cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Get Started Discussions
Start your journey with Databricks by joining discussions on getting started guides, tutorials, and introductory topics. Connect with beginners and experts alike to kickstart your Databricks experience.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Is the databricks token expired?

pikachu89
New Contributor

Sunday

Hi all,

I set up a serverless endpoint for my agent via an S-account. This S-account is also granted access to another serverless endpoint. During the inference of my endpoint, I use the Databricks SDK to connect to the other endpoint without explicitly declaring the BEARER TOKEN:
```

workspace_client = WorkspaceClient()
client = workspace_client.serving_endpoints.get_open_ai_client()
response = client.responses.create(
    model=tool_config['endpoint_name'],
    input=request.get("input", []),
    stream=False,
    extra_body={
        "user": request.get("user", []),
        "databricks_options": dict(return_trace=False),
    },
)

```
I noticed that after more than 13 days without any updates of both endpoints. I got the access deny from the other endpoint. If I stop and then start my endpoint, it works again. May someone explain the token lifetime to me? Or on how does this happen? Thank you very much.

4 REPLIES 4

Ashwin_DSA
Databricks Employee
Databricks Employee

yesterday

Hi @pikachu89,

From what I can see, this does not appear to be the expected 13-day bearer token lifetime. In Model Serving, the SDK is designed to resolve auth on each request, and in the serving runtime, the injected token is read from the mounted credentials file and only cached for 300 seconds before being reread. Given that restarting the endpoint restores functionality, this points more to stale runtime auth state than to an intended token expiry.

As a practical mitigation, I’d suggest creating the WorkspaceClient inside the inference path rather than at model load time, and if possible moving to the newer databricks-openai client since get_open_ai_client() is now deprecated.

If this answer resolves your question, could you mark it as “Accept as Solution”? That helps other users quickly find the correct fix.

Regards,
Ashwin | Delivery Solution Architect @ Databricks
Helping you build and scale the Data Intelligence Platform.
***Opinions are my own***
0 Kudos

pikachu89
New Contributor
In response to Ashwin_DSA

yesterday

As I described earlier, the client is loaded only during inference time, not at model loading. Still I got the auth denied problem.

0 Kudos

Ashwin_DSA
Databricks Employee
Databricks Employee
In response to pikachu89

12 hours ago

Hi @pikachu89,

Thanks for the clarification. If the client is already being created during inference, then the usual stale-client explanation does not apply. Even then... this still does not look like an expected 13-day token lifetime. In Model Serving, the SDK resolves auth per request, and the serving runtime rereads the injected token source at a short cadence rather than holding a single token for days.

Given that a stop/start immediately fixes it, this points more to a server-side token refresh or a runtime auth issue than to something obviously wrong in your code. The best path is to raise a support ticket and submit the exact timestamp of the failure, the HTTP status and response body, request IDs, and confirmation that the downstream endpoint permissions for the service account did not change. 

It is also worth moving off get_open_ai_client(), since that path is deprecated in favour of the newer Databricks OpenAI client.

If this answer resolves your question, could you mark it as “Accept as Solution”? That helps other users quickly find the correct fix.

Regards,
Ashwin | Delivery Solution Architect @ Databricks
Helping you build and scale the Data Intelligence Platform.
***Opinions are my own***
0 Kudos

amirabedhiafi
New Contributor III

yesterday

Hello !

Yes ! it seems so 😄

WorkspaceClient() is not anonymous and your get_open_ai_client() uses the DBKS auth attached to that WorkspaceClient to query serving endpoints.  OpenAI client must be preconfigured with DBKS auth for the workspace client.

So if your endpoint process is long lived and the SDK/OpenAI client is created once and reused it may be holding a stale credential. 

For SP or oauth , DBKS oauth access tokens are valid for 1 hour and unified authentication should request new tokens automatically when configured correctly. If you manually generate tokens, you must refresh them yourself.

If this answer resolves your question, could you please mark it as “Accept as Solution”? It will help other users quickly find the correct fix.

Senior BI/Data Engineer | Microsoft MVP Data Platform | Microsoft MVP Power BI | Power BI Super User | C# Corner MVP
0 Kudos
Announcements