From 3bdf98e66b768b616228164b302e8bcae66e34a9 Mon Sep 17 00:00:00 2001
From: Andrey Listopadov <andreyorst@gmail.com>
Date: Thu, 19 Mar 2026 19:30:23 +0300
Subject: [PATCH 1/3] add databricks lakebase postgress documentation

---
 .../run-aidbox-on-managed-postgresql.md       | 54 ++++++++++++++++++-
 1 file changed, 53 insertions(+), 1 deletion(-)
diff --git a/docs/deployment-and-maintenance/deploy-aidbox/run-aidbox-on-managed-postgresql.md b/docs/deployment-and-maintenance/deploy-aidbox/run-aidbox-on-managed-postgresql.md
index 575b2b658..436f6665d 100644
--- a/docs/deployment-and-maintenance/deploy-aidbox/run-aidbox-on-managed-postgresql.md
+++ b/docs/deployment-and-maintenance/deploy-aidbox/run-aidbox-on-managed-postgresql.md
@@ -1,5 +1,5 @@
 ---
-description: Run Aidbox on managed PostgreSQL services like AWS Aurora, Azure Database, and GCP Cloud SQL. Setup guide for extensions and user configuration.
+description: Run Aidbox on managed PostgreSQL services like AWS Aurora, Azure Database, GCP Cloud SQL, and Databricks Lakebase. Setup guide for extensions and user configuration.
 ---
 
