[ISSUE] Workspace Client files.download fails in Databricks App

[charlielu05]

Description
When using the files.download method in the Workspace Client, this works locally with an injected user access token but failing with the downscoped user-authorisation x-forwarded-access-token.
When calling the GET API directly at <host>/api/2.0/fs/files this works fine for both local and deployed Databricks App.

Reproduction

@router.get("/get_image/{image_path:path}")
async def get_databricks_image(
    request: Request,
    image_path: str):
    from databricks.sdk.core import Config
    from Databricks.sdk import WorkspaceClient
    import jwt
    import databricks
    
    access_token = request.headers.get("x-forwarded-access-token")

    try:
        cfg = Config(host=<HOST>,
            token=access_token,
            auth_type="pat",
            )
       
        w = WorkspaceClient(config=cfg)
 
        logger.info(f"Fetching image from Databricks: {image_path}")
 
        resp: DownloadResponse = w.files.download(image_path)
        # Get binary image content
        image_bytes = resp.contents.read()
 
        # Convert binary image to base64 string
        image_base64 = base64.b64encode(image_bytes).decode('utf-8')
           
    except Exception as e:
        logger.error(f"Full traceback:\n{traceback.format_exc()}")
 
        return JSONResponse(
            status_code=500,
            content={"error": str(e)},
        )
   
    return JSONResponse(content={"image_data": image_base64, "path": image_path})

Expected behavior
This works when testing locally with a Workspace level Admin account by using Databricks auth login and then adding a middleware in FastAPI to inject the x-forwarded-access-token by reading the access_token from the local ~/.databricks/token-cache.json file.
When deployed to Databricks App, this errors out:
databricks.sdk.errors.platform.PermissionDenied: Provided OAuth token does not have required scopes

Is it a regression?
Not a regression AFAIK

Debug Logs

2026-02-18 04:26:46,783 [ERROR] Full traceback: Traceback (most recent call last):   File "/app/python/source_code/routes/v1/image_search.py", line 271, in get_databricks_image     resp: DownloadResponse = w.files.download(image_path)                              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^   File "/app/python/source_code/.venv/lib/python3.11/site-packages/databricks/sdk/mixins/files.py", line 800, in download     return super().download(file_path)            ^^^^^^^^^^^^^^^^^^^^^^^^^^^   File "/app/python/source_code/.venv/lib/python3.11/site-packages/databricks/sdk/service/files.py", line 881, in download     res = self._api.do(           ^^^^^^^^^^^^^   File "/app/python/source_code/.venv/lib/python3.11/site-packages/databricks/sdk/core.py", line 86, in do     return self._api_client.do(            ^^^^^^^^^^^^^^^^^^^^   File "/app/python/source_code/.venv/lib/python3.11/site-packages/databricks/sdk/_base_client.py", line 199, in do     response = call(                ^^^^^   File "/app/python/source_code/.venv/lib/python3.11/site-packages/databricks/sdk/retries.py", line 59, in wrapper     raise err   File "/app/python/source_code/.venv/lib/python3.11/site-packages/databricks/sdk/retries.py", line 38, in wrapper     return func(*args, **kwargs)            ^^^^^^^^^^^^^^^^^^^^^   File "/app/python/source_code/.venv/lib/python3.11/site-packages/databricks/sdk/_base_client.py", line 301, in _perform     raise error from None

Other Information
Databricks SDK version: 0.83.0

Additional context
Pair programming session done with Databricks engineer Naim on 13th of February 2026 to diagnose issue. Implementation changed to raw HTTP request instead of workspace client.