> ## Documentation Index
> Fetch the complete documentation index at: https://docs.omni.co/llms.txt
> Use this file to discover all available pages before exploring further.

<AgentInstructions>

## Submitting Feedback

If you encounter incorrect, outdated, or confusing documentation on this page, submit feedback:

POST https://docs.omni.co/feedback

```json
{
  "path": "/connect-data/oauth/snowflake/index",
  "feedback": "Description of the issue"
}
```

Only submit feedback when you have something specific and actionable to report.

</AgentInstructions>

# OAuth for Snowflake connections

> Authenticate individual users against your Snowflake database with OAuth, enforcing database-level permissions in Omni.

<Note>
  Reach out to Omni support to have database OAuth enabled.
</Note>

By default, Omni queries your Snowflake database using a shared service account. With OAuth, each user authenticates with their own credentials, and Omni enforces that user's Snowflake database-level permissions when they run queries. This lets you manage data access in Snowflake and have it filter down to Omni automatically.

## OAuth types

Omni supports two OAuth modes for Snowflake. Both enforce per-user database permissions, but they differ in how users authenticate.

<Warning>
  Before configuring OAuth, review the [limitations](/connect-data/oauth#limitations) that apply to both types.
</Warning>

### Native OAuth

With native OAuth, users authenticate directly with Snowflake's built-in OAuth server. When a user runs a query for the first time, they're prompted to sign in with their Snowflake credentials.

This is the simpler option — it doesn't require an external identity provider and can be configured entirely between Omni and Snowflake.

<Card title="Snowflake native OAuth" icon="snowflake" href="/connect-data/oauth/snowflake/native">
  Set up native OAuth for Snowflake
</Card>

### External OAuth

With External OAuth, users authenticate through an external identity provider (IdP) such as Okta, Entra ID (Azure AD), or Ping Identity. The IdP issues a token that Snowflake trusts, so users sign in with their existing corporate identity rather than separate database credentials.

This option is more complex to configure — it involves setup in the IdP, Snowflake, and Omni — but it centralizes authentication through the identity provider your organization already uses.

<Card title="Snowflake + Okta External OAuth" icon="snowflake" href="/connect-data/oauth/snowflake/external-okta">
  Set up federated OAuth for Snowflake connections using Okta
</Card>

**Looking for another IdP?** Guides for Microsoft Entra ID (Azure AD) and Ping Identity are coming soon.

## Limitations

Before enabling OAuth for Snowflake, review the [Limitations for OAuth](/connect-data/oauth#limitations). **These limitations apply to both Native and External OAuth**.

## Related

* [**Access grants**](/modeling/models/access-grants) — Control which fields and tables are visible to each user in the model and field browser
* [**Content permissions**](/administration/users/permissions) — Control which dashboards and documents users can access