 # Run Aidbox on managed PostgreSQL
@@ -39,6 +39,58 @@ Follow [Azure Documentation](https://learn.microsoft.com/en-us/azure/postgresql/
 CREATE USER aidbox WITH CREATEDB ENCRYPTED PASSWORD 'aidboxpass';
 ```
 
+### Databricks Lakebase
+
+#### Prerequisites
+
+* A Databricks workspace with [Lakebase Postgres](https://docs.databricks.com/aws/en/oltp/) enabled
+* A [service principal](https://docs.databricks.com/aws/en/admin/users-groups/service-principals) with a generated OAuth secret, [added to the workspace](https://docs.databricks.com/aws/en/admin/users-groups/service-principals#add-a-service-principal-to-a-workspace)
+* Follow [Databricks documentation](https://docs.databricks.com/aws/en/oltp/instances/pg-roles?language=PostgreSQL) to create a PostgreSQL role for the service principal.
+
+#### Configure Aidbox
+
+Lakebase uses OAuth token-based authentication. Aidbox supports both **Provisioned** and **Autoscaling** deployment modes.
+
+{% tabs %}
+{% tab title="Provisioned" %}
+```shell
+BOX_DB_HOST=<instance-id>.database.cloud.databricks.com
+BOX_DB_PORT=5432
+BOX_DB_DATABASE=databricks_postgres
+BOX_DB_USER=<client-id>
+BOX_DB_PASSWORD=placeholder
+
+BOX_DB_AUTH_METHOD=databricks-provisioned
+BOX_DB_DATABRICKS_HOST=https://your-workspace.cloud.databricks.com
+BOX_DB_DATABRICKS_PROVISIONED_INSTANCE_NAME=<instance-name>
+BOX_DB_DATABRICKS_CLIENT_ID=<client-id>
+BOX_DB_DATABRICKS_CLIENT_SECRET=<client-secret>
+```
+{% endtab %}
+{% tab title="Autoscaling" %}
+```shell
+BOX_DB_HOST=<project-id>.database.cloud.databricks.com
+BOX_DB_PORT=5432
+BOX_DB_DATABASE=databricks_postgres
+BOX_DB_USER=<client-id>
+BOX_DB_PASSWORD=placeholder
+
+BOX_DB_AUTH_METHOD=databricks-autoscale
+BOX_DB_DATABRICKS_HOST=https://your-workspace.cloud.databricks.com
+BOX_DB_DATABRICKS_AUTOSCALE_ENDPOINT=projects/<project-id>/branches/<branch-id>/endpoints/<endpoint-id>
+BOX_DB_DATABRICKS_CLIENT_ID=<client-id>
+BOX_DB_DATABRICKS_CLIENT_SECRET=<client-secret>
+```
+{% endtab %}
+{% endtabs %}
+
+{% hint style="info" %}
+`BOX_DB_USER` and `BOX_DB_DATABRICKS_CLIENT_ID` are both the service principal's application ID.
+`BOX_DB_PASSWORD` is a placeholder — the credentials provider overrides it.
+`BOX_DB_DATABRICKS_HOST` is the workspace URL (from your browser), not the database hostname.
+The same auth settings are available for read-only replica with the `BOX_DB_RO_REPLICA_*` prefix.
+{% endhint %}
+
 ### Disable installation of PostgreSQL extensions on Aidbox startup&#x20;
 
 If your PostgreSQL user used by Aidbox does not have sufficient privileges to install extensions, you can disable the installation of extensions on startup of Aidbox by setting the environment variable `AIDBOX_INSTALL_PG_EXTENSIONS` to `false`.&#x20;

From 91f2a517aaeffef7db613facaaec2ba73a8794f7 Mon Sep 17 00:00:00 2001
From: Andrey Listopadov <andreyorst@gmail.com>
Date: Fri, 20 Mar 2026 12:17:47 +0300
Subject: [PATCH 2/3] address review comments

---
 .../run-aidbox-on-managed-postgresql.md       |   9 +-
 docs/reference/all-settings.md                | 160 ++++++++++++++++++
 2 files changed, 167 insertions(+), 2 deletions(-)

diff --git a/docs/deployment-and-maintenance/deploy-aidbox/run-aidbox-on-managed-postgresql.md b/docs/deployment-and-maintenance/deploy-aidbox/run-aidbox-on-managed-postgresql.md
index 436f6665d..d356fea38 100644
--- a/docs/deployment-and-maintenance/deploy-aidbox/run-aidbox-on-managed-postgresql.md
+++ b/docs/deployment-and-maintenance/deploy-aidbox/run-aidbox-on-managed-postgresql.md
@@ -45,12 +45,15 @@ CREATE USER aidbox WITH CREATEDB ENCRYPTED PASSWORD 'aidboxpass';
 
 * A Databricks workspace with [Lakebase Postgres](https://docs.databricks.com/aws/en/oltp/) enabled
 * A [service principal](https://docs.databricks.com/aws/en/admin/users-groups/service-principals) with a generated OAuth secret, [added to the workspace](https://docs.databricks.com/aws/en/admin/users-groups/service-principals#add-a-service-principal-to-a-workspace)
-* Follow [Databricks documentation](https://docs.databricks.com/aws/en/oltp/instances/pg-roles?language=PostgreSQL) to create a PostgreSQL role for the service principal.
+* Follow [Databricks documentation](https://docs.databricks.com/aws/en/oltp/instances/pg-roles?language=PostgreSQL) to create a PostgreSQL role for the service principal
+* The database must already exist before starting Aidbox — Aidbox will not create it automatically when using Databricks authentication
 
 #### Configure Aidbox
 
 Lakebase uses OAuth token-based authentication. Aidbox supports both **Provisioned** and **Autoscaling** deployment modes.
 
+Aidbox fetches short-lived tokens (1 hour expiry) from Databricks and caches them for 45 minutes (configurable via `BOX_DB_CREDENTIAL_REFRESH_INTERVAL`). When the cache expires, a fresh token is fetched on the next connection. HikariCP `max-lifetime` is set to match the cache TTL so existing connections rotate before tokens expire. SSL is enforced automatically.
+
 {% tabs %}
 {% tab title="Provisioned" %}
 ```shell
@@ -88,7 +91,9 @@ BOX_DB_DATABRICKS_CLIENT_SECRET=<client-secret>
 `BOX_DB_USER` and `BOX_DB_DATABRICKS_CLIENT_ID` are both the service principal's application ID.
 `BOX_DB_PASSWORD` is a placeholder — the credentials provider overrides it.
 `BOX_DB_DATABRICKS_HOST` is the workspace URL (from your browser), not the database hostname.
-The same auth settings are available for read-only replica with the `BOX_DB_RO_REPLICA_*` prefix.
+`BOX_DB_DATABRICKS_SCOPE` defaults to `all-apis`. Do not change unless you know your workspace requires a different scope.
+`BOX_DB_CREDENTIAL_REFRESH_INTERVAL` controls the token cache TTL in milliseconds (default: `2700000`, i.e. 45 minutes). Should be less than the Databricks token expiry (60 minutes).
+The same auth settings are available for read-only replica with the `BOX_DB_RO_REPLICA_*` prefix (e.g. `BOX_DB_RO_REPLICA_AUTH_METHOD`, `BOX_DB_RO_REPLICA_DATABRICKS_HOST`, etc.).
 {% endhint %}
 
 ### Disable installation of PostgreSQL extensions on Aidbox startup&#x20;
diff --git a/docs/reference/all-settings.md b/docs/reference/all-settings.md
index 930b4f252..c46210587 100644
--- a/docs/reference/all-settings.md
+++ b/docs/reference/all-settings.md
@@ -1716,6 +1716,86 @@ If enabled, the health status of the database will be reflected in the overall h
 
