# Connect Snowflake

The Snowflake connector lets Treasure AI Studio agents explore and visualize data in your Snowflake warehouse during a chat. Setup has three parts: an administrator creates an OAuth security integration in Snowflake, configures the connector in Treasure AI, and then each user authorizes their own connection.

New to connections?
Read [Connections](/products/ai-studio/connections) first for the general model — the difference between a connector and a connection, and the administrator vs. user roles. This page covers the Snowflake-specific steps.

## Objective

Set up the Snowflake connector end to end: create the Snowflake OAuth security integration, configure and enable the connector in Treasure AI, and authorize a connection so the agent can query your warehouse.

## Prerequisites

- Account administrator privileges in Treasure AI Studio (for the connector configuration steps)
- A Snowflake account with the `ACCOUNTADMIN` role (or another role that can create a security integration)
- The account URL of the Snowflake account you want to connect


## Step 1 — Create a Security Integration in Snowflake (Administrator)

Treasure AI connects to Snowflake using an OAuth security integration that you create in your Snowflake account. The setup uses a confidential OAuth client with refresh tokens.

1. **Find your Account URL.** In Snowsight, click the account selector at the bottom-left, select your account, and copy the account URL. It has the form `https://ORGNAME-ACCOUNTNAME.snowflakecomputing.com`. You'll enter this as the **Account URL** in Treasure AI (Step 2).
2. **Create the integration.** Run the following SQL as `ACCOUNTADMIN`. Replace the redirect URI with the **callback URL** shown in the **Setup Guide** on the Treasure AI connector form (it ends in `/connections/callback` and is specific to your region):

```sql
CREATE SECURITY INTEGRATION TREASURE_AI_STUDIO_INTEGRATION
  TYPE = OAUTH
  OAUTH_CLIENT = CUSTOM
  OAUTH_CLIENT_TYPE = 'CONFIDENTIAL'
  OAUTH_REDIRECT_URI = 'https://<your-region-host>/connections/callback'
  OAUTH_ISSUE_REFRESH_TOKENS = TRUE
  OAUTH_REFRESH_TOKEN_VALIDITY = 7776000
  ENABLED = TRUE;
```
3. **Retrieve the client credentials.** Run:

```sql
SELECT SYSTEM$SHOW_OAUTH_CLIENT_SECRETS('TREASURE_AI_STUDIO_INTEGRATION');
```
4. From the output, copy **`OAUTH_CLIENT_ID`** and **`OAUTH_CLIENT_SECRET`**. Ignore `OAUTH_CLIENT_SECRET_2` — you only need the first secret.


For more detail, see Snowflake's guide on [Configure Snowflake OAuth for custom clients](https://docs.snowflake.com/en/user-guide/oauth-custom).

The agent connects with the PUBLIC role
The connection authorizes the agent with Snowflake's `PUBLIC` role. The agent can only query objects that `PUBLIC` can access, so grant the `PUBLIC` role the privileges it needs: `USAGE` on a warehouse (required to run any query), `USAGE` on the databases and schemas, and `SELECT` on the tables you want the agent to explore. The role is fixed at authorization time and cannot be changed from within a chat.

Because `PUBLIC` is automatically granted to **every** user in the Snowflake account, any privilege you grant to `PUBLIC` for the agent also exposes that data to all other users. Grant only what the agent needs, and consider whether a more restricted setup is required for sensitive data.

## Step 2 — Configure the Connector in Treasure AI (Administrator)

1. In Treasure AI Studio, open **Settings → Connector Settings** (under **Organization**).
2. Click **Add Connector** and choose **Snowflake**.
3. Complete the form:


| Field | Value |
|  --- | --- |
| **Account URL** | Your account URL from Step 1, e.g. `https://myorg-myaccount.snowflakecomputing.com`. |
| **Client ID** | The `OAUTH_CLIENT_ID` from the security integration. |
| **Client Secret** | The `OAUTH_CLIENT_SECRET` from the security integration (entered as a masked field). |


1. Use the **Setup Guide** panel on this form as your reference — it contains the exact **redirect URL** to register in the security integration (Step 1) and the SQL to run.
2. Click **Save**. The Snowflake connector now appears in your configured list.
3. Make sure the connector is **enabled** so users can authorize connections to it.


