Authenticate with Databricks personal access tokens (legacy)
Databricks personal access tokens (PATs) let you authenticate to resources and APIs at the workspace level. You can store them in environment variables or Databricks configuration profiles. Each PAT is valid for only one workspace, and a user can create up to 600 PATs per workspace. Databricks automatically revokes PATs that haven’t been used for 90 days.
Username and password authentication (without tokens) reached end of life on July 10, 2024. Databricks strongly recommends using OAuth instead of PATs for user account authentication because OAuth provides stronger security. To learn how to authenticate with a Databricks user account using OAuth, see Authorize user access to Databricks with OAuth.
You can't use personal access tokens to automate Databricks account-level functionality. Instead, use either OAuth tokens for Databricks account admin users or service principals. For more information, see:
- Authorize service principal access to Databricks with OAuth
- Authorize user access to Databricks with OAuth
Create personal access tokens for workspace users
To create a personal access token for your Databricks workspace user, do the following:
- In your Databricks workspace, click your username in the top bar and select Settings.
- Click Developer.
- Next to Access tokens, click Manage.
- Click Generate new token.
- Enter a comment that helps you to identify this token in the future.
- Set the token's lifetime in days. See Set maximum lifetime of new personal access tokens.
- Click Generate.
- Copy the displayed token to a secure location, then click Done. Save the token securely and don't share it. If you lose it, you must create a new token.
If you can't create or use tokens, your workspace administrator might have disabled tokens or not granted you permission. See your workspace administrator or the following:
- Enable or disable personal access token authentication for the workspace
- Personal access token permissions
Create personal access tokens for service principals
A workspace admin creates the initial PAT for a service principal, then the service principal can create additional tokens for itself.
Step 1: Create a PAT for your service principal
As a workspace admin, create a Databricks personal access token on behalf of a service principal:
- Set up authentication for the Databricks CLI if not already configured.
- Get the application ID for the Databricks service principal:
  - Click your username in the top bar, then click Settings.
  - Under Workspace admin, click Identity and access > Manage (next to Service principals).
  - Click the Databricks service principal name to open its settings page.
  - On the Configurations tab, note the Application Id value.
- Run the following command to generate the access token:
  databricks token-management create-obo-token <application-id> --lifetime-seconds <lifetime-seconds> -p <profile-name>
  Replace the following values:
  - <application-id>: The Databricks service principal application ID.
  - <lifetime-seconds>: Token lifetime in seconds, such as 86400 for 1 day. Defaults to the workspace maximum (typically 730 days).
  - <profile-name>: Configuration profile with authentication information. Defaults to DEFAULT.
- In the response, copy the token_value, which is the access token for your Databricks service principal. Save the token securely and don't share it. If you lose it, you must create a new token.
If you can't create or use tokens, your workspace administrator might have disabled tokens or not granted you permission. See your workspace administrator or the following:
- Enable or disable personal access token authentication for the workspace
- Personal access token permissions
Step 2: Create additional PATs for your service principal
Use the existing PAT to create additional tokens for the service principal.
- Run the following command to generate an access token:
  databricks tokens create --lifetime-seconds <lifetime-seconds> -p <profile-name>
  Replace the following values:
  - <lifetime-seconds>: Token lifetime in seconds, such as 86400 for 1 day. Defaults to the workspace maximum (typically 730 days).
  - <profile-name>: Configuration profile with authentication information. Defaults to DEFAULT.
- Copy the token_value from the response, which is the access token for your Databricks service principal. Save the token securely and don't share it. If you lose it, you must create a new token.
If you can't create or use tokens, your workspace administrator might have disabled tokens or not granted you permission. See your workspace administrator or the following:
- Enable or disable personal access token authentication for the workspace
- Personal access token permissions
Perform personal access token authentication
To configure Databricks personal access token authentication, set the following associated environment variables, .databrickscfg fields, Terraform fields, or Config fields:
- The Databricks host, specified as the target Databricks workspace URL, for example https://dbc-a1b2345c-d6e7.cloud.databricks.com.
- The Databricks personal access token, for the Databricks user account or Databricks service principal.
To perform Databricks personal access token authentication, integrate the following within your code, based on the participating tool or SDK:
- Environment
- Profile
- CLI
- Connect
To use environment variables for a specific Databricks authentication type with a tool or SDK, see Authorize access to Databricks resources or the tool's or SDK's documentation. See also Environment variables and fields for unified authentication and the Authentication method priority.
Set the following environment variables:
- DATABRICKS_HOST, set to the Databricks workspace URL, for example https://dbc-a1b2345c-d6e7.cloud.databricks.com.
- DATABRICKS_TOKEN, set to the token string.
Create or identify a Databricks configuration profile with the following fields in your .databrickscfg file. If you create the profile, replace the placeholders with the appropriate values. To use the profile with a tool or SDK, see Authorize access to Databricks resources or the tool's or SDK's documentation. See also Environment variables and fields for unified authentication and the Authentication method priority.
Set the following values in your .databrickscfg file. In this case, the host is the Databricks workspace URL, for example https://dbc-a1b2345c-d6e7.cloud.databricks.com:
[<some-unique-configuration-profile-name>]
host = <workspace-url>
token = <token>
Instead of setting the values manually, you can use the Databricks CLI to set them:
The following procedure uses the Databricks CLI to create a Databricks configuration profile with the name DEFAULT. If you already have a DEFAULT configuration profile, this procedure overwrites your existing DEFAULT configuration profile.
To check whether you already have a DEFAULT configuration profile, and to view this profile's settings if it exists, use the Databricks CLI to run the command databricks auth env --profile DEFAULT.
To create a configuration profile with a name other than DEFAULT, replace the DEFAULT part of --profile DEFAULT in the following databricks configure command with a different name for the configuration profile.
- Use the Databricks CLI to create a Databricks configuration profile named DEFAULT that uses Databricks personal access token authentication. To do this, run the following command:
  databricks configure --profile DEFAULT
- For the prompt Databricks Host, enter your Databricks workspace instance URL, for example https://dbc-a1b2345c-d6e7.cloud.databricks.com.
- For the prompt Personal Access Token, enter the Databricks personal access token for your workspace.
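Because a profile stores the PAT in plaintext, the file itself becomes the credential. The following audit of a .databrickscfg file is an added example, not part of the Databricks documentation: it flags group/other file access, profiles that hold a static token, and tokens paired with a non-HTTPS host. The sample file, the profile names staging and oauth-user, and the function names are constructed for illustration.

```python
import configparser
import os
import stat
import tempfile
from urllib.parse import urlparse

# Constructed sample file; the token values are placeholders, not real PATs.
SAMPLE = """\
[DEFAULT]
host = https://dbc-a1b2345c-d6e7.cloud.databricks.com
token = <placeholder-token>

[staging]
host = http://dbc-a1b2345c-d6e7.cloud.databricks.com
token = <placeholder-token>

[oauth-user]
host = https://dbc-a1b2345c-d6e7.cloud.databricks.com
"""


def audit_databrickscfg(path):
    """Return (profile, finding) tuples for one .databrickscfg file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):  # group/other access exposes every PAT
        findings.append(("<file>", f"mode {mode:04o} grants group/other access"))
    # [DEFAULT] is an ordinary profile here, so stop configparser from treating
    # it as inherited defaults; interpolation is off so '%' in a token is literal.
    cfg = configparser.ConfigParser(default_section="__unused__", interpolation=None)
    cfg.read(path)
    for profile in cfg.sections():
        section = cfg[profile]
        if "token" not in section:
            continue  # no static PAT in this profile
        findings.append((profile, "static PAT stored in plaintext"))
        if urlparse(section.get("host", "")).scheme != "https":
            findings.append((profile, "token would be sent to a non-HTTPS host"))
    return findings


def run_demo(mode):
    """Write SAMPLE to a temp file with the given mode and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, ".databrickscfg")
        with open(path, "w") as fh:
            fh.write(SAMPLE)
        os.chmod(path, mode)
        return audit_databrickscfg(path)
```

The permission check relies on POSIX mode bits, so run it on Linux or macOS hosts.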
For the Databricks CLI, run the databricks configure command. At the prompts, enter the following settings:
- The Databricks host, specified as the target Databricks workspace URL, for example https://dbc-a1b2345c-d6e7.cloud.databricks.com.
- The Databricks personal access token, for the Databricks user account or Databricks service principal.
For more information, see Personal access token authentication (deprecated).
Databricks personal access token authentication is supported on the following Databricks Connect versions:
- For Python, Databricks Connect for Databricks Runtime 13.3 LTS and above.
- For Scala, Databricks Connect for Databricks Runtime 13.3 LTS and above.
For Databricks Connect, use the Databricks CLI to set the values in your .databrickscfg file, for Databricks workspace-level operations as specified in the Profile section.
The following procedure creates a Databricks configuration profile named DEFAULT, which overwrites any existing DEFAULT profile. To check if a DEFAULT profile exists, run databricks auth env --profile DEFAULT. If it exists, use a different profile name.
- Run the following command to create a Databricks configuration profile named DEFAULT that uses personal access token authentication.
  databricks configure --configure-cluster --profile DEFAULT
- For the prompt Databricks Host, enter your Databricks workspace instance URL, for example https://dbc-a1b2345c-d6e7.cloud.databricks.com.
- For the prompt Personal Access Token, enter the personal access token for your workspace.
- In the list of available clusters, select the target Databricks cluster in your workspace. You can type any part of the cluster's display name to filter the list of available clusters.
Use the Databricks REST API to issue personal access tokens
Databricks provides a REST endpoint /api/2.0/token/create to issue PATs. See Create a user token for API details.
In the following example, set these values:
- <databricks-instance>: Your Databricks workspace URL. For example, dbc-abcd1234-5678.cloud.databricks.com.
- <your-existing-access-token>: An existing valid PAT (string) that has permissions to create new tokens.
- <lifetime-seconds>: The token's lifetime in seconds.
curl -X POST https://<databricks-instance>/api/2.0/token/create \
-H "Authorization: Bearer <your-existing-access-token>" \
-H "Content-Type: application/json" \
-d '{
"lifetime_seconds": <lifetime-seconds>
}'
If successful, this results in a response payload similar to:
{
"access_token": "<your-newly-issued-pat>",
"token_type": "Bearer",
"expires_in": <the-duration-of-the-new-pat>
}
Provide the new token from the response in the Authorization header of subsequent calls to Databricks REST APIs. For example:
# This example uses a simple GET. For POST or other REST verbs, you may need to provide additional parameters.
curl -X GET "https://<databricks-instance>/api/2.0/<path-to-endpoint>" \
-H "Authorization: Bearer <your-new-pat>"
import requests
headers = {
    'Authorization': 'Bearer <your-new-pat>'
}
# This example is for an HTTP GET operation.
# The timeout keeps the call from hanging indefinitely if the workspace does not respond.
response = requests.get('https://<databricks-instance>/api/2.0/<path-to-endpoint>', headers=headers, timeout=30)
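The token appears on this page in four forms: the Authorization header, the DATABRICKS_TOKEN variable, the token field in .databrickscfg, and the access_token / token_value response fields. Any of them can leak into application logs. The following logging filter that scrubs those forms is an added example, not part of the Databricks documentation; the patterns, the logger name and the log lines are constructed for illustration.

```python
import logging
import re

# One pattern per form; group 1 is the label to keep, group 2 is the secret.
_PATTERNS = [
    re.compile(r"(authorization[\"']?\s*[:=]\s*[\"']?bearer\s+)([^\s\"']+)", re.I),
    re.compile(r"(DATABRICKS_TOKEN\s*=\s*[\"']?)([^\s\"']+)"),
    re.compile(r"^(\s*token\s*=\s*)(\S+)", re.I | re.M),
    re.compile(r"([\"'](?:access_token|token_value)[\"']\s*:\s*[\"'])([^\"']+)"),
]


def redact(text):
    """Replace every token value matched by _PATTERNS with a fixed marker."""
    for pattern in _PATTERNS:
        text = pattern.sub(r"\1[REDACTED]", text)
    return text


class RedactTokens(logging.Filter):
    """Attach to a handler so records propagated from child loggers are covered too."""

    def filter(self, record):
        record.msg = redact(record.getMessage())  # merge args first, then scrub
        record.args = ()
        return True


def demo():
    """Send constructed log lines through the filter and return what was emitted."""
    out = []
    handler = logging.Handler()
    handler.emit = lambda record: out.append(record.getMessage())
    handler.addFilter(RedactTokens())
    log = logging.getLogger("pat-redaction-demo")  # hypothetical logger name
    log.addHandler(handler)
    log.propagate = False
    log.warning("%s headers=%s", "GET", {"Authorization": "Bearer constructed-token-1"})
    log.warning("env DATABRICKS_TOKEN=constructed-token-2 DATABRICKS_HOST=https://example.invalid")
    log.removeHandler(handler)
    return out


if __name__ == "__main__":
    print("\n".join(demo()))
```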