 <details><summary>Details</summary><table data-header-hidden="true"><thead><tr><th width="200"></th><th></th></tr></thead><tbody><tr><td>ID</td><td><code>db.propagate-db-health-status-to-box</code></td></tr><tr><td>Type</td><td>Bool</td></tr><tr><td>Default value</td><td><code>false</code></td></tr><tr><td>Environment variable</td><td><code>BOX_PROPAGATE_DB_HEALTH_STATUS_TO_BOX</code></td></tr><tr><td>Available from</td><td><code>2509</code></td></tr><tr><td>Sensitive</td><td><code>false</code> — value will be visible in plaintext in Admin UI</td></tr><tr><td>Set via</td><td>Admin UI → Settings<br />Environment variables</td></tr><tr><td>Hot reload</td><td><code>true</code> — setting can be changed at runtime</td></tr></tbody></table></details>
 
+#### Database authentication method<a href="#db.auth-method" id="db.auth-method"></a>
+
+```yaml
+BOX_DB_AUTH_METHOD: "password"
+```
+
+Authentication method for the database connection. `password` — static password. `databricks-provisioned` — Databricks Lakebase Provisioned OAuth token (BYOT). `databricks-autoscale` — Databricks Lakebase Autoscaling OAuth token.
+
+<details><summary>Details</summary><table data-header-hidden="true"><thead><tr><th width="200"></th><th></th></tr></thead><tbody><tr><td>ID</td><td><code>db.auth-method</code></td></tr><tr><td>Type</td><td>String (enum: password, databricks-provisioned, databricks-autoscale)</td></tr><tr><td>Default value</td><td><code>password</code></td></tr><tr><td>Environment variable</td><td><code>BOX_DB_AUTH_METHOD</code></td></tr><tr><td>Available from</td><td><code>2603</code></td></tr><tr><td>Sensitive</td><td><code>false</code> — value will be visible in plaintext in Admin UI</td></tr><tr><td>Set via</td><td>Environment variables</td></tr><tr><td>Hot reload</td><td><code>false</code> — setting requires system restart</td></tr></tbody></table></details>
+
+#### Databricks workspace host<a href="#db.databricks-host" id="db.databricks-host"></a>
+
+```yaml
+BOX_DB_DATABRICKS_HOST: "https://your-workspace.cloud.databricks.com"
+```
+
+Databricks workspace URL. Required when `auth-method` is `databricks-provisioned` or `databricks-autoscale`.
+
+<details><summary>Details</summary><table data-header-hidden="true"><thead><tr><th width="200"></th><th></th></tr></thead><tbody><tr><td>ID</td><td><code>db.databricks-host</code></td></tr><tr><td>Type</td><td>String</td></tr><tr><td>Default value</td><td>(no default)</td></tr><tr><td>Environment variable</td><td><code>BOX_DB_DATABRICKS_HOST</code></td></tr><tr><td>Available from</td><td><code>2603</code></td></tr><tr><td>Sensitive</td><td><code>false</code> — value will be visible in plaintext in Admin UI</td></tr><tr><td>Set via</td><td>Environment variables</td></tr><tr><td>Hot reload</td><td><code>false</code> — setting requires system restart</td></tr></tbody></table></details>
+
+#### Databricks Provisioned instance name<a href="#db.databricks-provisioned-instance-name" id="db.databricks-provisioned-instance-name"></a>
+
+```yaml
+BOX_DB_DATABRICKS_PROVISIONED_INSTANCE_NAME: "<instance-name>"
+```
+
+Name of the Databricks Lakebase Provisioned instance. Required when `auth-method` is `databricks-provisioned`.
+
+<details><summary>Details</summary><table data-header-hidden="true"><thead><tr><th width="200"></th><th></th></tr></thead><tbody><tr><td>ID</td><td><code>db.databricks-provisioned-instance-name</code></td></tr><tr><td>Type</td><td>String</td></tr><tr><td>Default value</td><td>(no default)</td></tr><tr><td>Environment variable</td><td><code>BOX_DB_DATABRICKS_PROVISIONED_INSTANCE_NAME</code></td></tr><tr><td>Available from</td><td><code>2603</code></td></tr><tr><td>Sensitive</td><td><code>false</code> — value will be visible in plaintext in Admin UI</td></tr><tr><td>Set via</td><td>Environment variables</td></tr><tr><td>Hot reload</td><td><code>false</code> — setting requires system restart</td></tr></tbody></table></details>
+
+#### Databricks client ID<a href="#db.databricks-client-id" id="db.databricks-client-id"></a>
+
+```yaml
+BOX_DB_DATABRICKS_CLIENT_ID: "<client-id>"
+```
+
+Databricks service principal client ID. Required when `auth-method` is `databricks-provisioned` or `databricks-autoscale`.
+
