<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: OBO Authentication with Unity AI Gateway and databricks.agents.deploy() in Generative AI</title>
    <link>https://community.databricks.com/t5/generative-ai/obo-authentication-with-unity-ai-gateway-and-databricks-agents/m-p/160985#M1907</link>
    <description>&lt;P&gt;Based on what's currently documented, here's where things stand:&lt;/P&gt;&lt;P&gt;1. Is OBO supported for the new standalone Unity AI Gateway (the Beta one in the left nav, distinct from classic "AI Gateway on a serving endpoint")?&lt;/P&gt;&lt;P&gt;Not yet, as far as the public documentation shows. The UserAuthPolicy.api_scopes list that databricks-agents/MLflow's AuthPolicy recognizes is built from a fixed enum of REST API scope strings (things like serving.serving-endpoints, vectorsearch.vector-search-endpoints, dashboards.genie, sql, etc.), and ai-gateway isn't one of them, which is exactly the validation error you're hitting. The standalone Unity AI Gateway (the one that logs to system.ai_gateway.usage and lives under the "AI Gateway" left-nav item, as opposed to the classic per-serving-endpoint AI Gateway) is itself still Beta, and OBO/per-user identity propagation into it from a Mosaic Agent Framework deployment doesn't appear to be wired up yet in databricks-agents==1.11.0 / mlflow==3.12.0.&lt;/P&gt;&lt;P&gt;2. What scope string should you use?&lt;/P&gt;&lt;P&gt;There isn't a published one yet. ai-gateway is not valid (as you found), and there's no ai-gateway.*-style scope documented alongside the others in the agent-authentication scope table.&lt;/P&gt;&lt;P&gt;3. Is there an MLflow resource type for it?&lt;/P&gt;&lt;P&gt;No, mlflow.models.resources currently only exposes DatabricksServingEndpoint, DatabricksVectorSearchIndex, DatabricksSQLWarehouse, DatabricksFunction, DatabricksGenieSpace, DatabricksTable, and DatabricksUCConnection. There's no DatabricksAIGateway/equivalent resource type for SystemAuthPolicy or UserAuthPolicy yet.&lt;/P&gt;&lt;P&gt;4. Workarounds people are actually using right now:&lt;/P&gt;&lt;P&gt;- If what you're really trying to reach is a Foundation Model API / model serving endpoint that happens to have AI Gateway features turned on (rate limits, guardrails, usage tracking, inference tables), that's still just a serving endpoint under the hood; query it with the serving.serving-endpoints scope and DatabricksServingEndpoint resource, same as any other Model Serving OBO call. The "AI Gateway" branding on that endpoint doesn't change the auth path.&lt;BR /&gt;- If you specifically need the standalone Unity AI Gateway product (the one governing MCP servers, external models, coding-agent routing, etc.), OBO from a deployed Agent Framework model isn't supported yet — the documented pattern (Databricks Apps with user_api_scopes in databricks.yml/UI, e.g. serving.serving-endpoints, dashboards.genie) is for Databricks Apps, not agents.deploy(). So today the practical option is to either (a) call it with system/service-principal auth instead of OBO, accepting that you lose per-user attribution, or (b) move that piece of the workflow into a Databricks App, which does support broader, more granular OAuth scopes including newer ones as they roll out.&lt;BR /&gt;- Since this is a Beta feature, scope support is actively changing; worth filing this directly with your Databricks account team / support, since ai-gateway OBO scopes for Agent Framework deployments sound like exactly the kind of gap they'd want a paying-customer signal on.&lt;/P&gt;&lt;P&gt;I'd treat this as "not supported yet" rather than "you're missing a flag"; nothing in the current docs shows a valid scope value for it. If you want, I can help you check via databricks api get or the SDK whether your workspace's scope enum has anything AI-Gateway-related that isn't yet in public docs.&lt;/P&gt;</description>
    <pubDate>Tue, 30 Jun 2026 16:24:56 GMT</pubDate>
    <dc:creator>aliyasingh</dc:creator>
    <dc:date>2026-06-30T16:24:56Z</dc:date>
    <item>
