You have agents that retrieve data, reason over it, and take action. You have natural language interfaces, document search, and tool integrations. Each of these needs to call models, access data, and invoke tools, all while preserving the caller's identity and enforcing access policies at every hop.
The orchestration layer is where identity meets infrastructure: serving endpoints, MCP servers, AI Gateway, and Databricks Apps each play a role. The question is how they compose, and how governance flows through the entire chain without gaps.
This deck maps the four pillars of AI orchestration and shows where governance is enforced at each layer.
Each solves a different problem. All governed by Unity Catalog.
Deploy agents, foundation models, and custom models. Three auth methods: automatic passthrough, OBO, and manual.
Standardized tool calling for agents. Managed (Genie, VS, Functions, SQL), External (via UC connections), or Custom (Databricks Apps).
Rate limiting, guardrails, inference tables, traffic splitting, and fallback routing for serving endpoints.
Managed hosting with automatic OAuth, UC integration, and user identity propagation. Streamlit, Dash, Gradio, React.
Unity Catalog is the common governance layer: permissions, row filters, column masks, audit logs, and connections. Same enforcement regardless of orchestration path.
Simplest. Databricks manages everything.
| How | Declare resource dependencies at log time |
| Identity | System-generated SP with least-privilege |
| Tokens | Short-lived M2M OAuth, auto-rotated |
| Best for | No per-user access needed |
Agent runs as the calling user.
| How | Initialize in predict() with user credentials |
| Identity | current_user() = human email |
| Tokens | Downscoped to declared API scopes |
| Best for | Per-user access control + audit |
Explicit credentials. Maximum flexibility.
| How | SP OAuth (recommended) or PAT via secrets |
| Identity | Service principal |
| Tokens | Manual rotation management |
| Best for | External resources, prompt registry, no passthrough |
Mix and match: Use automatic for Vector Search, OBO for Genie, and manual for external APIs, all in the same agent.
| serving.serving-endpoints | Model Serving |
| vectorsearch.* | Vector Search |
| sql.warehouses | SQL Warehouses |
| dashboards.genie | Genie spaces |
| catalog.connections | UC connections |
Key constraint: OBO user identity is only known at query time. Resources must be initialized in predict(), not __init__().
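This constraint can be sketched in pure Python. `UserScopedClient` and the `request` shape below are illustrative stand-ins for the real serving request context and Databricks SDK client, not the actual API:

```python
# Sketch: why per-user resources belong in predict(), not __init__().
# UserScopedClient is a hypothetical stand-in for a Databricks SDK client
# built from the caller's downscoped OBO token.

class UserScopedClient:
    def __init__(self, user_token: str):
        self.user_token = user_token

    def current_user(self) -> str:
        # Stand-in: derive the identity carried by the forwarded token.
        return self.user_token.removeprefix("token-for-")


class OboAgent:
    def __init__(self):
        # No user identity exists yet at model-load time, so nothing
        # user-scoped can be created here.
        pass

    def predict(self, request: dict) -> str:
        # The caller's token only arrives with the request, so the
        # user-scoped client must be built per call.
        client = UserScopedClient(request["user_token"])
        return f"query ran as {client.current_user()}"


agent = OboAgent()
print(agent.predict({"user_token": "token-for-alice@example.com"}))
print(agent.predict({"user_token": "token-for-bob@example.com"}))
```

The same agent instance serves different callers, each under their own identity — which is exactly why a client cached in `__init__()` would be wrong.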
Identity arrives via the x-forwarded-access-token header, with no login flows required. Deploy with databricks apps deploy from Git.
vs. External hosting: no token exchange, no VPN config, no separate infrastructure. Trade-off: less flexibility for simpler security.
Model Context Protocol standardizes tool calling for agents. Databricks supports three flavors.
Databricks-hosted, ready to use
| Genie | NL analytics |
| Vector Search | Retrieval |
| UC Functions | Deterministic tools |
| DBSQL | SQL execution |
Third-party servers via UC HTTP connections
| Pattern | uc://connections/{name} |
| Proxy | UC handles credential injection |
| Access | USE CONNECTION grant |
Your servers on Databricks Apps
| Hosting | Databricks Apps |
| Auth | OAuth only (PAT not supported) |
| Use case | Org-specific tools, custom logic |
DatabricksMCPClient: declare MCP URLs and scopes when logging your agent for verification at deploy time.
| mcp.genie | Genie spaces |
| mcp.functions | UC functions |
| mcp.vectorsearch | Vector Search |
| mcp.sql + sql.* | DBSQL |
| mcp.external | External MCP via UC connections |
Minimize scopes: only request what your agent actually needs.
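Scope minimization follows mechanically from the table above — request only the scopes for the MCP server types the agent actually declares. A small sketch (the mapping mirrors the table; the helper itself is illustrative):

```python
# Sketch: derive the minimal OAuth scope set from the MCP server types an
# agent actually uses. Mapping taken from the scope table above.

MCP_SCOPES = {
    "genie": ["mcp.genie"],
    "functions": ["mcp.functions"],
    "vectorsearch": ["mcp.vectorsearch"],
    "dbsql": ["mcp.sql", "sql.*"],
    "external": ["mcp.external"],
}

def minimal_scopes(server_types: list[str]) -> list[str]:
    """Request only the scopes the declared MCP servers require."""
    scopes: set[str] = set()
    for t in server_types:
        scopes.update(MCP_SCOPES[t])
    return sorted(scopes)

# An agent using Genie + DBSQL needs exactly three scopes, nothing more.
print(minimal_scopes(["genie", "dbsql"]))
```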
External clients: Claude, Cursor, ChatGPT, and MCP Inspector can connect to Databricks MCP servers via OAuth or PAT (managed/external only).
Bring your own IdP. No Databricks secrets required.
For users. Configure at account level. Maps IdP users to Databricks users via SCIM sync. Corporate IdPs like Okta, Entra.
For automation. Configure on service principal. Maps workload identity (GitHub Actions, GitLab CI, Azure DevOps) to SP. Zero secrets in code.
Azure special case: Entra tokens work directly with Azure Databricks, with no exchange needed. Use MSAL with scope 2ff814a6-.../.default.
| 1 | App authenticates with your IdP, receives a JWT |
| 2 | POST JWT to /oidc/v1/token with grant_type urn:ietf:params:oauth:grant-type:token-exchange |
| 3 | Databricks validates JWT against federation policy, returns scoped OAuth token |
| 4 | Use Databricks token to call APIs: Authorization: Bearer <token> |
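Step 2 above can be sketched as the form body POSTed to /oidc/v1/token. The field names follow RFC 8693 token exchange; the `scope` value is an assumption to adjust to your federation policy, and actually sending the request (e.g. via urllib.request) is omitted:

```python
# Sketch of step 2: building the token-exchange request body for
# <workspace-url>/oidc/v1/token. Field names per RFC 8693.

from urllib.parse import urlencode

def token_exchange_body(idp_jwt: str) -> dict:
    return {
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "subject_token": idp_jwt,  # the JWT your IdP issued in step 1
        "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
        "scope": "all-apis",       # assumption: narrow per your policy
    }

body = token_exchange_body("eyJhbGciOi...")  # truncated example JWT
print(urlencode(body).split("&")[0])
```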
Corporate: Okta, Entra, Ping, Auth0
CI/CD: GitHub Actions, Azure DevOps, GitLab CI, CircleCI
Cloud: AWS IAM, GCP Workload Identity, Kubernetes
Any OIDC-compliant provider that issues JWTs with iss, aud, and sub claims.
Security: Handle tokens server-side only. Never expose IdP or Databricks tokens to the browser. Tokens are short-lived; re-exchange when needed.
Configured directly on Model Serving endpoints. Governs LLM traffic at the point of consumption.
QPM or TPM at four levels: endpoint-wide, per-user default, custom user/SP overrides, and user groups. Max 20 rate limits per endpoint.
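One plausible way to read the four levels is most-specific-wins: a custom override beats a group limit, which beats the per-user default, which beats the endpoint-wide cap. The sketch below models that resolution order; the actual precedence rules are an assumption to verify against the product docs:

```python
# Sketch: resolving which rate limit applies to a caller, assuming
# most-specific-wins precedence (override > group > per-user > endpoint).

def effective_limit(limits: dict, principal: str, groups: list[str]):
    if principal in limits.get("overrides", {}):
        return limits["overrides"][principal]
    for g in groups:
        if g in limits.get("groups", {}):
            return limits["groups"][g]
    if "per_user_default" in limits:
        return limits["per_user_default"]
    return limits.get("endpoint")

limits = {
    "endpoint": 1000,             # QPM shared across all callers
    "per_user_default": 50,
    "groups": {"analysts": 100},
    "overrides": {"batch-sp": 500},
}
print(effective_limit(limits, "batch-sp", []))        # SP override wins
print(effective_limit(limits, "alice", ["analysts"])) # group beats default
```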
Safety filtering via Llama Guard 2 (violence, hate speech). PII detection for credit cards, SSN, emails, phone numbers. Options: Block, Mask, or None.
Auto-log all requests/responses to UC Delta tables. Columns: request, response, status_code, execution_duration_ms, requester.
Route percentages to different models for A/B testing. Fallbacks auto-redirect on 429/5XX errors. Max 2 fallback models. Set 0% traffic for fallback-only.
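The fallback behavior can be sketched as a retry loop: any 429 or 5XX response redirects the request to the next configured model. `call_fn` stands in for the real model invocation:

```python
# Sketch of fallback routing: on 429/5XX the request is retried against the
# next fallback model (max 2 fallbacks, so at most 3 models total).

def route_with_fallback(models: list[str], call_fn):
    assert len(models) <= 3, "primary + at most 2 fallbacks"
    for name in models:
        status, body = call_fn(name)
        if status == 429 or 500 <= status < 600:
            continue  # auto-redirect to the next model
        return name, body
    raise RuntimeError("all models failed")

# Simulated backend: primary is rate-limited, fallback succeeds.
responses = {"gpt-primary": (429, None), "claude-fallback": (200, "ok")}
used, body = route_with_fallback(
    ["gpt-primary", "claude-fallback"], lambda m: responses[m]
)
print(used, body)
```

Setting the primary to 0% traffic in a split gives the fallback-only pattern mentioned above: the model receives requests only when another model errors.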
system.serving.endpoint_usage for token counts and costs. usage_context parameter for per-project or per-user chargeback attribution.
| Feature | External Models | Foundation (PT) | Foundation (PPT) | Agents | Custom |
|---|---|---|---|---|---|
| Rate Limiting | ✓ | ✓ | ✓ | — | ✓ |
| Payload Logging | ✓ | ✓ | ✓ | ✓ | ✓ |
| Usage Tracking | ✓ | ✓ | ✓ | — | ✓ |
| AI Guardrails | ✓ | ✓ | ✓ | — | — |
| Fallbacks | ✓ | — | — | — | — |
| Traffic Split | ✓ | ✓ | — | — | ✓ |
External models get the most complete support: OpenAI, Anthropic, Cohere, Bedrock, Vertex AI, Azure OpenAI, and any OpenAI-compatible endpoint.
Paid features: Payload logging, usage tracking. Free: Permissions, rate limiting, fallbacks, traffic splitting.
Patterns 2 + 4 are additive: External API gateway handles the boundary. Databricks AI Gateway governs LLM consumption. UC governs the data. Each layer has its own job.
User → App → Gateway → Genie → UC
Gateway has two bad options:
current_user() = gateway-svc: row filters fire as the gateway, not the user. Silent data leakage.
UC enforcement happens at the data plane: a gateway can observe HTTP traffic but cannot see which rows were filtered.
User → App → Genie → UC
User token arrives at Genie unchanged.
current_user() = reviewer@company.com
Databricks Apps already has a platform-managed proxy that handles OAuth validation and identity injection. An external gateway creates a redundant, conflicting auth layer.
Application code never calls external services directly. UC proxies the call, checks authorization, injects credentials.
| Network (SNP) | Workspace-level FQDN allowlist. Defines the approved destination universe. Anything not listed is unreachable at network layer. |
| Credential (UC) | Per-app authorization. USE CONNECTION grant controls which SP can authenticate to which service. Enforced before any network traffic. |
-- Grant access
GRANT USE CONNECTION ON CONNECTION github_api TO `sp-appeals`;
-- Instant revocation
REVOKE USE CONNECTION ON CONNECTION github_api FROM `sp-billing`;
No redeploy, no code change. Credential stored encrypted in UC; app code never receives the raw value.
Governance assumption: Credentials must live exclusively in UC Connections (not env vars or secrets). Enforce via CI/CD secret scanning + system.access.audit.
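The CI/CD enforcement half of that assumption can be sketched as a secret scan that fails the build when credentials appear in code. The regex patterns are illustrative (Databricks PATs conventionally start with `dapi`), not an exhaustive ruleset:

```python
# Sketch: a CI check flagging hard-coded credentials, supporting the rule
# that secrets live only in UC Connections. Patterns are illustrative.

import re

SECRET_PATTERNS = [
    re.compile(r"dapi[0-9a-f]{32}"),              # PAT-style token
    re.compile(r"(?i)api[_-]?key\s*=\s*['\"]\w+"),  # inline API key
]

def scan(source: str) -> list[str]:
    """Return the patterns that matched; empty list means clean."""
    return [p.pattern for p in SECRET_PATTERNS if p.search(source)]

clean = 'conn = w.connections.get("github_api")  # credential stays in UC'
leaky = 'API_KEY = "abc123secret"'
print(scan(clean), scan(leaky))
```

Pair this with queries over system.access.audit to catch credential use that bypasses UC Connections at runtime.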
| Resource | OAuth Scope | UC Grant | Enforcement |
|---|---|---|---|
| SQL Warehouse | sql | CAN USE | Token + UC |
| Genie Space | genie + dashboards.genie | Space access + tables | Token + UC |
| Model Serving | serving | CAN QUERY | Token + UC |
| Vector Search | sql | SELECT on index | Token + UC |
| UC Connection | sql | USE CONNECTION | Token + UC |
| UC Function | sql | EXECUTE | Token + UC |
| MCP Server | mcp.* | Per MCP type | Token + UC |
Key insight: Scopes limit what the token can do. Grants limit what the identity can access. Both enforce independently. Revoking either blocks access.
Configure only what your app needs. The list of available scopes grows as Databricks adds capabilities. Principle of least privilege at every layer.
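The dual-enforcement rule can be sketched as a conjunction — access requires both the scope on the token and the grant on the identity, so revoking either blocks the call:

```python
# Sketch: token scopes and UC grants enforce independently.
# Access requires BOTH; revoking either one blocks the request.

def authorized(token_scopes: set, uc_grants: set,
               needed_scope: str, needed_grant: str) -> bool:
    return needed_scope in token_scopes and needed_grant in uc_grants

# Example from the table: querying a Model Serving endpoint.
print(authorized({"serving"}, {"CAN QUERY"}, "serving", "CAN QUERY"))  # both present
print(authorized({"serving"}, set(), "serving", "CAN QUERY"))          # grant revoked
print(authorized(set(), {"CAN QUERY"}, "serving", "CAN QUERY"))        # scope missing
```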
All four enforce USE CONNECTION on the Databricks side. The difference: what identity does the external service see?
| Method | External Identity | Credential Lifecycle | Best For |
|---|---|---|---|
| Bearer Token | Shared (one static token) | Manual rotation | Simple APIs with static keys |
| OAuth M2M | Shared (service/app credentials) | Auto-refresh | Service-to-service, no user context |
| OAuth U2M Shared | Shared (one user's OAuth token) | Auto-refresh | OAuth services without M2M support |
| OAuth U2M Per User | Per user (individual OAuth token) | Auto-refresh per user | User-scoped data (Drive, Gmail, repos) |
U2M Per User is the only method with true end-to-end per-user identity. Each user completes OAuth consent once. Databricks stores their individual refresh token.
Supported for U2M Per User: Google (Drive, Docs, Gmail, Calendar), GitHub, Glean, SharePoint, and custom OAuth services with standard authorization code flow.
Each user authenticates separately. User-scoped data access at the external service.
1. User triggers action in Databricks App/Agent
2. App calls UC Connection proxy
3. USE CONNECTION check passes
4. First time? User redirected to OAuth consent
Redirect URI: <workspace>/login/oauth/http.html
5. User grants access at external provider
6. Databricks stores per-user refresh token
7. Subsequent calls: auto-refresh, no consent needed
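The control flow of steps 4–7 can be modeled in a few lines. A real connection proxy stores refresh tokens server-side and performs actual OAuth; this sketch captures only the first-call-consent / subsequent-call-refresh behavior:

```python
# Sketch of the per-user consent-and-refresh flow above. PerUserConnection
# is an illustrative model of the UC connection proxy, not a real API.

class PerUserConnection:
    def __init__(self):
        self.refresh_tokens: dict = {}  # user -> stored refresh token

    def call(self, user: str) -> str:
        if user not in self.refresh_tokens:
            # Step 4: first call redirects the user to OAuth consent.
            return "redirect:<workspace>/login/oauth/http.html"
        # Step 7: subsequent calls auto-refresh, no consent needed.
        return f"api-call-as:{user}"

    def complete_consent(self, user: str, refresh_token: str):
        # Step 6: store the per-user refresh token.
        self.refresh_tokens[user] = refresh_token


conn = PerUserConnection()
print(conn.call("reviewer@company.com"))      # first time: consent redirect
conn.complete_consent("reviewer@company.com", "rt-123")
print(conn.call("reviewer@company.com"))      # now: direct, user-scoped call
```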
| Databricks side | USE CONNECTION checks current_user() |
| External side | Individual user's OAuth token, user sees only their data |
| User leaves | Only their access breaks, not everyone's |
| Audit trail | Per-user at both Databricks and external service |
redirect_uri_mismatch: The redirect URI in the OAuth provider must exactly match what Databricks sends: <workspace-url>/login/oauth/http.html. No trailing slash, no extra spaces. Check the error details page for the exact URI.
admin_policy_enforced: The organization admin blocks unauthorized third-party OAuth apps. The OAuth Client ID must be allowlisted in the admin console (e.g., Google Admin > Security > API Controls). No scope will work until this is resolved.
offline_access scope: Required to obtain a refresh token. Without it, the connection works for ~1 hour (access token lifetime) then fails silently. Always include this scope for U2M connections.
Connection name cannot be changed after creation. It becomes part of the MCP proxy URL. Choose a stable, descriptive name.
Creator has irrevocable USE CONNECTION. Transfer ownership via ALTER CONNECTION ... SET OWNER TO ... if the creator should lose access.
isMcpConnection cannot be toggled after creation. Delete and recreate if you need to change it.
| 3 | Agent auth methods: Automatic Passthrough, OBO, Manual |
| 3 | MCP types: Managed, External, and Custom, all UC-governed |
| 4 | Gateway patterns: No Gateway, AI Gateway, UC Connections, External |
| 4 | UC connection auth methods: Bearer, M2M, U2M Shared, U2M Per User |
| 2 | Federation types: Account-wide (users) and Workload Identity (automation) |
| 1 | Governance model: UC scopes, grants, row filters, column masks, connections |
Unity Catalog is the common denominator.
Regardless of orchestration path (Apps, MCP, Gateway, or Federation), UC enforces governance at the data plane.