Skip to main content
This guide walks you through setting up Snowflake PAT (Programmatic Access Token) authentication for Gumloop. PAT provides an alternative authentication method to OAuth, using username and password-based authentication.
When to Use PAT vs OAuth: For most users, we recommend using Snowflake OAuth as the preferred authentication method. PAT is an alternative for users who cannot set up OAuth integrations or need a simpler authentication approach.

What This Guide Covers

This documentation will help you:
  1. Understand when PAT is appropriate - Learn when to use PAT vs OAuth
  2. Generate a Snowflake PAT - Create a programmatic access token in Snowflake
  3. Configure Gumloop - Add your PAT credentials to connect Gumloop to Snowflake
  4. Handle Network Policies - Understand and configure network policy requirements

OAuth vs PAT: Which Should You Use?

Use OAuth (Recommended)

  • Enhanced security with temporary tokens
  • Automatic token refresh
  • Centralized access control
  • Better audit trail
  • Set up OAuth →

Use PAT When

  • OAuth integration setup is not feasible
  • You need a simpler authentication method
  • Your organization restricts OAuth integrations
  • You need quick access for testing
Important: Snowflake OAuth and Snowflake PAT are either/or authentication methods. While you can technically have both configured, most users should choose one method.

Prerequisites

Before you begin, ensure you have:
  • Snowflake Account Access - A Snowflake user account with permissions to generate PATs
  • Account Identifier - Your Snowflake account identifier (e.g., myorg-account123)
  • Network Policy Considerations - Understanding of your organization’s network policies (see Network Policy Requirements below)

Step 1: Generate a Snowflake PAT

1.1 Access the PAT Settings

  1. Log in to your Snowflake account
  2. Click on your profile icon in the bottom-left corner
  3. Select My Profile
  4. Navigate to the Authentication section
  5. Find Programmatic access tokens

1.2 Generate a New Token

  1. Click Generate new token
  2. Enter a descriptive name for the token (e.g., “Gumloop”)
  3. Set an appropriate expiration date
  4. Click Generate
Save Your Token Immediately! The token value is only shown once. Copy and store it securely before closing the dialog.

1.3 Token Management Options

After creating your token, you can manage it through the menu (three dots):
  • Edit - Modify token settings
  • Rotate - Generate a new token value while keeping the same configuration
  • Bypass requirement for network policy - Temporarily bypass network restrictions (see below)
  • Delete - Remove the token

Step 2: Configure Gumloop

2.1 Add Snowflake PAT Credentials

  1. Navigate to Gumloop Personal Credentials Page
  2. Click Add Credential
  3. Search for “Snowflake PAT” in the Snowflake PAT tab
  1. Click Add credential on the Snowflake PAT option
  2. Enter the following information:
    • Username: Your Snowflake username
    • Password: The PAT token you generated in Step 1
    • Account Identifier: Your Snowflake account identifier (e.g., myorg-account123)
  3. Click Save to store your credentials

2.2 Verify Your Connection

To confirm your PAT connection is working:
  1. Create a new agent or workflow with a Snowflake Reader node or the Snowflake MCP integration
  2. Configure a simple query like SELECT CURRENT_USER()
  3. Run the agent or workflow to verify the connection succeeds

Network Policy Requirements

Snowflake network policies can restrict which IP addresses are allowed to connect. When using PAT authentication, you may encounter network policy restrictions that block connections from Gumloop’s servers.

Understanding Network Policies

Network policies in Snowflake control access based on IP addresses. If your organization has network policies configured, PAT connections from Gumloop may be blocked unless:
  1. Gumloop’s IP range is whitelisted in your network policy, OR
  2. You temporarily bypass the network policy requirement for your PAT
For production use, contact your Snowflake administrator and reach out to Gumloop to add Gumloop’s IP range to your network policy’s allowed list. This provides permanent access without requiring repeated bypasses.

Option 2: Temporary Network Policy Bypass (For Testing)

For testing purposes, you can temporarily bypass the network policy requirement:
  1. Go to your Snowflake profile → AuthenticationProgrammatic access tokens
  2. Click the menu (three dots) next to your token
  3. Select Bypass requirement for network policy
  4. Set the bypass duration (maximum 24 hours)
Temporary Bypass Limitations:
  • Maximum bypass duration is 24 hours
  • After the bypass expires, you’ll need to either renew it or whitelist Gumloop’s IP range
  • This option is intended for testing, not production use

When Network Policy Bypass is Needed

You may need to bypass or whitelist if:
  • Your Snowflake account has network policies restricting access to specific IP ranges
  • You receive connection errors mentioning “network policy” or “IP not allowed”
  • PAT authentication fails even with correct credentials

Troubleshooting

Connection Refused or Network Policy Error

Problem: Getting a network policy error when connecting Solution:
  • Use the temporary bypass option for testing (see Option 2 above)
  • For production, whitelist Gumloop’s IP range in your Snowflake network policy

Invalid Credentials Error

Problem: Authentication fails with invalid credentials Solution:
  • Verify your username is correct
  • Ensure you’re using the PAT token (not your regular password) in the Password field
  • Check that the Account Identifier matches your Snowflake account URL
  • Confirm the PAT hasn’t expired

Token Expired

Problem: Previously working connection now fails Solution:
  • Check if your PAT has expired in Snowflake
  • Generate a new token and update your Gumloop credentials
  • Consider setting a longer expiration when creating new tokens

Warehouse Access Issues

Problem: Connected but queries fail with warehouse errors Solution:
  • Ensure your user has USAGE privilege on the warehouse
  • Specify the warehouse explicitly in the Snowflake Reader node
  • Check if a default warehouse is configured for your user

Security Best Practices

Token Expiration

Set appropriate expiration dates for your PATs. Shorter durations are more secure but require more frequent rotation.

Least Privilege

Use a Snowflake user with only the minimum permissions needed for your workflows.

Regular Rotation

Periodically rotate your PAT tokens to maintain security, even before they expire.

Secure Storage

Never share PAT tokens in plain text. Gumloop encrypts your credentials securely.

Additional Resources

Need Help?

If you encounter issues not covered in this guide:
  1. Check the Snowflake PAT documentation for detailed technical information
  2. Contact your Snowflake administrator for account-specific issues
  3. Reach out to Gumloop Support for integration assistance