Support programmatic authentication for Snowflake MCP (PAT, External OAuth)

Resolved 💬 1 comment Opened Apr 19, 2026 by sfc-gh-methakkar Closed May 27, 2026

Preflight Checklist

  • [x] I have searched existing requests and this feature hasn't been requested yet
  • [x] This is a single feature request (not multiple features)

Problem Statement

Today the Claude ↔ Snowflake MCP integration appears to support only interactive Snowflake OAuth (authorization code grant), which requires a user-facing browser flow. This makes it difficult or impossible to use Claude MCP against Snowflake in headless, automated, or server-to-server scenarios.

Current behavior: The Snowflake connector / MCP configuration in Claude currently expects Snowflake OAuth (authorization code) with a browser-based sign-in.

There is no documented way to:
Provide a Snowflake Programmatic Access Token, or
Use an External OAuth access token obtained from a third-party IdP (AzureAD/EntraID, Okta), and have Claude use those credentials to authenticate to Snowflake.

As a result, any Claude ↔ Snowflake MCP usage requires an interactive flow, even for machine-only workloads.

Proposed Solution

I’m requesting support for programmatic authentication options that Snowflake already exposes:
Programmatic Access Tokens (PAT)
External OAuth (e.g., client-credentials or other non-interactive grant types)

Please add first-class support in the Claude ↔ Snowflake MCP integration for programmatic authentication, for example:
1) Programmatic Access Tokens (PAT)
Allow configuration of:

  • Sowflake account identifier
  • PAT value (or reference to a secret store)

Claude would send:

  • Authorization: Bearer <PAT>
  • X-Snowflake-Authorization-Token-Type: PROGRAMMATIC_ACCESS_TOKEN

https://docs.snowflake.com/en/developer-guide/snowflake-rest-api/authentication#using-a-programmatic-access-token-pat

This aligns with Snowflake’s recommended service-to-service patterns for some workloads.

2) External OAuth
Allow users to:

  • Supply an access token issued by their IdP (External OAuth integration in Snowflake),
  • Optionally configure token refresh via client credentials or a pluggable token provider.

https://docs.snowflake.com/en/user-guide/oauth-ext-overview

This enables organizations already invested in an IdP to centralize auth while still using Claude MCP.

Ideally, the connector would support selecting the authentication mode (Interactive Snowflake OAuth vs PAT vs External OAuth) per connection, so existing flows continue to work unchanged.

Alternative Solutions

_No response_

Priority

High - Significant impact on productivity

Feature Category

MCP server integration

Use Case Example

Many real-world Snowflake + Claude use cases are non-interactive:
Scheduled or batch jobs driven by Claude tools/agents.
CI/CD pipelines and automated data workflows.
Backend services that call Claude, which in turn call Snowflake via MCP.

Service accounts that must not be tied to a human browser session. Requiring an interactive OAuth browser flow makes Claude MCP difficult to use in these recommended patterns.

Adding support for key-pair, PAT, and External OAuth would:

  • Enable fully headless Snowflake MCP usage (no browser interaction).
  • Align Claude with Snowflake’s recommended service-to-service authentication patterns.
  • Make it much easier to adopt Claude MCP in enterprise environments that depend on:

Service accounts,
Central IdPs,
Strict non-interactive security and compliance requirements.

Additional Context

_No response_

View original on GitHub ↗

This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