Fix guide · critical · huggingface_token_old

Hugging Face legacy API token in client code

What this rule means

A legacy Hugging Face token (api_*_*) was found in your deployed JavaScript.

Why it matters

The blast radius is the same as for the modern hf_* tokens: read/write access to models, datasets, and spaces. Legacy tokens may not have granular scopes, so treat an exposed one as full-access.

How to fix it

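  1. Revoke the exposed token at huggingface.co/settings/tokens.
  2. Generate a new token with the minimum required scopes (read-only if you only consume models).
  3. Move the token server-side: make the Hugging Face calls from your backend so the token is never shipped in client JavaScript.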
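
Step 3 as an added example, not code from this guide's authors or from Hugging Face: a Fetch-API style server handler that attaches the token from the server environment, so the browser only ever talks to your own endpoint. The HF_TOKEN variable name, the model allowlist and the upstream URL are assumptions; adjust them to your deployment.

```javascript
// Added example. Assumptions (not from the guide): HF_TOKEN env var name,
// the allowlist contents, and the upstream inference URL.
const UPSTREAM = "https://api-inference.huggingface.co/models/"; // assumed endpoint
const ALLOWED_MODELS = new Set(["example-org/example-model"]);   // hypothetical model id
const MAX_INPUT_CHARS = 2000;

// Build the upstream call. The token comes from server-side env only and
// never appears in anything that is sent back to the browser.
function buildUpstreamRequest(model, inputs, env) {
  if (!env.HF_TOKEN) throw new Error("HF_TOKEN is not set on the server");
  // Restrict what clients can do with your token: fixed models, bounded input.
  if (!ALLOWED_MODELS.has(model)) return null;
  if (typeof inputs !== "string" || inputs.length > MAX_INPUT_CHARS) return null;
  return {
    url: UPSTREAM + model, // safe to concatenate: model is allowlisted above
    init: {
      method: "POST",
      headers: {
        Authorization: `Bearer ${env.HF_TOKEN}`,
        "Content-Type": "application/json",
      },
      body: JSON.stringify({ inputs }),
    },
  };
}

// Request in, Response out: the shape used by most serverless/edge runtimes.
async function handleInference(request, env, fetchImpl = fetch) {
  if (request.method !== "POST") return new Response("method not allowed", { status: 405 });
  let payload;
  try {
    payload = await request.json();
  } catch {
    return new Response("invalid JSON", { status: 400 });
  }
  const upstream = buildUpstreamRequest(payload?.model, payload?.inputs, env);
  if (!upstream) return new Response("request not permitted", { status: 403 });
  const res = await fetchImpl(upstream.url, upstream.init);
  // Relay only status and body; upstream request headers are never echoed.
  return new Response(await res.text(), {
    status: res.status,
    headers: { "Content-Type": "application/json" },
  });
}
```

The client then POSTs `{ model, inputs }` to this endpoint with no Hugging Face Authorization header. Put your own authentication and rate limiting in front of it so the endpoint does not become an open relay for your token.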

Did vibecheck flag this on your app?

If you reached this page from a vibecheck inspection report, the redacted match in your scan output is the exact string we found in your bundle. After applying the fix above, run the inspection again — the finding should clear.
