Skip to main content

Overview

Once Snowflake is connected, the Dema Agent can query data, run Cortex AI tools, and execute SQL through your Snowflake-managed MCP server. Useful for bringing governed warehouse data into an analysis alongside Dema metrics.

Prerequisites

  • A Snowflake account with an active Cortex MCP server deployed.
  • A Snowflake role with permission to create security integrations (typically ACCOUNTADMIN or a role granted CREATE INTEGRATION).
  • The database, schema, and name of your Cortex MCP server, plus your Snowflake account identifier in the form {orgname}-{account}, so you can build the MCP server URL.

Connect Snowflake

1

Create an OAuth security integration in Snowflake

In a Snowflake worksheet, run the following. The OAUTH_REDIRECT_URI is the fixed Dema callback URL, which you will use again when you connect:
CREATE SECURITY INTEGRATION dema_agent
  TYPE = OAUTH
  ENABLED = TRUE
  OAUTH_CLIENT = CUSTOM
  OAUTH_CLIENT_TYPE = 'CONFIDENTIAL'
  OAUTH_REDIRECT_URI = 'https://app.dema.ai/agents/oauth/callback'
  OAUTH_ISSUE_REFRESH_TOKENS = TRUE
  OAUTH_REFRESH_TOKEN_VALIDITY = 7776000;
2

Fetch the client ID and client secret

Run:
SELECT SYSTEM$SHOW_OAUTH_CLIENT_SECRETS('DEMA_AGENT');
Copy the OAUTH_CLIENT_ID and OAUTH_CLIENT_SECRET values from the result.
3

Paste the credentials into Dema

In Dema, go to Agents → Settings → Integrations, find Snowflake, and click Connect. Enter:
  • Client ID from the previous step
  • Client secret from the previous step
  • MCP URL in the form https://{orgname}-{account}.snowflakecomputing.com/api/v2/databases/{db}/schemas/{schema}/mcp-servers/{name}, using the database, schema, and name of your Cortex MCP server
Click Add. Sign in to Snowflake and approve the authorization. You are returned to Dema with the integration marked as Active.

Permissions

Dema does not request named OAuth scopes in Snowflake. The Snowflake session runs with the role and warehouse you sign in with, so grant your authorizing user only the access the agent should have. A typical setup creates a dedicated role such as DEMA_AGENT_ROLE with USAGE on the warehouse and SELECT on the intended databases and schemas.

Troubleshooting

  • Dema says the MCP URL is invalid. The MCP URL must be HTTPS and must be on .snowflakecomputing.com. Use the {orgname}-{account} format (not a deprecated region-specific URL) and double-check the database, schema, and MCP server name.
  • Authorization fails. Make sure the security integration is ENABLED = TRUE and that OAUTH_REDIRECT_URI is exactly https://app.dema.ai/agents/oauth/callback.

Additional resources