Skip to main content
Snowflake’s managed MCP server exposes Cortex Search, Cortex Analyst, and SQL execution as MCP tools. Portkey MCP Gateway adds centralized authentication, per-user access control, and observability on top of the Snowflake endpoint.

When should you use this server

  • Ask natural-language questions over governed Snowflake data via Cortex Analyst
  • Run semantic/Cortex Search over indexed documents and support content
  • Execute parameterized SQL from agents under guardrails and access control

Key features

  • Managed, cloud-hosted endpoint—no self-hosted binary to run
  • Role-scoped access: every request runs under a specific Snowflake role
  • OAuth 2.1 with an external identity provider (per-user attribution)

Authentication

  • Method: OAuth 2.1 with manual OAuth metadata (pre-registered client).
  • Why: Snowflake’s OAuth server does not support Dynamic Client Registration (DCR / RFC 7591). Portkey’s default OAuth flow auto-registers a client against the upstream server, which Snowflake rejects with:
  • The supported pattern: front Snowflake with an IdP it trusts (this guide uses Okta via Snowflake External OAuth), pre-register a confidential OAuth client there, and give Portkey those credentials in oauth_metadata. Portkey then skips DCR and uses the pre-registered client for the upstream token exchange.
With this pattern, Okta (not Snowflake) is the OAuth authorization server. Snowflake validates the resulting JWT and maps its scp claim to a Snowflake role.

Endpoint

A Snowflake managed MCP server URL looks like:

Connect via Portkey MCP Gateway

The setup has three parts: Snowflake (trust the IdP, map roles), Okta (issue tokens with the role scope), and Portkey (register the server with oauth_metadata).
The token scope selects the Snowflake role. It must be session:role:<role>—defined in Okta, listed in the Okta access-policy rule, and mapped to a Snowflake role the user has been granted. Getting this scope right is the most common point of failure.

Step 1: Snowflake — role, user, and External OAuth integration

Run as ACCOUNTADMIN in a Snowsight worksheet.

Step 2: Okta — authorization server, scope, and confidential app

  1. Security → API → Authorization Servers → Add. Set Audience to the Snowflake account URL (https://<account>.<region>.snowflakecomputing.com). Note the Issuer URI—feed it into Step 1 and Step 3.
  2. Scopes → Add Scope: create session:role:<role> (literal, colons and all; lowercase as Snowflake expects). Check Include in public metadata.
  3. Access Policies → Add Policy + Rule: grant type Authorization Code (+ Refresh Token), and list the session:role:<role> scope and the allowed users.
  4. Applications → Create App Integration → OIDC → Web Application (gives a client_secret). Set the Sign-in redirect URI to:
  5. Copy the Client ID, Client Secret, and from <issuer>/.well-known/oauth-authorization-server the authorization_endpoint and token_endpoint.
If the session:role:<role> scope isn’t listed in the Okta access-policy rule, Okta silently won’t issue it → the token has no role → Snowflake rejects the request.

Step 3: Register the integration in Portkey

  1. In Portkey, go to MCP RegistryAdd MCP Integration.
  2. Set:
  1. Expand Advanced Configuration and paste (replace placeholders):
Use oauth_metadata (upstream auth), not external_auth_config. With client_id and client_secret present, Portkey skips DCR and uses your pre-registered Okta client. See OAuth Client Metadata.
  1. Configure workspace access as needed, then save.

Step 4: Connect from an agent

Gateway URL pattern: https://mcp.portkey.ai/{slug}/mcp.
Claude Desktop / Cursor
On first tool use, the client opens the Okta authorization screen. After consent, Portkey exchanges the code, calls Snowflake with the resulting JWT, and stores/refreshes tokens per user.

Troubleshooting

For broader gateway issues, see MCP Gateway: Common issues and resolutions.

Tools provided

Tools depend on what the Snowflake MCP server exposes (Cortex Search services, Cortex Analyst semantic views, and SQL execution). Use the client’s tool inspector or tools/list on the gateway URL as the source of truth.
  • Cortex Analyst — natural-language questions answered against a configured semantic view/model.
  • Cortex Search — semantic search over an indexed service (documents, tickets, etc.).
  • SQL execution — run SQL under the mapped Snowflake role.
For self-hosted gateways, replace mcp.portkey.ai with your gateway host (and use that host in the Okta redirect URI and redirect_uri).
Last modified on June 24, 2026