+<details><summary>Details</summary><table data-header-hidden="true"><thead><tr><th width="200"></th><th></th></tr></thead><tbody><tr><td>ID</td><td><code>db.databricks-client-id</code></td></tr><tr><td>Type</td><td>String</td></tr><tr><td>Default value</td><td>(no default)</td></tr><tr><td>Environment variable</td><td><code>BOX_DB_DATABRICKS_CLIENT_ID</code></td></tr><tr><td>Available from</td><td><code>2603</code></td></tr><tr><td>Sensitive</td><td><code>true</code> — value will be masked in Admin UI</td></tr><tr><td>Set via</td><td>Environment variables</td></tr><tr><td>Hot reload</td><td><code>false</code> — setting requires system restart</td></tr></tbody></table></details>
+
+#### Databricks client secret<a href="#db.databricks-client-secret" id="db.databricks-client-secret"></a>
+
+```yaml
+BOX_DB_DATABRICKS_CLIENT_SECRET: "<client-secret>"
+```
+
+Databricks service principal client secret. Required when `auth-method` is `databricks-provisioned` or `databricks-autoscale`.
+
+<details><summary>Details</summary><table data-header-hidden="true"><thead><tr><th width="200"></th><th></th></tr></thead><tbody><tr><td>ID</td><td><code>db.databricks-client-secret</code></td></tr><tr><td>Type</td><td>String</td></tr><tr><td>Default value</td><td>(no default)</td></tr><tr><td>Environment variable</td><td><code>BOX_DB_DATABRICKS_CLIENT_SECRET</code></td></tr><tr><td>Available from</td><td><code>2603</code></td></tr><tr><td>Sensitive</td><td><code>true</code> — value will be masked in Admin UI</td></tr><tr><td>Set via</td><td>Environment variables</td></tr><tr><td>Hot reload</td><td><code>false</code> — setting requires system restart</td></tr></tbody></table></details>
+
+#### Databricks OAuth scope<a href="#db.databricks-scope" id="db.databricks-scope"></a>
+
+```yaml
+BOX_DB_DATABRICKS_SCOPE: "all-apis"
+```
+
+OAuth scope for the Databricks token request.
+
+<details><summary>Details</summary><table data-header-hidden="true"><thead><tr><th width="200"></th><th></th></tr></thead><tbody><tr><td>ID</td><td><code>db.databricks-scope</code></td></tr><tr><td>Type</td><td>String</td></tr><tr><td>Default value</td><td><code>all-apis</code></td></tr><tr><td>Environment variable</td><td><code>BOX_DB_DATABRICKS_SCOPE</code></td></tr><tr><td>Available from</td><td><code>2603</code></td></tr><tr><td>Sensitive</td><td><code>false</code> — value will be visible in plaintext in Admin UI</td></tr><tr><td>Set via</td><td>Environment variables</td></tr><tr><td>Hot reload</td><td><code>false</code> — setting requires system restart</td></tr></tbody></table></details>
+
+#### Databricks Autoscaling endpoint<a href="#db.databricks-autoscale-endpoint" id="db.databricks-autoscale-endpoint"></a>
+
+```yaml
+BOX_DB_DATABRICKS_AUTOSCALE_ENDPOINT: "projects/<project-id>/branches/<branch-id>/endpoints/<endpoint-id>"
+```
+
+Lakebase Autoscaling endpoint path. Required when `auth-method` is `databricks-autoscale`.
+
+<details><summary>Details</summary><table data-header-hidden="true"><thead><tr><th width="200"></th><th></th></tr></thead><tbody><tr><td>ID</td><td><code>db.databricks-autoscale-endpoint</code></td></tr><tr><td>Type</td><td>String</td></tr><tr><td>Default value</td><td>(no default)</td></tr><tr><td>Environment variable</td><td><code>BOX_DB_DATABRICKS_AUTOSCALE_ENDPOINT</code></td></tr><tr><td>Available from</td><td><code>2603</code></td></tr><tr><td>Sensitive</td><td><code>false</code> — value will be visible in plaintext in Admin UI</td></tr><tr><td>Set via</td><td>Environment variables</td></tr><tr><td>Hot reload</td><td><code>false</code> — setting requires system restart</td></tr></tbody></table></details>
+
+#### Credential refresh interval<a href="#db.credential-refresh-interval" id="db.credential-refresh-interval"></a>
+
+```yaml
+BOX_DB_CREDENTIAL_REFRESH_INTERVAL: 2700000
+```
+
+Token cache TTL in milliseconds. Controls how often Aidbox fetches a fresh database credential token. Also sets HikariCP `max-lifetime` so existing connections rotate before tokens expire. Default is 45 minutes (2700000 ms), which is less than the Databricks token expiry of 60 minutes.
+
+<details><summary>Details</summary><table data-header-hidden="true"><thead><tr><th width="200"></th><th></th></tr></thead><tbody><tr><td>ID</td><td><code>db.credential-refresh-interval</code></td></tr><tr><td>Type</td><td>Int (milliseconds)</td></tr><tr><td>Default value</td><td><code>2700000</code></td></tr><tr><td>Environment variable</td><td><code>BOX_DB_CREDENTIAL_REFRESH_INTERVAL</code></td></tr><tr><td>Available from</td><td><code>2603</code></td></tr><tr><td>Sensitive</td><td><code>false</code> — value will be visible in plaintext in Admin UI</td></tr><tr><td>Set via</td><td>Environment variables</td></tr><tr><td>Hot reload</td><td><code>false</code> — setting requires system restart</td></tr></tbody></table></details>
+
 ### Read-only replica
 
