Authentication using Databricks personal access tokens

To authenticate to and access Databricks REST APIs, use Databricks personal access tokens.

Important

Tokens replace passwords in an authentication flow and should be protected like passwords. To protect tokens, Databricks recommends that you store tokens in:

• Secret management and retrieve tokens in notebooks using the Secrets utility (dbutils.secrets).

• A local key store and use the Python keyring package to retrieve tokens at runtime.

Requirements

Token-based authentication is enabled by default for all Databricks accounts. If token-based authentication is disabled, your administrator must enable it before you can perform the tasks described in Manage personal access tokens.

Generate a personal access token

This section describes how to generate a personal access token in the Databricks UI. You can also generate and revoke tokens using the Token API 2.0.

The number of personal access tokens per user is limited to 600 per workspace.

1. Click Settings in the lower left corner of your Databricks workspace.

2. Click User Settings.

3. Go to the Access Tokens tab.

4. Click the Generate New Token button.

5. Optionally enter a description (comment) and expiration period.

   

6. Click the Generate button.

7. Copy the generated token and store in a secure location.

Revoke a personal access token

This section describes how to revoke personal access tokens using the Databricks UI. You can also generate and revoke access tokens using the Token API 2.0.

1. Click Settings in the lower left corner of your Databricks workspace.

2. Click User Settings.

3. Go to the Access Tokens tab.

4. Click x for the token you want to revoke.

5. On the Revoke Token dialog, click the Revoke Token button.

Use a personal access token to access the Databricks REST API

You can store a personal access token in a .netrc file and use it in curl or pass it to the Authorization: Bearer header.

Store tokens in a .netrc file and use them in curl

Create a .netrc file with machine, login, and password properties:

machine <databricks-instance>
login token
password <token-value>

where:

• <databricks-instance> is the instance ID portion of the workspace URL for your Databricks deployment. For example, if the workspace URL is https://1234567890123456.7.gcp.databricks.com then <databricks-instance> is 1234567890123456.7.gcp.databricks.com.

• token is the literal string token.

• <token-value> is the value of your token, for example dapi1234567890ab1cde2f3ab456c7d89efa.

The result looks like this:

machine 1234567890123456.7.gcp.databricks.com
login token
password dapi1234567890ab1cde2f3ab456c7d89efa

For multiple machine/token entries, add one line per entry, with the machine, login and password properties for each machine/token matching pair on the same line. The result looks like this:

machine 1234567890123456.7.gcp.databricks.com login token password dapi1234567890ab1cde2f3ab456c7d89efa
machine 2345678901234567.8.gcp.databricks.com login token password dapi2345678901cd2efa3b4cd567e8f90abc
machine 3456789012345678.9.gcp.databricks.com login token password dapi3456789012de3fab4c5de678f9a01bcd

This example invokes the .netrc file by using --netrc (you can also use -n) in the curl command. It uses the specified workspace URL to find the matching machine entry in the .netrc file.

curl --netrc -X GET https://1234567890123456.7.gcp.databricks.com/api/2.0/clusters/list

Pass token to Bearer authentication

You can include the token in the header using Bearer authentication. You can use this approach with curl or any client that you build.

This example uses Bearer authentication to list all available clusters in the specified workspace.

export DATABRICKS_TOKEN=dapi1234567890ab1cde2f3ab456c7d89efa

curl -X GET --header "Authorization: Bearer $DATABRICKS_TOKEN" \
https://1234567890123456.7.gcp.databricks.com/api/2.0/clusters/list