topic Service principle Personal Access Token permissions in Data Engineering

Service principle Personal Access Token permissions

yit337 — Fri, 13 Feb 2026 07:53:56 GMT

Hello,

I'm using a generated PAT from Service Principal to access Databricks from other tools.

Now I've extended the permissions of the Service Principal. Should I re-generate the PAT? Or is the PAT used only for authentication, and authorisation is decided in real time during access?

Re: Service principle Personal Access Token permissions

anshu_roy — Fri, 13 Feb 2026 10:49:08 GMT

Hello,

The PAT is an authentication credential for your service principal; authorization is evaluated at request time based on the current permissions of that principal (and token permissions, if enabled), not the moment the token was created.
So if you only extended the service principal’s permissions (for example, more workspace / UC privileges), you do not need to re‑generate the PAT. As long as the token is still valid and the SP still has permission to use tokens, the existing PAT will pick up the new permissions automatically.
The only time you’d need a new token is if the old one was revoked, expired, or the principal temporarily lost “CAN USE” token permission (in which case tokens become unusable until that permission is restored).

Re: Service principle Personal Access Token permissions

yit337 — Fri, 13 Feb 2026 11:11:54 GMT

Thanks for the great answer @anshu_roy
Where can I check the token permissions?