For automated access to Databricks (CI/CD pipelines, Airflow jobs, external applications), it is a program rather than a human user that authenticates. Personal Access Tokens (PAT) were the traditional choice, but since 2024 Databricks has positioned OAuth Machine-to-Machine (M2M) as the recommended method.
This article walks through how OAuth M2M works (Client Credentials Flow), concrete steps from creating a service principal to registering the OAuth app and fetching tokens, a comparison with PAT, and what the certification exam tests.
PATs have the following operational issues:
OAuth M2M structurally solves these problems by combining a service principal (a non-human identity entity) with the OAuth 2.0 Client Credentials Flow.
OAuth M2M uses the OAuth 2.0 Client Credentials Grant. With no user interaction at all, the client (program) directly obtains a token using its Client ID and Client Secret.
Unlike the Authorization Code Flow, there are no browser redirects or user consent screens. Because it is entirely a machine-to-machine exchange, it is called "Machine-to-Machine".
There are 3 steps to configure OAuth M2M authentication.
Create a service principal from the Account Console or via the databricks service-principals create CLI command.
# Create a service principal via the Databricks CLI
databricks service-principals create \
--application-id "<application-id>" \
--display-name "ci-cd-pipeline-sp"
# Or via the Account SCIM API
curl -X POST \
"https://accounts.cloud.databricks.com/api/2.0/accounts/<account-id>/scim/v2/ServicePrincipals" \
-H "Authorization: Bearer <admin-token>" \
-H "Content-Type: application/json" \
-d '{
"displayName": "ci-cd-pipeline-sp",
"entitlements": [
{ "value": "workspace-access" }
]
}'Generate an OAuth Secret for the service principal.
# Generate an OAuth Secret for the service principal
curl -X POST \
"https://accounts.cloud.databricks.com/api/2.0/accounts/<account-id>/servicePrincipals/<sp-id>/credentials/secrets" \
-H "Authorization: Bearer <admin-token>"
# Example response
{
"id": "secret-id-xxxx",
"secret": "dose...xxxx", // store this value securely
"status": "ACTIVE",
"create_time": "2026-03-26T10:00:00.000Z"
}Note: the Client Secret is returned only in the response at creation time. It cannot be retrieved later, so always store it in a secret manager (AWS Secrets Manager, Azure Key Vault, etc.).
Use the Client ID and Client Secret to obtain an access token.
# Acquire an access token
curl -X POST \
"https://<workspace-url>/oidc/v1/token" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=client_credentials" \
-d "client_id=<service-principal-client-id>" \
-d "client_secret=<client-secret>" \
-d "scope=all-apis"
# Example response
{
"access_token": "eyJhbGciOiJSUzI1NiI...",
"token_type": "Bearer",
"expires_in": 3600
}Attach the obtained access token in the Authorization header to call Databricks APIs.
# Use the token to list jobs
curl -X GET \
"https://<workspace-url>/api/2.1/jobs/list" \
-H "Authorization: Bearer eyJhbGciOiJSUzI1NiI..."
| Aspect | Personal Access Token (PAT) | OAuth M2M (Client Credentials) |
|---|---|---|
| Bound to | Individual user | Service principal |
| Token lifetime | Configurable (can be never-expiring) | Short-lived (1 hour by default) |
| Auto-renewal | No (manual reissue) | Auto-fetched via Client Credentials |
| Permission scope | All permissions of the issuing user | Only what is granted to the service principal |
| Resilience to staff changes | Low (token must be revoked when user is deleted) | High (service principal is independent of people) |
| Auditability | Low (unclear which PAT is used by which system) | High (identifiable by service principal name) |
| Databricks recommendation | Legacy (minimize new usage) | Recommended (standard since 2024) |
Here is a typical pattern for integrating OAuth M2M into a CI/CD pipeline.
# GitHub Actions example
name: Deploy Databricks Jobs
on:
push:
branches: [main]
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install Databricks CLI
run: pip install databricks-cli
- name: Get OAuth Token
id: token
run: |
TOKEN=$(curl -s -X POST \
"${{ secrets.DATABRICKS_HOST }}/oidc/v1/token" \
-d "grant_type=client_credentials" \
-d "client_id=${{ secrets.DATABRICKS_CLIENT_ID }}" \
-d "client_secret=${{ secrets.DATABRICKS_CLIENT_SECRET }}" \
-d "scope=all-apis" | jq -r '.access_token')
echo "::add-mask::$TOKEN"
echo "token=$TOKEN" >> $GITHUB_OUTPUT
- name: Deploy with Databricks CLI
run: databricks bundle deploy --target production
env:
DATABRICKS_HOST: ${{ secrets.DATABRICKS_HOST }}
DATABRICKS_TOKEN: ${{ steps.token.outputs.token }}The key point is to store the Client ID and Client Secret in GitHub Secrets and never hard-code them in source.
Security & Governance
問題 1
A data platform team runs a pipeline that triggers Databricks jobs from Airflow. They currently authenticate with the team lead's PAT, but the lead is changing roles, so they need to revisit the auth method. Which approach meets security requirements while minimizing operational overhead?
正解: A
PATs are tied to individuals, so role changes or departures break authentication. Moving to a service principal + OAuth M2M removes the human dependency, and tokens are short-lived with automatic renewal, so operational overhead drops too. Swapping in another member's PAT just defers the same problem. Username/password auth is inappropriate for security, and SSO-only access prevents programmatic API calls.
Should I use OAuth M2M tokens or Personal Access Tokens (PAT)?
OAuth M2M is recommended for automation pipelines (CI/CD, Airflow, Prefect, etc.). PATs are tied to individual users, so tokens can be orphaned when someone leaves or changes roles, and lifetime management is manual. OAuth M2M is bound to a service principal, and tokens are short-lived (1 hour by default) with automatic renewal, which is superior on both security and lifecycle management. Since 2024 Databricks has also recommended OAuth M2M for automation use cases and advised minimizing new PAT usage.
How long do OAuth M2M tokens last?
The default access-token lifetime issued by OAuth M2M is 1 hour (3,600 seconds). Renewal is just re-running the Client Credentials Flow; refresh tokens are not used. CI/CD pipelines typically fetch a token at the start of each job run and reuse it within that job. For long-running batches, either finish all requests within the token lifetime or build in logic to re-acquire the token midway.
How is OAuth M2M tested on Databricks certification exams?
It shows up in the Security & Governance and Workload Management domains of the Data Engineer Professional exam. Typical patterns include: the most secure way to authenticate to Databricks from a CI/CD pipeline, the recommended replacement for PATs, and the purpose of service principals. Questions rarely ask for the OAuth 2.0 flow name (Client Credentials Grant) directly; the focus is on comparing PAT vs OAuth M2M and understanding the service-principal concept.
Practice with certification-focused question sets
無料で問題を解いてみるNicheeLab Editorial Team
NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.
Databricks Certifications: All 7 Exams, Difficulty & Study Plan (2026)
Complete guide to all 7 Databricks certifications — Data Eng...
Databricks Exam Difficulty Ranking: All 7 Certs Compared (2026)
Every Databricks certification ranked by difficulty, with st...
Databricks Study Guide: Fastest Pass Route & Time Estimates (2026)
How to pass Databricks certifications efficiently. Official ...
Databricks Data Engineer Associate: Complete Guide (2026)
Domain-by-domain breakdown of the Databricks Certified Data ...
Databricks Data Engineer Professional: Complete Guide (2026)
Tactics for the Databricks Certified Data Engineer Professio...