The Select Connector screen with the Snowflake connector and an Add button
The Configure Snowflake form showing Account URL, Client ID, and Client Secret fields with the Setup Guide panel below
Allow the account domain in your network policy
If your account uses a network policy, allow the connector's **egress domain** (your Snowflake account host, e.g. `myorg-myaccount.snowflakecomputing.com`) so the agent's sandbox can reach it. The required domain is shown next to the configured connector in **Connector Settings**.

## Step 3 — Authorize Your Connection (User)

Each user who wants the agent to access Snowflake authorizes their own connection:

1. Open **Settings → Connections**.
2. Under **Available**, find **Snowflake** and click **Connect**.
3. Sign in to Snowflake in the popup and approve the requested access.
4. When the popup closes, **Snowflake** appears in your connected list with the date you connected it.


The Connections page with Snowflake listed under Available and a Connect button
To remove the connection later, click the delete (trash) icon next to it.

## Step 4 — Use Snowflake in a Chat

Once connected, ask the agent to work with your Snowflake data — for example, to explore a table or visualize a query result. The agent runs SQL against your warehouse and uses your connection automatically; no extra configuration is needed in the chat.

## Reference

| Item | Value |
|  --- | --- |
| Connector | Snowflake |
| Authentication | OAuth 2.0 (user-to-machine), confidential client with refresh tokens |
| OAuth scopes | `refresh_token`, `session:role:PUBLIC` |
| Agent role | `PUBLIC` (fixed by the OAuth scope) |
| Required configuration | Account URL, Client ID, Client Secret |
| Redirect URL | Shown in the connector form's **Setup Guide** (ends in `/connections/callback`) |


## Troubleshooting

| Issue | Solution |
|  --- | --- |
| Snowflake isn't listed on the Connections tab | An administrator must add the Snowflake connector in **Connector Settings** and enable it. |
| OAuth popup shows a redirect URL error | The `OAUTH_REDIRECT_URI` in the security integration must exactly match the callback URL shown in the connector form's Setup Guide. Re-run the `CREATE SECURITY INTEGRATION` (or `ALTER SECURITY INTEGRATION`) with the correct value. |
| The connection stops working after about 90 days | Refresh tokens are valid for 90 days (`OAUTH_REFRESH_TOKEN_VALIDITY = 7776000` seconds in Step 1). Reconnect from **Settings → Connections** to re-authorize. |
| The connection authorizes but the agent can't reach Snowflake | Allow your Snowflake account domain in your network policy (see the egress domain shown in Connector Settings). |
| The agent connects but can't see your tables | Grant the `PUBLIC` role privileges on the databases, schemas, and tables you want the agent to query. |
| "Account URL" is rejected | The URL must be your account host in the form `https://<orgname>-<accountname>.snowflakecomputing.com`. Use hyphens (not underscores) between the organization and account names. |
| Saving the connector fails on the client secret | Re-run `SELECT SYSTEM$SHOW_OAUTH_CLIENT_SECRETS('TREASURE_AI_STUDIO_INTEGRATION');` and copy `OAUTH_CLIENT_SECRET` again — make sure you copied the first secret, not `OAUTH_CLIENT_SECRET_2`. |


## Next Steps

- [Connections](/products/ai-studio/connections) — The general connection model and administrator controls
- [Connect Databricks](/products/ai-studio/connections/databricks) — Configure and authorize a Databricks connection
- [Query Execution](/products/ai-studio/query/query-execution) — How the agent runs and returns query results
- [Charts & Data Visualization](/products/ai-studio/visualization/charts) — How the agent visualizes data