Authentication overview
Connecting Databricks
Step 1: Gather connection details
You’ll need the following from your Databricks workspace:Step 2: Choose a service account authentication method
Delphina supports two service account methods for Databricks:- Service Principal — Recommended
- Personal Access Token
Use a Databricks service principal with OAuth machine-to-machine (M2M) credentials. Tokens are short-lived (1 hour) and refresh automatically — no manual rotation required.
Create a service principal
- In your Databricks account console, go to User management > Service principals.
- Click Add service principal and give it a name (e.g.,
Delphina). - Click on the service principal, then go to the Credentials & secrets tab.
- Click Generate secret. Copy the Client ID and Secret — the secret is only shown once.
Grant permissions
The service principal needs access to:- SQL warehouse — go to SQL Warehouses, click the kebab menu (⋮) on your warehouse row, select Permissions, and add the service principal with Can use access.
- Catalogs and schemas — in Unity Catalog, grant
USE CATALOG,USE SCHEMA, andSELECTon the tables Delphina should query: - Query history — Delphina reads from
system.query.historyto identify important tables and active users during onboarding. Grant access:
Step 3: Create the connection in Delphina
- Go to Org Admin > Warehouse Connections.
- Click Add Connection on the target workspace.
- Set the Warehouse Type to Databricks.
- Fill in Hostname, HTTP Path, and optionally Catalog and Schema.
- Under Authentication, choose Service Principal or Personal Access Token and enter the credentials from Step 2.
- Click Create Connection.
Step 4: Test the connection
After saving, click Test Connection in the dialog footer to verify Delphina can reach your warehouse, list tables, and access query history.Per-user OAuth (optional)
Per-user OAuth is an optional layer on top of the service account. When enabled, queries run under each user’s own Databricks identity instead of the shared service account. Scheduled workflows and data app refreshes run under the token of the user who created them. The service account is still used for catalog refresh and knowledge extraction.Why use per-user OAuth
- Unity Catalog enforcement — row-level security, column masking, and table ACLs apply per user.
- Audit trail — Databricks query logs show the actual user, not a shared service account.
- Least privilege — users only access data their Databricks role permits.
Setting up per-user OAuth
1. Create an OAuth application in Databricks
This is a separate OAuth application from the service principal (if you’re using that for the service account). The per-user app uses the authorization code grant type.
- In your Databricks account console, go to Settings > App Connections.
- Click Add connection.
- Set the application name (e.g.,
Delphina User Auth). - Set the redirect URI:
- Enable the Authorization code grant type.
- Set the required scope:
sql. - Generate a Client Secret.
- Note the Client ID and Client Secret.
2. Enable per-user OAuth in Delphina
- Go to Org Admin > Warehouse Connections.
- Edit your Databricks connection.
- Switch to the Authentication tab.
- Toggle Enable per-user OAuth.
- Enter the Client ID and Client Secret from the per-user OAuth application.
- Save the connection.
User experience
Once per-user OAuth is enabled:- A banner appears at the top of the workspace prompting users to connect their Databricks account.
- Clicking Connect opens a popup to the Databricks authorization page.
- After authorizing, the popup closes and a confirmation toast appears.
- The user’s token is stored securely and refreshed automatically.
Token validation
Delphina validates per-user OAuth tokens in the background. If a token becomes invalid (e.g., revoked in Databricks), the user’s connection status updates to Needs authentication and they are prompted to re-authorize.Revoking access
To revoke a user’s Delphina access to Databricks:- From Databricks — remove the user’s authorization from the OAuth application. Their refresh token will fail on the next validation check.
- From Delphina — the user can click Disconnect in User Settings > Data Sources.