Skip to main content
AINode keeps credentials in a local Secrets store at ~/.ainode/secrets.json (file mode 0600, values obfuscated at rest). Secrets never appear in API responses — the UI only ever shows a masked value (last 4 characters). Set them in Config → Secrets, where each credential has a Test button that reports the detected scope without revealing the value.

Hugging Face: read vs write

There are two HF token slots, and the difference matters:
SlotUsed forRequired scope
HuggingFace Token (read)Download gated models (Llama, Gemma, …)read is enough
HuggingFace Token (write)Push quantized / fine-tuned models to the Hubwrite (or a write-scoped fine-grained token)
AINode prefers the write token for pushes and falls back to the read token only if it has write scope. A read-only token is rejected up front — before any multi-GB upload starts — so you never wait through a transfer that ends in a 403.
Keep your everyday downloads on a read token and add a separate write token only when you intend to push models back to the Hub.

Setting the read token from the CLI

ainode config --hf-token hf_xxxxxxxxxxxxxxxx   # set
ainode config --hf-token ""                    # clear
This populates the read slot and propagates automatically to gated-model downloads and training jobs. The write token is set in the Secrets UI.

Other supported credentials

SecretPurpose
NVIDIA NGC API KeyPull NGC-hosted models and containers
Weights & Biases API KeyStream training metrics to W&B
OpenAI API KeyBenchmark comparisons against hosted OpenAI models

Where pushes land

When you push a quantized or fine-tuned model, AINode creates a private repo under the write token’s namespace (<your-namespace>/<repo-name>). See Quantize a Model for the push workflow.