{"id":"huggingface-hf-mcp-server","name":"hf-mcp-server","homepage":"https://huggingface.co/mcp","repo_url":"https://github.com/huggingface/hf-mcp-server","category":"ai-ml","subcategories":[],"tags":["mcp","hugging-face","agents","search","hub","integration","tooling","streamablehttp","stdio","typescript","web-ui","oauth"],"what_it_does":"Provides an MCP server for Hugging Face Hub and Search endpoints (plus Gradio tool integration via proxying) using multiple transports (STDIO, Streamable HTTP, Streamable HTTP JSON-RPC). Includes a management web UI for configuring/adding tools and supports optional authentication/tooling for OAuth-like flows.","use_cases":["Connect an MCP-capable agent/IDE/desktop app to Hugging Face Hub resources (Hub API/search)","Enable agents to discover and call Hugging Face-related tools via MCP","Proxy additional StreamableHTTP-based MCP tool servers through a configurable CSV loader","Local development/testing of MCP tool integrations via STDIO or HTTP transports"],"not_for":["Direct production-grade Hugging Face API access without MCP or without considering outbound network/security controls","Use cases requiring strict, published rate-limit guarantees (no rate limit details provided in README)","Environments where exposing OAuth/token flows or misconfigured token handling is unacceptable without additional security review"],"best_when":"You want an agent-friendly MCP interface to Hugging Face Hub/Search and/or you need HTTP-based MCP (SSE) for multi-client session use with configurable heartbeats/timeouts.","avoid_when":"You cannot securely manage and scope Hugging Face tokens, or you require comprehensive operational guarantees (SLA, documented rate limits, error-code conventions) beyond what is described here.","alternatives":["Hugging Face Hub REST API directly","Community/unofficial MCP servers for Hugging Face or generic search","Build a small MCP wrapper around Hugging Face Hub APIs (custom)"],"af_score":61.8,"security_score":52.0,"reliability_score":30.0,"package_type":"mcp_server","discovery_source":["github"],"priority":"high","status":"evaluated","version_evaluated":null,"last_evaluated":"2026-03-30T13:37:06.534476+00:00","interface":{"has_rest_api":false,"has_graphql":false,"has_grpc":false,"has_mcp_server":true,"mcp_server_url":"https://huggingface.co/mcp","has_sdk":false,"sdk_languages":[],"openapi_spec_url":null,"webhooks":false},"auth":{"methods":["Authorization: Bearer <HF_TOKEN> via MCP client headers","Optional AUTHENTICATE_TOOL to issue an OAuth challenge (details not included in README)"],"oauth":true,"scopes":false,"notes":"README describes token-based header auth (HF token) and an optional Authenticate tool for OAuth-like flows, but does not describe fine-grained scopes or scope enforcement."},"pricing":{"model":null,"free_tier_exists":false,"free_tier_limits":null,"paid_tiers":[],"requires_credit_card":false,"estimated_workload_costs":null,"notes":"No pricing or cost model described in provided content; likely depends on Hugging Face usage and any hosting choices for the MCP server."},"requirements":{"requires_signup":false,"requires_credit_card":false,"domain_verification":false,"data_residency":[],"compliance":[],"min_contract":null},"agent_readiness":{"af_score":61.8,"security_score":52.0,"reliability_score":30.0,"mcp_server_quality":86.0,"documentation_accuracy":78.0,"error_message_quality":0.0,"error_message_notes":null,"auth_complexity":85.0,"rate_limit_clarity":10.0,"tls_enforcement":70.0,"auth_strength":65.0,"scope_granularity":20.0,"dependency_hygiene":45.0,"secret_handling":55.0,"security_notes":"Uses bearer-token auth patterns (HF_TOKEN) and runs over HTTPS when using the hosted endpoint (implied by https://huggingface.co/mcp and typical HTTP clients). No details are provided on TLS enforcement for self-hosted deployments, token storage/logging, rate limiting, or whether outbound checks are restricted beyond an ALLOW_INTERNAL_ADDRESS_HOSTS allowlist. Scope granularity is not documented; token permissions are likely delegated to Hugging Face token settings.","uptime_documented":0.0,"version_stability":45.0,"breaking_changes_history":40.0,"error_recovery":35.0,"idempotency_support":"false","idempotency_notes":null,"pagination_style":"none","retry_guidance_documented":false,"known_agent_gotchas":["In StreamableHTTPJSON mode, tools may not be listed on subsequent tool-list requests (tool listing behavior differs from stateful JSON-RPC mode).","Proxy tool loading via PROXY_TOOLS_CSV fetches endpoints once at startup and silently skips failures/sources returning no tools (agent may not find expected tools).","DEFAULT_HF_TOKEN fallback behavior: requests are serviced with HF_TOKEN from the Authorization header when present; otherwise DEFAULT_HF_TOKEN is used (avoid misconfiguration in production).","Some behavior is controlled by flags like GRADIO_SKIP_INITIALIZE and MCP_STRICT_COMPLIANCE; incorrect settings may change handshake/tool availability."]}}