 Read-only database replica settings
@@ -1878,6 +1958,86 @@ The pool connection initialization SQL statement.
 
 <details><summary>Details</summary><table data-header-hidden="true"><thead><tr><th width="200"></th><th></th></tr></thead><tbody><tr><td>ID</td><td><code>db.ro-replica.pool.connection-init-sql</code></td></tr><tr><td>Type</td><td>String</td></tr><tr><td>Default value</td><td><code>select 1</code></td></tr><tr><td>Environment variable</td><td><code>BOX_DB_RO_REPLICA_POOL_CONNECTION_INIT_SQL</code></td></tr><tr><td>Available from</td><td><code>2507</code></td></tr><tr><td>Sensitive</td><td><code>false</code> — value will be visible in plaintext in Admin UI</td></tr><tr><td>Set via</td><td>Admin UI → Settings<br />Environment variables</td></tr><tr><td>Hot reload</td><td><code>false</code> — setting requires system restart</td></tr></tbody></table></details>
 
+#### RO replica authentication method<a href="#db.ro-replica.auth-method" id="db.ro-replica.auth-method"></a>
+
+```yaml
+BOX_DB_RO_REPLICA_AUTH_METHOD: "password"
+```
+
+Authentication method for the read-only replica connection.
+
+<details><summary>Details</summary><table data-header-hidden="true"><thead><tr><th width="200"></th><th></th></tr></thead><tbody><tr><td>ID</td><td><code>db.ro-replica.auth-method</code></td></tr><tr><td>Type</td><td>String (enum: password, databricks-provisioned, databricks-autoscale)</td></tr><tr><td>Default value</td><td><code>password</code></td></tr><tr><td>Environment variable</td><td><code>BOX_DB_RO_REPLICA_AUTH_METHOD</code></td></tr><tr><td>Available from</td><td><code>2603</code></td></tr><tr><td>Sensitive</td><td><code>false</code> — value will be visible in plaintext in Admin UI</td></tr><tr><td>Set via</td><td>Admin UI → Settings<br />Environment variables</td></tr><tr><td>Hot reload</td><td><code>false</code> — setting requires system restart</td></tr></tbody></table></details>
+
+#### RO replica Databricks workspace host<a href="#db.ro-replica.databricks-host" id="db.ro-replica.databricks-host"></a>
+
+```yaml
+BOX_DB_RO_REPLICA_DATABRICKS_HOST: "https://your-workspace.cloud.databricks.com"
+```
+
+Databricks workspace URL for the read-only replica.
+
+<details><summary>Details</summary><table data-header-hidden="true"><thead><tr><th width="200"></th><th></th></tr></thead><tbody><tr><td>ID</td><td><code>db.ro-replica.databricks-host</code></td></tr><tr><td>Type</td><td>String</td></tr><tr><td>Default value</td><td>(no default)</td></tr><tr><td>Environment variable</td><td><code>BOX_DB_RO_REPLICA_DATABRICKS_HOST</code></td></tr><tr><td>Available from</td><td><code>2603</code></td></tr><tr><td>Sensitive</td><td><code>false</code> — value will be visible in plaintext in Admin UI</td></tr><tr><td>Set via</td><td>Admin UI → Settings<br />Environment variables</td></tr><tr><td>Hot reload</td><td><code>false</code> — setting requires system restart</td></tr></tbody></table></details>
+
+#### RO replica Databricks Provisioned instance name<a href="#db.ro-replica.databricks-provisioned-instance-name" id="db.ro-replica.databricks-provisioned-instance-name"></a>
+
+```yaml
+BOX_DB_RO_REPLICA_DATABRICKS_PROVISIONED_INSTANCE_NAME: "<instance-name>"
+```
+
+Lakebase Provisioned instance name for the read-only replica.
+
+<details><summary>Details</summary><table data-header-hidden="true"><thead><tr><th width="200"></th><th></th></tr></thead><tbody><tr><td>ID</td><td><code>db.ro-replica.databricks-provisioned-instance-name</code></td></tr><tr><td>Type</td><td>String</td></tr><tr><td>Default value</td><td>(no default)</td></tr><tr><td>Environment variable</td><td><code>BOX_DB_RO_REPLICA_DATABRICKS_PROVISIONED_INSTANCE_NAME</code></td></tr><tr><td>Available from</td><td><code>2603</code></td></tr><tr><td>Sensitive</td><td><code>false</code> — value will be visible in plaintext in Admin UI</td></tr><tr><td>Set via</td><td>Admin UI → Settings<br />Environment variables</td></tr><tr><td>Hot reload</td><td><code>false</code> — setting requires system restart</td></tr></tbody></table></details>
+
+#### RO replica Databricks client ID<a href="#db.ro-replica.databricks-client-id" id="db.ro-replica.databricks-client-id"></a>
+
+```yaml
+BOX_DB_RO_REPLICA_DATABRICKS_CLIENT_ID: "<client-id>"
+```
+
+Databricks service principal client ID for the read-only replica.
+
