databricks · janniklasrose · May 8, 2026
diff --git a/NEXT_CHANGELOG.md b/NEXT_CHANGELOG.md
@@ -4,6 +4,8 @@
 
 ### CLI
 
+* `databricks auth profiles` now distinguishes "validation failed" from "couldn't validate". The JSON output adds a `status` field (`valid`, `invalid`, `unknown`, or `unvalidated`) and an `error` description for non-valid profiles. The legacy `valid` field is still emitted as `true` when validation succeeded and `false` when the profile is provably bad (auth/config error); it is omitted for transient/unknown cases that previously misreported as `valid: false`. Each profile is validated with a 10s timeout so a single dead host no longer stalls the listing.
+
 ### Bundles
 
 ### Dependency updates
diff --git a/acceptance/auth/host-metadata-cache/output.txt b/acceptance/auth/host-metadata-cache/output.txt
@@ -7,7 +7,7 @@
       "host": "[DATABRICKS_URL]",
       "cloud": "aws",
       "auth_type": "",
-      "valid": false
+      "status": "unvalidated"
     }
   ]
 }
@@ -20,7 +20,7 @@
       "host": "[DATABRICKS_URL]",
       "cloud": "aws",
       "auth_type": "",
-      "valid": false
+      "status": "unvalidated"
     }
   ]
 }

diff --git a/acceptance/cmd/auth/login/discovery/output.txt b/acceptance/cmd/auth/login/discovery/output.txt
@@ -5,7 +5,7 @@ Profile discovery-test was successfully saved
 
 >>> [CLI] auth profiles
 Name                      Host                    Valid
-discovery-test (Default)  [DATABRICKS_URL]  YES
+discovery-test (Default)  [DATABRICKS_URL]  valid
 
 >>> print_requests.py --get //tokens/introspect
 {

diff --git a/acceptance/cmd/auth/login/nominal/output.txt b/acceptance/cmd/auth/login/nominal/output.txt
@@ -4,4 +4,4 @@ Profile test was successfully saved
 
 >>> [CLI] auth profiles
 Name            Host                    Valid
-test (Default)  [DATABRICKS_URL]  YES
+test (Default)  [DATABRICKS_URL]  valid
diff --git a/acceptance/cmd/auth/logout/stale-account-id-workspace-host/output.txt b/acceptance/cmd/auth/logout/stale-account-id-workspace-host/output.txt
@@ -2,7 +2,7 @@
 === Profiles before logout — logfood should be valid
 >>> [CLI] auth profiles
 Name               Host                    Valid
-logfood (Default)  [DATABRICKS_URL]  YES
+logfood (Default)  [DATABRICKS_URL]  valid
 
 === Token cache keys before logout
 [
@@ -32,7 +32,7 @@ default_profile = logfood
 === Profiles after logout — logfood should be invalid
 >>> [CLI] auth profiles
 Name               Host                    Valid
-logfood (Default)  [DATABRICKS_URL]  NO
+logfood (Default)  [DATABRICKS_URL]  unknown
 
 === Logged out profile should no longer return a token
 >>> musterr [CLI] auth token --profile logfood

