How key pair authentication works
Key pair authentication is asymmetric — you generate the RSA key pair yourself, register the public key on your Snowflake user, and provide the private key to StackOne. StackOne signs and rotates short-lived JWTs from the private key automatically, so you never generate or paste a token.
- Private key (
rsa_key.p8) — generated locally with OpenSSL. StackOne uses it server-side to sign JWTs and never logs or returns it. If you lose it, it cannot be recovered from Snowflake or the public key, so generate a new key pair and re-register the public key. - Public key (
rsa_key.pub) — registered on your Snowflake user viaALTER USER. Snowflake uses it to verify the JWTs StackOne signs.
Find Your Account Identifier
Your Account Identifier uniquely identifies your Snowflake account and routes API requests to it.
Open account details in Snowsight
Sign in to your Snowflake account and click your user profile (showing your username and role) in the bottom-left corner of the sidebar.
- In the menu that opens, click your account entry (e.g., Account: AB12345) to expand the account submenu.
- Select View account details.
- Copy the Account Identifier shown in the dialog.
- Format:
orgname-accountname(e.g.,myorg-account123) - Alternative — run
SELECT CURRENT_ORGANIZATION_NAME() || '-' || CURRENT_ACCOUNT_NAME();in any worksheet
Find your username
Your Username is the Snowflake user the public key will be assigned to. API requests run as this user.
- Run
SELECT CURRENT_USER();in any worksheet to see the user you are signed in as - Or navigate to Governance & security > Users & roles in Snowsight to pick a dedicated service user.
- Casing does not matter — the connector uppercases the username automatically.
Generate an RSA key pair
Snowflake key-pair authentication uses a 2048-bit RSA key pair that you generate yourself with OpenSSL. Run these commands in your terminal.
Generate the private key
Run the following command to generate an unencrypted private key in PKCS8 format.
- This creates
rsa_key.p8— the value for the RSA Private Key (PKCS8 PEM) field. Paste its entire contents, including the BEGIN and END marker lines. - Caution: keep
rsa_key.p8secure — it is your private key and must never be shared. - The connector mints and refreshes short-lived JWTs from this key automatically — you never generate or paste a token yourself.
Assign the public key to your Snowflake user
Snowflake verifies the JWTs minted from your private key against the public key registered on your user.
Copy the public key body
Open rsa_key.pub and copy the content between (but not including) the -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- lines.
Assign the key to your user
In a Snowflake worksheet, switch to a role with permission to alter the user, then run the ALTER USER statement, replacing <username> with your Username and <public_key_body> with the value you copied.
- The key body is the long base64 block from
rsa_key.pub, pasted as a single quoted string (line breaks within it are allowed).
Linking the Account from the Hub
Navigate to the Hub
Fill out the fields
- Account Identifier
- Username
- RSA Private Key (PKCS8 PEM)
If the account linking is successful, you will see the newly linked account in your Accounts page.