cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Help
Data Engineering
Join discussions on data engineering best practices, architectures, and optimization strategies within the Databricks Community. Exchange insights and solutions with fellow data engineers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 

Service principle Personal Access Token permissions

Go to solution
yit337
Contributor

โ€Ž02-12-2026 11:53 PM

Hello,

I'm using a generated PAT from Service Principal to access Databricks from other tools. 

Now I've extended the permissions of the Service Principal. Should I re-generate the PAT? Or is the PAT used only for authentication, and authorisation is decided in real time during access?

0 Kudos
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
anshu_roy
Databricks Employee
Databricks Employee

โ€Ž02-13-2026 02:49 AM

Hello,

The PAT is an authentication credential for your service principal; authorization is evaluated at request time based on the current permissions of that principal (and token permissions, if enabled), not the moment the token was created.
So if you only extended the service principalโ€™s permissions (for example, more workspace / UC privileges), you do not need to reโ€‘generate the PAT. As long as the token is still valid and the SP still has permission to use tokens, the existing PAT will pick up the new permissions automatically.
The only time youโ€™d need a new token is if the old one was revoked, expired, or the principal temporarily lost โ€œCAN USEโ€ token permission (in which case tokens become unusable until that permission is restored).

View solution in original post

2 REPLIES 2

Go to solution
anshu_roy
Databricks Employee
Databricks Employee

โ€Ž02-13-2026 02:49 AM

Hello,

The PAT is an authentication credential for your service principal; authorization is evaluated at request time based on the current permissions of that principal (and token permissions, if enabled), not the moment the token was created.
So if you only extended the service principalโ€™s permissions (for example, more workspace / UC privileges), you do not need to reโ€‘generate the PAT. As long as the token is still valid and the SP still has permission to use tokens, the existing PAT will pick up the new permissions automatically.
The only time youโ€™d need a new token is if the old one was revoked, expired, or the principal temporarily lost โ€œCAN USEโ€ token permission (in which case tokens become unusable until that permission is restored).

Go to solution
yit337
Contributor

โ€Ž02-13-2026 03:11 AM

Thanks for the great answer @anshu_roy 
Where can I check the token permissions?

0 Kudos
Announcements