label studio authorization conflicts with private huggingface spaces

[fozziethebeat]

I tried cloning the template LabelStudio space on huggingface and making it private.

I tried connecting via the sdk in a jupyter notebook and wasn't able due to conflicting API key authorization. methods.

For example, I wanted the code below to work:

# Define the URL where Label Studio is accessible and the API key for your user account
LABEL_STUDIO_URL = 'https://my-org-labelstudio.hf.space'
API_KEY = MY_USER_ADMIN_TOKEN

# Import the SDK and the client module
from label_studio_sdk import Client

# Connect to the Label Studio API and check the connection
ls = Client(
    url=LABEL_STUDIO_URL, 
    api_key=API_KEY,
    extra_headers={
        "Authorization": f"Bearer {HF_TOKEN}",
    }
)
ls.check_connection()
ls.get_users()

This correctly connects and shows that the server is up but fails to get users due to authorization keys being wrong.

I'm pretty sure this is due to the following client header code in the sdk:

        self.headers = {"Authorization": f"Token {self.api_key}"}
        if oidc_token:
            self.headers.update({"Proxy-Authorization": f"Bearer {oidc_token}"})
        if extra_headers:
            self.headers.update(extra_headers)

Here Label Studio is authorizing the admin user with the Authorization Header, same as HuggingFace is using for gating access to private tokens.

Any other ways to handle this? To my knowledge Private spaces require the Auhotirzation header.

[fozziethebeat]

Is there anyway to configure the client and server to look for the user token in a different header? For example, I looked through what Argilla does and they use a custom header for API tokens (X-Argilla-Api-Key).