+<details><summary>Details</summary><table data-header-hidden="true"><thead><tr><th width="200"></th><th></th></tr></thead><tbody><tr><td>ID</td><td><code>db.ro-replica.databricks-client-id</code></td></tr><tr><td>Type</td><td>String</td></tr><tr><td>Default value</td><td>(no default)</td></tr><tr><td>Environment variable</td><td><code>BOX_DB_RO_REPLICA_DATABRICKS_CLIENT_ID</code></td></tr><tr><td>Available from</td><td><code>2603</code></td></tr><tr><td>Sensitive</td><td><code>true</code> — value will be masked in Admin UI</td></tr><tr><td>Set via</td><td>Admin UI → Settings<br />Environment variables</td></tr><tr><td>Hot reload</td><td><code>false</code> — setting requires system restart</td></tr></tbody></table></details>
+
+#### RO replica Databricks client secret<a href="#db.ro-replica.databricks-client-secret" id="db.ro-replica.databricks-client-secret"></a>
+
+```yaml
+BOX_DB_RO_REPLICA_DATABRICKS_CLIENT_SECRET: "<client-secret>"
+```
+
+Databricks service principal client secret for the read-only replica.
+
+<details><summary>Details</summary><table data-header-hidden="true"><thead><tr><th width="200"></th><th></th></tr></thead><tbody><tr><td>ID</td><td><code>db.ro-replica.databricks-client-secret</code></td></tr><tr><td>Type</td><td>String</td></tr><tr><td>Default value</td><td>(no default)</td></tr><tr><td>Environment variable</td><td><code>BOX_DB_RO_REPLICA_DATABRICKS_CLIENT_SECRET</code></td></tr><tr><td>Available from</td><td><code>2603</code></td></tr><tr><td>Sensitive</td><td><code>true</code> — value will be masked in Admin UI</td></tr><tr><td>Set via</td><td>Admin UI → Settings<br />Environment variables</td></tr><tr><td>Hot reload</td><td><code>false</code> — setting requires system restart</td></tr></tbody></table></details>
+
+#### RO replica Databricks OAuth scope<a href="#db.ro-replica.databricks-scope" id="db.ro-replica.databricks-scope"></a>
+
+```yaml
+BOX_DB_RO_REPLICA_DATABRICKS_SCOPE: "all-apis"
+```
+
+OAuth scope for the read-only replica token request.
+
+<details><summary>Details</summary><table data-header-hidden="true"><thead><tr><th width="200"></th><th></th></tr></thead><tbody><tr><td>ID</td><td><code>db.ro-replica.databricks-scope</code></td></tr><tr><td>Type</td><td>String</td></tr><tr><td>Default value</td><td><code>all-apis</code></td></tr><tr><td>Environment variable</td><td><code>BOX_DB_RO_REPLICA_DATABRICKS_SCOPE</code></td></tr><tr><td>Available from</td><td><code>2603</code></td></tr><tr><td>Sensitive</td><td><code>false</code> — value will be visible in plaintext in Admin UI</td></tr><tr><td>Set via</td><td>Admin UI → Settings<br />Environment variables</td></tr><tr><td>Hot reload</td><td><code>false</code> — setting requires system restart</td></tr></tbody></table></details>
+
+#### RO replica Databricks Autoscaling endpoint<a href="#db.ro-replica.databricks-autoscale-endpoint" id="db.ro-replica.databricks-autoscale-endpoint"></a>
+
+```yaml
+BOX_DB_RO_REPLICA_DATABRICKS_AUTOSCALE_ENDPOINT: "projects/<project-id>/branches/<branch-id>/endpoints/<endpoint-id>"
+```
+
+Lakebase Autoscaling endpoint for the read-only replica.
+
+<details><summary>Details</summary><table data-header-hidden="true"><thead><tr><th width="200"></th><th></th></tr></thead><tbody><tr><td>ID</td><td><code>db.ro-replica.databricks-autoscale-endpoint</code></td></tr><tr><td>Type</td><td>String</td></tr><tr><td>Default value</td><td>(no default)</td></tr><tr><td>Environment variable</td><td><code>BOX_DB_RO_REPLICA_DATABRICKS_AUTOSCALE_ENDPOINT</code></td></tr><tr><td>Available from</td><td><code>2603</code></td></tr><tr><td>Sensitive</td><td><code>false</code> — value will be visible in plaintext in Admin UI</td></tr><tr><td>Set via</td><td>Admin UI → Settings<br />Environment variables</td></tr><tr><td>Hot reload</td><td><code>false</code> — setting requires system restart</td></tr></tbody></table></details>
+
+#### RO replica credential refresh interval<a href="#db.ro-replica.credential-refresh-interval" id="db.ro-replica.credential-refresh-interval"></a>
+
+```yaml
+BOX_DB_RO_REPLICA_CREDENTIAL_REFRESH_INTERVAL: 2700000
+```
+
+Token cache TTL in milliseconds for the read-only replica.
+
+<details><summary>Details</summary><table data-header-hidden="true"><thead><tr><th width="200"></th><th></th></tr></thead><tbody><tr><td>ID</td><td><code>db.ro-replica.credential-refresh-interval</code></td></tr><tr><td>Type</td><td>Int (milliseconds)</td></tr><tr><td>Default value</td><td><code>2700000</code></td></tr><tr><td>Environment variable</td><td><code>BOX_DB_RO_REPLICA_CREDENTIAL_REFRESH_INTERVAL</code></td></tr><tr><td>Available from</td><td><code>2603</code></td></tr><tr><td>Sensitive</td><td><code>false</code> — value will be visible in plaintext in Admin UI</td></tr><tr><td>Set via</td><td>Admin UI → Settings<br />Environment variables</td></tr><tr><td>Hot reload</td><td><code>false</code> — setting requires system restart</td></tr></tbody></table></details>
+
 ## Web Server
 
