Skip to content

Fix cross-workspace auth for M2M app-to-app flow#183

Merged
calreynolds merged 1 commit intomainfrom
feat/m2m-app-fix
Feb 25, 2026
Merged

Fix cross-workspace auth for M2M app-to-app flow#183
calreynolds merged 1 commit intomainfrom
feat/m2m-app-fix

Conversation

@calreynolds
Copy link
Collaborator

@calreynolds calreynolds commented Feb 25, 2026
edited
Loading

Summary

  • Fixes two bugs that prevented the M2M cross-workspace flow from working:

    1. FMAPI (Claude API) was pointed at the target workspace instead of the Builder App's workspace where the model serving endpoint lives
    2. get_workspace_client() ignored the target workspace token — always used the Builder App's own SP env credentials, even when explicit cross-workspace credentials were set via set_databricks_auth()

  • Adds a force_token flag to set_databricks_auth() that makes get_workspace_client() use the explicit token instead of env OAuth. Only set when cross-workspace params are provided — normal Builder App behavior is unchanged.

  • Splits FMAPI and tools auth: FMAPI always stays on the Builder App's workspace, tools target the caller-specified workspace.

Changes

File Change
databricks-tools-core/.../auth.py force_token context var + kwarg on set_databricks_auth(). get_workspace_client() checks it first.
databricks-builder-app/.../routers/agent.py target_databricks_host/target_databricks_token on request model. Split FMAPI vs tools creds.
databricks-builder-app/.../services/agent.py fmapi_host/fmapi_token/is_cross_workspace params. FMAPI env uses fmapi_*, tools use databricks_* with force_token.

Test plan

  • Deploy Builder App on workspace A, verify normal (single-workspace) behavior is unchanged
  • Deploy client app on workspace B with SP credentials for workspace C (e2-demo-field-eng)
  • Send a request through the client app and verify resources are created on workspace C, not workspace A
  • Verify Claude API calls (FMAPI) still route through workspace A's model serving endpoint

Made with Cursor

@calreynolds @cursoragent
Fix cross-workspace auth for M2M app-to-app flow
b253942 
Two bugs prevented the M2M cross-workspace flow from working:

1. FMAPI (Claude API) was pointed at the target workspace instead of
   staying on the Builder App's workspace where the model serving
   endpoint lives.

2. get_workspace_client() always used env OAuth credentials (the Builder
   App's own SP), ignoring the explicit target workspace token set via
   set_databricks_auth().

Fix:
- Add force_token flag to set_databricks_auth() that makes
  get_workspace_client() use the explicit token instead of env OAuth.
  Only set when cross-workspace params are provided — normal Builder
  App behavior is unchanged.
- Split FMAPI and tools auth in the router: FMAPI always uses the
  Builder App's own workspace, tools use the target workspace.
- Add fmapi_host/fmapi_token params to stream_agent_response to keep
  the two auth contexts separate.

Co-authored-by: Cursor <cursoragent@cursor.com>
@calreynolds calreynolds merged commit 09e2d2e into main Feb 25, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@calreynolds