AINode keeps credentials in a local Secrets store at ~/.ainode/secrets.json
(file mode 0600, values obfuscated at rest). Secrets never appear in API
responses — the UI only ever shows a masked value (last 4 characters). Set them in
Config → Secrets, where each credential has a Test button that reports the
detected scope without revealing the value.
Hugging Face: read vs write
There are two HF token slots, and the difference matters:
| Slot | Used for | Required scope |
|---|
| HuggingFace Token (read) | Download gated models (Llama, Gemma, …) | read is enough |
| HuggingFace Token (write) | Push quantized / fine-tuned models to the Hub | write (or a write-scoped fine-grained token) |
AINode prefers the write token for pushes and falls back to the read token
only if it has write scope. A read-only token is rejected up front — before
any multi-GB upload starts — so you never wait through a transfer that ends in a
403.
Keep your everyday downloads on a read token and add a separate write token
only when you intend to push models back to the Hub.
Setting the read token from the CLI
ainode config --hf-token hf_xxxxxxxxxxxxxxxx # set
ainode config --hf-token "" # clear
This populates the read slot and propagates automatically to gated-model
downloads and training jobs. The write token is set in the Secrets UI.
Other supported credentials
| Secret | Purpose |
|---|
| NVIDIA NGC API Key | Pull NGC-hosted models and containers |
| Weights & Biases API Key | Stream training metrics to W&B |
| OpenAI API Key | Benchmark comparisons against hosted OpenAI models |
Where pushes land
When you push a quantized or fine-tuned model, AINode creates a private repo
under the write token’s namespace (<your-namespace>/<repo-name>). See
Quantize a Model for the push workflow.