diff --git a/acceptance/cmd/auth/profiles/expired-token/out.test.toml b/acceptance/cmd/auth/profiles/expired-token/out.test.toml
diff --git a/acceptance/cmd/auth/profiles/expired-token/output.txt b/acceptance/cmd/auth/profiles/expired-token/output.txt
@@ -0,0 +1,16 @@
+
+=== Expired token: profile is reported invalid with remediation hint
+>>> [CLI] auth profiles --output json
+{
+  "profiles": [
+    {
+      "name": "expired",
+      "host": "[DATABRICKS_URL]",
+      "cloud": "aws",
+      "auth_type": "pat",
+      "status": "invalid",
+      "error": "authentication failed (token may have expired — try 'databricks auth login -p expired')",
+      "valid": false
+    }
+  ]
+}
diff --git a/acceptance/cmd/auth/profiles/expired-token/script b/acceptance/cmd/auth/profiles/expired-token/script
@@ -0,0 +1,10 @@
+sethome "./home"
+
+cat > "./home/.databrickscfg" <<EOF
+[expired]
+host = ${DATABRICKS_HOST}
+token = test-token
+EOF
+
+title "Expired token: profile is reported invalid with remediation hint"
+trace $CLI auth profiles --output json
diff --git a/acceptance/cmd/auth/profiles/expired-token/test.toml b/acceptance/cmd/auth/profiles/expired-token/test.toml
@@ -0,0 +1,15 @@
+Ignore = [
+    "home"
+]
+
+# Validation calls /api/2.0/preview/scim/v2/Me for workspace-typed configs.
+# A 401 here mimics an expired or revoked PAT.
+[[Server]]
+Pattern = "GET /api/2.0/preview/scim/v2/Me"
+Response.StatusCode = 401
+Response.Body = '''
+{
+    "error_code": "UNAUTHENTICATED",
+    "message": "Token is invalid or expired."
+}
+'''
diff --git a/acceptance/cmd/auth/profiles/output.txt b/acceptance/cmd/auth/profiles/output.txt
@@ -8,15 +8,15 @@ Warn: [hostmetadata] failed to fetch host metadata for https://test.cloud.databr
       "host": "https://test.cloud.databricks.com",
       "cloud": "aws",
       "auth_type": "",
-      "valid": false
+      "status": "unvalidated"
     },
     {
       "name": "account-profile",
       "host": "https://accounts.cloud.databricks.com",
       "account_id": "test-account-123",
       "cloud": "aws",
       "auth_type": "",
-      "valid": false
+      "status": "unvalidated"
     },
     {
       "name": "unified-profile",
@@ -25,7 +25,7 @@ Warn: [hostmetadata] failed to fetch host metadata for https://test.cloud.databr
       "workspace_id": "[NUMID]",
       "cloud": "aws",
       "auth_type": "",
-      "valid": false
+      "status": "unvalidated"
     }
   ]
 }
diff --git a/acceptance/cmd/auth/profiles/server-error/out.test.toml b/acceptance/cmd/auth/profiles/server-error/out.test.toml
diff --git a/acceptance/cmd/auth/profiles/server-error/output.txt b/acceptance/cmd/auth/profiles/server-error/output.txt
@@ -0,0 +1,15 @@
+
+=== 5xx from validation endpoint: profile reported as unknown (transient)
+>>> [CLI] auth profiles --output json
+{
+  "profiles": [
+    {
+      "name": "transient",
+      "host": "[DATABRICKS_URL]",
+      "cloud": "aws",
+      "auth_type": "pat",
+      "status": "unknown",
+      "error": "server error: 500"
+    }
+  ]
+}
diff --git a/acceptance/cmd/auth/profiles/server-error/script b/acceptance/cmd/auth/profiles/server-error/script
@@ -0,0 +1,10 @@
+sethome "./home"
+
+cat > "./home/.databrickscfg" <<EOF
+[transient]
+host = ${DATABRICKS_HOST}
+token = test-token
+EOF
+
+title "5xx from validation endpoint: profile reported as unknown (transient)"
+trace $CLI auth profiles --output json
diff --git a/acceptance/cmd/auth/profiles/server-error/test.toml b/acceptance/cmd/auth/profiles/server-error/test.toml
@@ -0,0 +1,16 @@
+Ignore = [
+    "home"
+]
+
+# A 500 from the validation endpoint says nothing about the profile itself —
+# the platform is broken. The status should be "unknown", not "invalid",
+# so users don't think their credentials are bad.
+[[Server]]
+Pattern = "GET /api/2.0/preview/scim/v2/Me"
+Response.StatusCode = 500
+Response.Body = '''
+{
+    "error_code": "INTERNAL_ERROR",
+    "message": "Internal server error"
+}
+'''
diff --git a/acceptance/cmd/auth/profiles/spog-account/output.txt b/acceptance/cmd/auth/profiles/spog-account/output.txt
@@ -10,6 +10,7 @@
       "workspace_id": "none",
       "cloud": "aws",
       "auth_type": "pat",
+      "status": "valid",
       "valid": true
     }
   ]

diff --git a/acceptance/cmd/auth/switch/nominal/output.txt b/acceptance/cmd/auth/switch/nominal/output.txt
@@ -12,8 +12,8 @@ default_profile = profile-a
 
 >>> [CLI] auth profiles --skip-validate
 Name                 Host                    Valid
-profile-a (Default)  [DATABRICKS_URL]  NO
-profile-b            [DATABRICKS_URL]  NO
+profile-a (Default)  [DATABRICKS_URL]  -
+profile-b            [DATABRICKS_URL]  -
 
 === Switch to profile-b
 
@@ -28,5 +28,5 @@ default_profile = profile-b
 
 >>> [CLI] auth profiles --skip-validate
 Name                 Host                    Valid
-profile-a            [DATABRICKS_URL]  NO
-profile-b (Default)  [DATABRICKS_URL]  NO
+profile-a            [DATABRICKS_URL]  -
+profile-b (Default)  [DATABRICKS_URL]  -