Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.dema.ai/llms.txt

Use this file to discover all available pages before exploring further.

Overview

Once Snowflake is connected, the Dema Agent can query data, run Cortex AI tools, and execute SQL through your Snowflake-managed MCP server. Useful for bringing governed warehouse data into an analysis alongside Dema metrics.

Prerequisites

  • A Snowflake account with an active Cortex MCP server deployed.
  • A Snowflake role with permission to create security integrations (typically ACCOUNTADMIN or a role granted CREATE INTEGRATION).
  • The database, schema, and name of your Cortex MCP server, plus your Snowflake account identifier in the form {orgname}-{account}, so you can build the MCP server URL.

Connect Snowflake

1

Create an OAuth security integration in Snowflake

In a Snowflake worksheet, run the following. The OAUTH_REDIRECT_URI is the fixed Dema callback URL, which you will use again when you connect:
CREATE SECURITY INTEGRATION dema_agent
  TYPE = OAUTH
  ENABLED = TRUE
  OAUTH_CLIENT = CUSTOM
  OAUTH_CLIENT_TYPE = 'CONFIDENTIAL'
  OAUTH_REDIRECT_URI = 'https://app.dema.ai/agents/oauth/callback'
  OAUTH_ISSUE_REFRESH_TOKENS = TRUE
  OAUTH_REFRESH_TOKEN_VALIDITY = 7776000;
2

Fetch the client ID and client secret

Run:
SELECT SYSTEM$SHOW_OAUTH_CLIENT_SECRETS('DEMA_AGENT');
Copy the OAUTH_CLIENT_ID and OAUTH_CLIENT_SECRET values from the result.
3

Paste the credentials into Dema

In Dema, go to Agents → Settings → Integrations, find Snowflake, and click Connect. Enter:
  • Client ID from the previous step
  • Client secret from the previous step
  • MCP URL in the form https://{orgname}-{account}.snowflakecomputing.com/api/v2/databases/{db}/schemas/{schema}/mcp-servers/{name}, using the database, schema, and name of your Cortex MCP server
Click Add. Sign in to Snowflake and approve the authorization. You are returned to Dema with the integration marked as Active.

Permissions

Dema does not request named OAuth scopes in Snowflake. The Snowflake session runs with the role and warehouse you sign in with, so grant your authorizing user only the access the agent should have. A typical setup creates a dedicated role such as DEMA_AGENT_ROLE with USAGE on the warehouse and SELECT on the intended databases and schemas.

Troubleshooting

Integration setup

  • Dema says the MCP URL is invalid. The MCP URL must be HTTPS and must be on .snowflakecomputing.com. Use the {orgname}-{account} format (not a deprecated region-specific URL) and double-check the database, schema, and MCP server name.
  • Authorization fails. Make sure the security integration is ENABLED = TRUE and that OAUTH_REDIRECT_URI is exactly https://app.dema.ai/agents/oauth/callback.

MCP server access errors

If the agent cannot connect to your MCP server (error message: “MCP server does not exist or not authorized”), verify the following in your Snowflake account: Confirm the MCP server exists List all MCP servers in your schema: 
SHOW MCP SERVERS IN SCHEMA YOUR_DATABASE.YOUR_SCHEMA;
Or describe the specific server to verify its configuration: 
DESCRIBE MCP SERVER YOUR_DATABASE.YOUR_SCHEMA.YOUR_MCP_SERVER;
If the server does not exist, you need to create an MCP server in Snowflake or update the database, schema, and name in your Dema integration settings. Verify role permissions The role you use to authorize the OAuth connection must have USAGE privilege on the MCP server, database, and schema. Check existing grants: 
SHOW GRANTS ON MCP SERVER YOUR_DATABASE.YOUR_SCHEMA.YOUR_MCP_SERVER;
If your role is missing the required privileges, grant them: 
GRANT USAGE ON MCP SERVER YOUR_DATABASE.YOUR_SCHEMA.YOUR_MCP_SERVER TO ROLE YOUR_ROLE;
GRANT USAGE ON DATABASE YOUR_DATABASE TO ROLE YOUR_ROLE;
GRANT USAGE ON SCHEMA YOUR_DATABASE.YOUR_SCHEMA TO ROLE YOUR_ROLE;
Note that USAGE on the MCP server does not automatically grant access to the tools configured within it. Each tool (Cortex Search, Cortex Analyst, etc.) requires its own permissions. See Snowflake MCP server access control for details. Check object name casing Snowflake converts unquoted identifiers to uppercase. If you created your database, schema, or MCP server with quoted names (for example "MyDatabase"), the MCP URL must match that casing exactly. Most setups use unquoted names, so the URL should use uppercase (for example YOUR_DATABASE.YOUR_SCHEMA.YOUR_MCP_SERVER).

Additional resources