 Web Server settings

From f727d6e18e5dfb2139674c447a89a230a8fdc466 Mon Sep 17 00:00:00 2001
From: Andrey Listopadov <andreyorst@gmail.com>
Date: Fri, 20 Mar 2026 18:49:33 +0300
Subject: [PATCH 3/3] fix

---
 .../deploy-aidbox/run-aidbox-on-managed-postgresql.md         | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/docs/deployment-and-maintenance/deploy-aidbox/run-aidbox-on-managed-postgresql.md b/docs/deployment-and-maintenance/deploy-aidbox/run-aidbox-on-managed-postgresql.md
index d356fea38..4bcfdf00e 100644
--- a/docs/deployment-and-maintenance/deploy-aidbox/run-aidbox-on-managed-postgresql.md
+++ b/docs/deployment-and-maintenance/deploy-aidbox/run-aidbox-on-managed-postgresql.md
@@ -50,7 +50,7 @@ CREATE USER aidbox WITH CREATEDB ENCRYPTED PASSWORD 'aidboxpass';
 
 #### Configure Aidbox
 
-Lakebase uses OAuth token-based authentication. Aidbox supports both **Provisioned** and **Autoscaling** deployment modes.
+Lakebase uses OAuth token-based authentication. Aidbox supports both Lakebase deployment modes: [Provisioned](https://docs.databricks.com/aws/en/oltp/instances/) (fixed-capacity instances) and [Autoscaling](https://docs.databricks.com/aws/en/oltp/projects/about) (scale-to-zero projects).
 
 Aidbox fetches short-lived tokens (1 hour expiry) from Databricks and caches them for 45 minutes (configurable via `BOX_DB_CREDENTIAL_REFRESH_INTERVAL`). When the cache expires, a fresh token is fetched on the next connection. HikariCP `max-lifetime` is set to match the cache TTL so existing connections rotate before tokens expire. SSL is enforced automatically.
 
