Every Databricks connection requires a service account — either an OAuth app (M2M) or a personal access token. Delphina uses this for background operations like catalog refresh and knowledge extraction, and it serves as the default identity for user queries. Optionally, you can enable per-user OAuth so that interactive queries run under each user’s own Databricks identity, enforcing Unity Catalog permissions, row-level security, and column masking.
Authentication overview
| Scenario | Without per-user OAuth | With per-user OAuth |
|---|---|---|
| Interactive queries (chat, data apps) | Service account | Per-user token |
| Scheduled workflows | Service account | Workflow owner’s token |
| Background jobs (catalog refresh, knowledge updates) | Service account | Service account |
Connecting Databricks
Step 1: Gather connection details
You’ll need the following from your Databricks workspace:
| Field | Where to find it | Example |
|---|---|---|
| Hostname | Workspace URL (without https://) | dbc-abc123.cloud.databricks.com |
| HTTP Path | SQL Warehouse > Connection details | /sql/1.0/warehouses/abc123def |
| Catalog | Optional — defaults to workspace default | main |
| Schema | Optional — defaults to default | analytics |
Step 2: Choose a service account authentication method
Delphina supports two service account methods for Databricks:
- OAuth (M2M)
- Personal Access Token
Use a Databricks OAuth application with machine-to-machine (M2M) credentials. This is the recommended approach.
- In your Databricks account console, go to Settings > App Connections.
- Click Add connection.
- Set the application name (e.g., Delphina Service).
- Enable the Client credentials grant type.
- Generate a Client Secret.
- Note the Client ID and Client Secret.
Step 3: Create the connection in Delphina
- Go to Org Admin > Warehouse Connections.
- Click Add Connection on the target workspace.
- Set the Warehouse Type to Databricks.
- Fill in Hostname, HTTP Path, and optionally Catalog and Schema.
- Under Authentication, choose OAuth or Personal Access Token and enter the credentials from Step 2.
- Click Create Connection.
Step 4: Test the connection
After saving, click Test Connection in the dialog footer to verify Delphina can reach your warehouse, list tables, and access query history.
Per-user OAuth (optional)
Per-user OAuth is an optional layer on top of the service account. When enabled, queries run under each user’s own Databricks identity instead of the shared service account. Scheduled workflows and data app refreshes run under the token of the user who created them. The service account is still used for catalog refresh and knowledge extraction.
Why use per-user OAuth
- Unity Catalog enforcement — row-level security, column masking, and table ACLs apply per user.
- Audit trail — Databricks query logs show the actual user, not a shared service account.
- Least privilege — users only access data their Databricks role permits.
Setting up per-user OAuth
1. Create an OAuth application in Databricks
This is a separate OAuth application from the service account M2M app (if you’re using OAuth for the service account). The per-user app uses the authorization code grant type.
- In your Databricks account console, go to Settings > App Connections.
- Click Add connection.
- Set the application name (e.g., Delphina User Auth).
- Set the redirect URI:
- Enable the Authorization code grant type.
- Set the required scope: sql.
- Generate a Client Secret.
- Note the Client ID and Client Secret.
2. Enable per-user OAuth in Delphina
- Go to Org Admin > Warehouse Connections.
- Edit your Databricks connection.
- Switch to the Authentication tab.
- Toggle Enable per-user OAuth.
- Enter the Client ID and Client Secret from the per-user OAuth application.
- Save the connection.
User experience
Once per-user OAuth is enabled:
- A banner appears at the top of the workspace prompting users to connect their Databricks account.
- Clicking Connect opens a popup to the Databricks authorization page.
- After authorizing, the popup closes and a confirmation toast appears.
- The user’s token is stored securely and refreshed automatically.
Token validation
Delphina validates per-user OAuth tokens in the background. If a token becomes invalid (e.g., revoked in Databricks), the user’s connection status updates to Needs authentication and they are prompted to re-authorize.
Revoking access
To revoke a user’s Delphina access to Databricks:
- From Databricks — remove the user’s authorization from the OAuth application. Their refresh token will fail on the next validation check.
- From Delphina — the user can click Disconnect in User Settings > Data Sources.
Troubleshooting
| Problem | Fix |
|---|---|
| Test Connection fails | Verify the hostname and HTTP path are correct. Ensure the service account has access to the SQL warehouse. |
| “Connect” banner doesn’t appear | Verify per-user OAuth is enabled on the connection and has a Client ID configured. |
| OAuth popup shows redirect error | Confirm the redirect URI in Databricks matches exactly: https://app.delphina.ai/api/oauth/databricks/callback |
| User gets “insufficient privileges” | Queries run under the user’s Databricks identity — check their permissions in Unity Catalog. |
| Scheduled workflow fails | The workflow owner must have completed the per-user OAuth flow. |
| Token shows “Needs authentication” after working | The refresh token may have been revoked in Databricks, or the OAuth app’s client secret was rotated. Have the user re-authorize. |
| Catalog refresh fails | Catalog refresh uses the service account, not per-user tokens. Check the service account credentials on the connection. |
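The first and third rows above come down to values that must match exactly. The following pre-flight check is an added example, not Delphina or Databricks code: the function name `check_connection` and both regular expressions are assumptions generalized from the example values in Step 1, while the redirect URI and the `sql` scope are the ones stated on this page.

```python
import re
from urllib.parse import urlsplit

# Redirect URI exactly as given in the Troubleshooting table on this page.
EXPECTED_REDIRECT_URI = "https://app.delphina.ai/api/oauth/databricks/callback"
# Assumed shape of the HTTP Path, generalized from the page's single example value.
HTTP_PATH_RE = re.compile(r"/sql/1\.0/warehouses/[0-9a-z]+")
# Assumed hostname grammar: dot-separated DNS labels, no scheme, port, or path.
HOSTNAME_RE = re.compile(r"(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")


def check_connection(hostname, http_path, redirect_uri=None, scopes=()):
    """Return a list of problems; an empty list means the values pass."""
    problems = []
    if "://" in hostname:
        problems.append("hostname: remove the scheme (enter it without https://)")
    elif not HOSTNAME_RE.fullmatch(hostname.lower()):
        problems.append("hostname: not a bare DNS name (no path, port, or spaces)")
    if not HTTP_PATH_RE.fullmatch(http_path):
        problems.append("http_path: expected /sql/1.0/warehouses/<id>")
    if redirect_uri is not None:  # only relevant when per-user OAuth is enabled
        # Byte-for-byte comparison: no case folding, no trailing-slash tolerance.
        if redirect_uri != EXPECTED_REDIRECT_URI:
            got, want = urlsplit(redirect_uri), urlsplit(EXPECTED_REDIRECT_URI)
            if got.scheme != want.scheme:
                why = "scheme differs"
            elif got.netloc != want.netloc:
                why = "host differs"
            elif got.path != want.path:
                why = "path differs"
            else:
                why = "query or fragment differs"
            problems.append(f"redirect_uri: not an exact match ({why})")
        if "sql" not in scopes:
            problems.append("scopes: per-user app is missing the required scope sql")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from a real workspace.
    for issue in check_connection(
        "https://dbc-abc123.cloud.databricks.com",
        "/sql/1.0/warehouses/abc123def/",
        "https://app.delphina.ai/api/oauth/databricks/callback/",
        scopes=["offline_access"],
    ):
        print(issue)
```

Pass `redirect_uri` and `scopes` (a list of scope strings) only when per-user OAuth is enabled; with the service account alone, the hostname and HTTP path are the only values checked.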