Skip to content

Databricks — workspace URL and personal access token

This guide walks you through how to find your Databricks workspace URL, generate a personal access token (PAT) with the appropriate API scopes, configure these values, and assign the necessary Assets and data permissions so your integrations can securely authenticate and interact with Genie and AI Agent resources.

Prerequisites

Requirement Notes
Databricks account You sign in at your workspace URL; an admin assigns workspace access to your user.
Network The client must reach the workspace hostname over HTTPS.
Permissions The user who creates the PAT needs the API scopes below. (see Assets permissions).

1. Workspace URL (DATABRICKS_HOST)

What it is: The base URL of your workspace — the same value you use in the browser to open Databricks.

Steps

  1. Sign in to Databricks (your organization’s workspace URL).
  2. Open the workspace in the browser.
  3. From the address bar:
    • Keep: https:// and the hostname only.
    • Drop: any path after the host (for example /browse, /?o=...).

Examples

  • AWS: https://dbc-xxxxxxxx.cloud.databricks.com or https://<workspace-name>.cloud.databricks.com
  • Azure: often https://adb-<digits>.<region>.azuredatabricks.net

Read more: Workspace instance names, URLs, and IDs.

2. Personal access token (DATABRICKS_TOKEN)

What it is: A personal access token (PAT). It lets the Databricks SDK or REST clients act as your user, with your workspace permissions.

Steps in the workspace UI

  1. While signed in, open the user menu (avatar, top right) → Settings.
  2. Go to Developer -> Access tokens -> Manage(wording can vary by deployment; see the PAT documentation for your cloud).
  3. Choose Generate new token.
  4. Optional: set a comment and lifetime (days until expiry).
  5. Under Scope selection, choose Other APIs (not BI Tools).

  6. In API scope(s), add all of the scopes below — they are required for Trust3 to integrate with Databricks correctly.

    API scope
    access-management
    apps
    custom-llms
    genie
    knowledge-assistants
    model-serving
    sql
    vector-search
    supervisor-agents

    Note

    If required scopes are not visible in the API scopes list, create the token using all APIs.

  7. Click Generate, then copy the token once when it is shown; it often starts with dapi.

Read more: Authenticate with personal access tokens
Azure deployments: Azure Databricks — PAT

3. Map values to configuration

What you have Typical environment variable
Workspace base URL (https://…, no path or query) DATABRICKS_HOST
Personal access token DATABRICKS_TOKEN
Databricks Environment Name DATABRICKS_ENVIRONMENT_NAME

Example:

Bash
1
2
3
DATABRICKS_HOST=https://your-workspace-hostname
DATABRICKS_TOKEN=dapixxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
DATABRICKS_ENVIRONMENT_NAME=(dev/test/prod/stage)

4. Assets permissions (minimum)

The user who creates the PAT (or the identity associated with the token) must have adequate access to the relevant Databricks assets. Ensure the required permissions are granted through the workspace Assets UI—for example, via each asset's Share or Permissions settings (labels may vary depending on the interface).

Genie space

Requirement Minimum for Trust3 Notes
Genie space (workspace asset) Can Manage Matches CAN MANAGE in Databricks Genie space ACLs. Needed to modify permissions, monitor, and fully administer the space alongside Trust3.
Data the Genie space uses Read access to those objects Databricks requires **SELECT** on the tables and views used in the space (Unity Catalog). You must also have CAN USE on the SQL warehouse configured for the space. See Required permissions in Set up and manage a Genie space.

Grant Unity Catalog access (for example SELECT on every table and view attached to the space) so the user can read the same data the Genie space is built on. Databricks notes that Genie may query additional tables permitted by UC, not only those explicitly added to the space — align grants with your security model. See Manage data objects.

AI Agent

Requirement Minimum for Trust3 Notes
AI Agent (workspace asset) Can Manage Ensures the integration identity can configure and use the agent asset as required. When agents run as Databricks Apps, Databricks documents minimum resource grants (for example Can Run on a Genie space used as a tool) in Authentication for AI agents; Trust3’s Can Manage on the AI Agent asset is the product minimum for the PAT user. Adding resources to an app may require Can Manage on those resources for the user performing setup — see Add resources to a Databricks app.

Summary

Do Don’t
Use the workspace URL with hostname only (no path after the host) Paste query strings or UI paths into DATABRICKS_HOST
Create the PAT under a user that can reach the APIs you need; include all required Other APIs scopes Share or commit the token in Git
Ensure Can Manage on Genie Space and AI Agent assets; grant SELECT / UC access on data those spaces use, plus CAN USE on the Genie SQL warehouse Rely on view-only Assets roles or omitting data / warehouse access
Store the token in a vault or restricted config Put long-lived tokens in tickets or chat
Topic Databricks docs
Workspace URL, instance names, deployment IDs Configure the Databricks client
Personal access tokens (PAT) Authenticate with personal access tokens
Azure Databricks — PAT Azure Databricks — personal access tokens
Genie space — setup, permissions, data & warehouse Set up and manage a Genie space
Genie space ACLs (CAN VIEW / RUN / EDIT / MANAGE) Access control lists — Genie space ACLs
Workspace entitlements (e.g. Databricks SQL for Genie) Manage entitlements
Unity Catalog — grant SELECT and other privileges Manage privileges in Unity Catalog
AI agents — authentication & resource permissions Authentication for AI agents
Databricks Apps — supported resources & permission levels Add resources to a Databricks app