      <title>OBO Authentication with Unity AI Gateway and databricks.agents.deploy()</title>
      <link>https://community.databricks.com/t5/generative-ai/obo-authentication-with-unity-ai-gateway-and-databricks-agents/m-p/160960#M1905</link>
      <description>&lt;P&gt;Hi everyone,&lt;/P&gt;&lt;P&gt;I'm trying to use the new Unity AI Gateway v2 (beta) endpoint from an agent deployed with the Mosaic AI Agent Framework and I'm running into what looks like a scope mismatch.&lt;/P&gt;&lt;H5&gt;Library versions&lt;/H5&gt;&lt;PRE&gt;databricks-agents==1.11.0&lt;BR /&gt;mlflow==3.12.0&lt;BR /&gt;python~3.12&lt;/PRE&gt;&lt;H5&gt;Setup&lt;/H5&gt;&lt;P&gt;I deploy my agent using:&lt;/P&gt;&lt;PRE&gt;databricks.agents.deploy(...)&lt;/PRE&gt;&lt;DIV&gt;and I configure OBO authentication through:&lt;PRE&gt;AuthPolicy(&lt;BR /&gt;    system_auth_policy=SystemAuthPolicy(...),&lt;BR /&gt;    user_auth_policy=UserAuthPolicy(&lt;BR /&gt;        api_scopes=[&lt;BR /&gt;            "sql",&lt;BR /&gt;            "unity-catalog",&lt;BR /&gt;            "vector-search",&lt;BR /&gt;            "model-serving",&lt;BR /&gt;        ]&lt;BR /&gt;    ),&lt;BR /&gt;)&lt;/PRE&gt;&lt;DIV&gt;The agent is able to successfully use OBO authentication for other Databricks services.&lt;H5&gt;Goal&lt;/H5&gt;&lt;DIV&gt;I want the agent to call a &lt;STRONG&gt;Unity AI Gateway endpoint (the new AI Gateway visible in the left navigation menu), using the end user's identity.&lt;/STRONG&gt;&lt;H5&gt;Problem&lt;/H5&gt;&lt;DIV&gt;When the agent calls the AI Gateway endpoint, the request reaches the service but fails with an error similar to:&lt;PRE&gt;missing scope: ai-gateway&lt;/PRE&gt;&lt;DIV&gt;&lt;P&gt;This suggests that the OBO token provided to the agent does not contain an ai-gateway scope.&lt;/P&gt;&lt;P&gt;However, when I try to add:&lt;/P&gt;&lt;PRE&gt;UserAuthPolicy(&lt;BR /&gt;    api_scopes=[&lt;BR /&gt;        "ai-gateway"&lt;BR /&gt;    ]&lt;BR /&gt;)&lt;/PRE&gt;&lt;DIV&gt;the deployment fails because ai-gateway is not recognized as a valid API scope.&lt;H5&gt;Questions&lt;/H5&gt;&lt;DIV&gt;&lt;OL&gt;&lt;LI&gt;Is OBO authentication currently supported for the new Unity AI Gateway endpoints when deploying with databricks.agents.deploy()?&lt;/LI&gt;&lt;LI&gt;If yes, what value should be added to UserAuthPolicy.api_scopes?&lt;/LI&gt;&lt;LI&gt;Is there currently a supported MLflow resource type or AuthPolicy configuration for AI Gateway endpoints?&lt;/LI&gt;&lt;LI&gt;If this is not yet supported, what is the recommended approach?&lt;P&gt;Has anyone managed to successfully invoke a Unity AI Gateway endpoint from an OBO-authenticated Mosaic AI Agent?&lt;/P&gt;&lt;P&gt;Thanks!&lt;/P&gt;&lt;/LI&gt;&lt;/OL&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;</description>
      <pubDate>Tue, 30 Jun 2026 13:36:25 GMT</pubDate>
      <guid>https://community.databricks.com/t5/generative-ai/obo-authentication-with-unity-ai-gateway-and-databricks-agents/m-p/160960#M1905</guid>
      <dc:creator>Froffri</dc:creator>
      <dc:date>2026-06-30T13:36:25Z</dc:date>
    </item>
    <item>
      <title>Re: OBO Authentication with Unity AI Gateway and databricks.agents.deploy()</title>
      <link>https://community.databricks.com/t5/generative-ai/obo-authentication-with-unity-ai-gateway-and-databricks-agents/m-p/160962#M1906</link>
      <description>&lt;P&gt;I just want to add that I had the same exact issue when trying to use the VectorSearchClient class. However, instead of "ai-gateway", it requested "all-apis" as scope, which isn't in the allowed list when deploying the chatbot.&lt;/P&gt;</description>
      <pubDate>Tue, 30 Jun 2026 13:43:10 GMT</pubDate>
      <guid>https://community.databricks.com/t5/generative-ai/obo-authentication-with-unity-ai-gateway-and-databricks-agents/m-p/160962#M1906</guid>
      <dc:creator>Froffri</dc:creator>
      <dc:date>2026-06-30T13:43:10Z</dc:date>
    </item>
    <item>
      <title>Re: OBO Authentication with Unity AI Gateway and databricks.agents.deploy()</title>
