have a fix and a new client that seems to work well
I can develop and create a PR if there’s enough interest and this app is still live/relevant
NOTE: my current version of the app is
debugging/tracing output below:
❯ curl -i "https://huggingface.co/chat/login?callback=huggingchat%3A%2F%2Flogin%2Fcallback" HTTP/2 302 location: https://huggingface.co/oauth/authorize?client_id=8f1a1d63-479b-46c8-84cb-521fe9f3222f&scope=openid%20profile%20inference-api%20read-mcp&response_type=code&redirect_uri=https%3A%2F%2Fhuggingface.co%2Fchat%2Flogin%2Fcallback&state=eyJkYXRhIjp7ImV4cGlyYXRpb24iOjE3NjM0NDIxMzYyODAsInJlZGlyZWN0VXJsIjoiaHR0cHM6Ly9odWdnaW5nZmFjZS5jby9jaGF0L2xvZ2luL2NhbGxiYWNrIiwibmV4dCI6Ii9jaGF0LyJ9LCJzaWduYXR1cmUiOiIzNWZjMGEzMTQxYzQ0YTI4Y2Y0MTM4NDgxOTI4MjJlMTg1NDA5NzQzYjM4YzYwZmI5OTZiNTY4N2VmMzM4Y2FlIn0%3D date: Tue, 18 Nov 2025 04:02:16 GMT set-cookie: hf-chat=eb6b6fdb-5783-4f02-810e-b0636742fe25; Path=/; Expires=Tue, 02 Dec 2025 04:02:16 GMT; HttpOnly; Secure; SameSite=Lax cache-control: no-store content-security-policy: frame-ancestors 'none'; x-cache: Miss from cloudfront via: 1.1 e3e31445c00bbce77f755b563c056d44.cloudfront.net (CloudFront) x-amz-cf-pop: JFK50-P9 x-amz-cf-id: 4Sd5ht-CXwVR6LzvMjChMzNwiSDvfkdS8LwpeLQXqJNwwSzDmdiWhw==