@@ -68,6 +68,7 @@ BOX_DB_DATABRICKS_HOST=https://your-workspace.cloud.databricks.com
 BOX_DB_DATABRICKS_PROVISIONED_INSTANCE_NAME=<instance-name>
 BOX_DB_DATABRICKS_CLIENT_ID=<client-id>
 BOX_DB_DATABRICKS_CLIENT_SECRET=<client-secret>
+BOX_DB_DATABRICKS_SCOPE=all-apis
 ```
 {% endtab %}
 {% tab title="Autoscaling" %}
@@ -83,6 +84,7 @@ BOX_DB_DATABRICKS_HOST=https://your-workspace.cloud.databricks.com
 BOX_DB_DATABRICKS_AUTOSCALE_ENDPOINT=projects/<project-id>/branches/<branch-id>/endpoints/<endpoint-id>
 BOX_DB_DATABRICKS_CLIENT_ID=<client-id>
 BOX_DB_DATABRICKS_CLIENT_SECRET=<client-secret>
+BOX_DB_DATABRICKS_SCOPE=all-apis
 ```
 {% endtab %}
 {% endtabs %}


ID	`db.propagate-db-health-status-to-box`
Type	Bool
Default value	`false`
Environment variable	`BOX_PROPAGATE_DB_HEALTH_STATUS_TO_BOX`
Available from	`2509`
Sensitive	`false` — value will be visible in plaintext in Admin UI
Set via	Admin UI → Settings Environment variables
Hot reload	`true` — setting can be changed at runtime

ID	`db.auth-method`
Type	String (enum: password, databricks-provisioned, databricks-autoscale)
Default value	`password`
Environment variable	`BOX_DB_AUTH_METHOD`
Available from	`2603`
Sensitive	`false` — value will be visible in plaintext in Admin UI
Set via	Environment variables
Hot reload	`false` — setting requires system restart

ID	`db.databricks-host`
Type	String
Default value	(no default)
Environment variable	`BOX_DB_DATABRICKS_HOST`
Available from	`2603`
Sensitive	`false` — value will be visible in plaintext in Admin UI
Set via	Environment variables
Hot reload	`false` — setting requires system restart

ID	`db.databricks-provisioned-instance-name`
Type	String
Default value	(no default)
Environment variable	`BOX_DB_DATABRICKS_PROVISIONED_INSTANCE_NAME`
Available from	`2603`
Sensitive	`false` — value will be visible in plaintext in Admin UI
Set via	Environment variables
Hot reload	`false` — setting requires system restart

ID	`db.databricks-client-id`
Type	String
Default value	(no default)
Environment variable	`BOX_DB_DATABRICKS_CLIENT_ID`
Available from	`2603`
Sensitive	`true` — value will be masked in Admin UI
Set via	Environment variables
Hot reload	`false` — setting requires system restart

ID	`db.databricks-client-secret`
Type	String
Default value	(no default)
Environment variable	`BOX_DB_DATABRICKS_CLIENT_SECRET`
Available from	`2603`
Sensitive	`true` — value will be masked in Admin UI
Set via	Environment variables
Hot reload	`false` — setting requires system restart

ID	`db.databricks-scope`
Type	String
Default value	`all-apis`
Environment variable	`BOX_DB_DATABRICKS_SCOPE`
Available from	`2603`
Sensitive	`false` — value will be visible in plaintext in Admin UI
Set via	Environment variables
Hot reload	`false` — setting requires system restart

ID	`db.databricks-autoscale-endpoint`
Type	String
Default value	(no default)
Environment variable	`BOX_DB_DATABRICKS_AUTOSCALE_ENDPOINT`
Available from	`2603`
Sensitive	`false` — value will be visible in plaintext in Admin UI
Set via	Environment variables
Hot reload	`false` — setting requires system restart

ID	`db.credential-refresh-interval`
Type	Int (milliseconds)
Default value	`2700000`
Environment variable	`BOX_DB_CREDENTIAL_REFRESH_INTERVAL`
Available from	`2603`
Sensitive	`false` — value will be visible in plaintext in Admin UI
Set via	Environment variables
Hot reload	`false` — setting requires system restart

ID	`db.ro-replica.pool.connection-init-sql`
Type	String
Default value	`select 1`
Environment variable	`BOX_DB_RO_REPLICA_POOL_CONNECTION_INIT_SQL`
Available from	`2507`
Sensitive	`false` — value will be visible in plaintext in Admin UI
Set via	Admin UI → Settings Environment variables
Hot reload	`false` — setting requires system restart