      <link>https://community.databricks.com/t5/generative-ai/obo-authentication-with-unity-ai-gateway-and-databricks-agents/m-p/160985#M1907</link>
      <description>&lt;P&gt;Based on what's currently documented, here's where things stand:&lt;/P&gt;&lt;P&gt;1. Is OBO supported for the new standalone Unity AI Gateway (the Beta one in the left nav, distinct from classic "AI Gateway on a serving endpoint")?&lt;/P&gt;&lt;P&gt;Not yet, as far as the public documentation shows. The UserAuthPolicy.api_scopes list that databricks-agents/MLflow's AuthPolicy recognizes is built from a fixed enum of REST API scope strings (things like serving.serving-endpoints, vectorsearch.vector-search-endpoints, dashboards.genie, sql, etc.), and ai-gateway isn't one of them, which is exactly the validation error you're hitting. The standalone Unity AI Gateway (the one that logs to system.ai_gateway.usage and lives under the "AI Gateway" left-nav item, as opposed to the classic per-serving-endpoint AI Gateway) is itself still Beta, and OBO/per-user identity propagation into it from a Mosaic Agent Framework deployment doesn't appear to be wired up yet in databricks-agents==1.11.0 / mlflow==3.12.0.&lt;/P&gt;&lt;P&gt;2. What scope string should you use?&lt;/P&gt;&lt;P&gt;There isn't a published one yet. ai-gateway is not valid (as you found), and there's no ai-gateway.*-style scope documented alongside the others in the agent-authentication scope table.&lt;/P&gt;&lt;P&gt;3. Is there an MLflow resource type for it?&lt;/P&gt;&lt;P&gt;No, mlflow.models.resources currently only exposes DatabricksServingEndpoint, DatabricksVectorSearchIndex, DatabricksSQLWarehouse, DatabricksFunction, DatabricksGenieSpace, DatabricksTable, and DatabricksUCConnection. There's no DatabricksAIGateway/equivalent resource type for SystemAuthPolicy or UserAuthPolicy yet.&lt;/P&gt;&lt;P&gt;4. Workarounds people are actually using right now:&lt;/P&gt;&lt;P&gt;- If what you're really trying to reach is a Foundation Model API / model serving endpoint that happens to have AI Gateway features turned on (rate limits, guardrails, usage tracking, inference tables), that's still just a serving endpoint under the hood; query it with the serving.serving-endpoints scope and DatabricksServingEndpoint resource, same as any other Model Serving OBO call. The "AI Gateway" branding on that endpoint doesn't change the auth path.&lt;BR /&gt;- If you specifically need the standalone Unity AI Gateway product (the one governing MCP servers, external models, coding-agent routing, etc.), OBO from a deployed Agent Framework model isn't supported yet — the documented pattern (Databricks Apps with user_api_scopes in databricks.yml/UI, e.g. serving.serving-endpoints, dashboards.genie) is for Databricks Apps, not agents.deploy(). So today the practical option is to either (a) call it with system/service-principal auth instead of OBO, accepting that you lose per-user attribution, or (b) move that piece of the workflow into a Databricks App, which does support broader, more granular OAuth scopes including newer ones as they roll out.&lt;BR /&gt;- Since this is a Beta feature, scope support is actively changing; worth filing this directly with your Databricks account team / support, since ai-gateway OBO scopes for Agent Framework deployments sound like exactly the kind of gap they'd want a paying-customer signal on.&lt;/P&gt;&lt;P&gt;I'd treat this as "not supported yet" rather than "you're missing a flag"; nothing in the current docs shows a valid scope value for it. If you want, I can help you check via databricks api get or the SDK whether your workspace's scope enum has anything AI-Gateway-related that isn't yet in public docs.&lt;/P&gt;</description>
      <pubDate>Tue, 30 Jun 2026 16:24:56 GMT</pubDate>
      <guid>https://community.databricks.com/t5/generative-ai/obo-authentication-with-unity-ai-gateway-and-databricks-agents/m-p/160985#M1907</guid>
      <dc:creator>aliyasingh</dc:creator>
      <dc:date>2026-06-30T16:24:56Z</dc:date>
    </item>
  </channel>
</rss>

