MCP Connectors¶

Overview¶

An MCP connector in Snowflake connects Snowflake Intelligence and Cortex Agents to a remote Model Context Protocol (MCP) server, letting the Agent discover and invoke tools hosted by providers such as Atlassian Jira, Salesforce, or your own custom applications.

How MCP connectors work¶

You create an external MCP server object that references an API integration, which contains OAuth credentials. Snowflake supports Standard OAuth with credentials (client ID, client secret), as well as Dynamic Client Registration (DCR). You can select from a set of available MCP connectors or build your custom connector. After the MCP connector is added to the agent, users can authenticate with the third-party service and use the tools directly with Cortex Agents and in Snowflake Intelligence.

Setup flow¶

To create an MCP connector and use it in your Snowflake workflows, complete the following steps:

Provider setup: The account admin creates an MCP server on the provider’s dashboard (for example, Salesforce or Atlassian) and obtains OAuth credentials.
API integration: The account admin creates an API integration in Snowflake that stores the server URL, client ID, client secret, and OAuth endpoints.
External MCP server creation: The account admin creates an external MCP server object that references the API integration.
Agent configuration: The agent developer adds the external MCP server to a Cortex Agent’s specification.
User authentication: Snowflake Intelligence users connect to the MCP server through the Snowflake Intelligence interface, authenticating with the third-party service using OAuth.

Tool discovery and invocation¶

When an agent is invoked, it retrieves the list of available tools from each configured external MCP server using the tools/list method. During orchestration, the agent invokes specific tools using the tools/call method and passing the required arguments. Snowflake checks that both the MCP server and its underlying API integration are enabled before executing any tool call.

Access control¶

The following table describes the privileges required for external MCP server operations:


Privilege	Object	Required for
CREATE EXTERNAL MCP SERVER	Schema	Creating an external MCP server
OWNERSHIP	MCP Server	Dropping the MCP server
MODIFY	MCP Server	Updating, dropping, describing, showing, and using the MCP server
USAGE	MCP Server	Connecting to the MCP server and discovering tools
OWNERSHIP or MODIFY	API Integration	Enabling, disabling, or dropping the API integration

Set up supported MCP connectors¶

You can connect with the following MCP servers with minimal configuration:

Atlassian
GitHub
Glean
Linear
Salesforce

With these MCP providers, you complete the following workflow:

Specify the provider detail in the API_USER_AUTHENTICATION type field.
Set up the provider configuration, which is unique to each provider.
Reference this API integration in the external MCP server object creation.

Note

For OAuth authorization code flows, the client needs to supply a callback URL after consent is given to the external service provider. The external service provider will send the user to the callback URL to finish the flow. In general, two URLs need to be given to the OAuth app configuration:

For Cortex Code CLI: <account_url>/oauth/complete-secret
For Snowflake Intelligence and Snowsight UI: <snowsight_url>/oauth/complete-secret

The Snowsight URL can be retrieved from SYSTEM$ALLOWLIST or SYSTEM$ALLOWLIST_PRIVATELINK depending on whether PrivateLink is used. Pick the one of type SNOWSIGHT_DEPLOYMENT that starts with apps-api (for public access) or app.<region>.privatelink.snowflakecomputing (for PrivateLink).

Navigate to Admin.atlassian.com.
From the left navigation, select Apps > AI Settings > Rovo MCP Server.
Under Your domains, select Add Domain to add two callback URLs as described in the note above.
Select Add.
Sign in to Snowsight.
In the navigation menu, select AI & ML » Agents.
Select Settings.
Select Tools and Connectors.
Select Browse Connectors.
Select Atlassian.
Enter a name and description for the MCP Server.
For Server URL, enter https://mcp.atlassian.com/v1/mcp.
Select the database and schema where the MCP Server will be created.
Select Add.

The following example shows the SQL commands to create the API integration and MCP server for Atlassian:

-- Create the API integration using dynamic client registration (DCR)
CREATE API INTEGRATION jira_mcp_api_integration
  API_PROVIDER = external_mcp
  API_ALLOWED_PREFIXES = ('https://mcp.jira.atlassian.com')
  API_USER_AUTHENTICATION = (
    TYPE=OAUTH_DYNAMIC_CLIENT,
    OAUTH_RESOURCE_URL='https://mcp.atlassian.com/v1/mcp'
  )
  ENABLED = TRUE;

-- Create the external MCP server
CREATE EXTERNAL MCP SERVER atlassian_mcp_server
  WITH NAME = 'Atlassian (Jira & Confluence)'
  SERVER_URL='https://mcp.atlassian.com/v1/mcp'
  API_INTEGRATION = jira_mcp_api_integration;

Sign into GitHub.
Navigate to the top right avatar, and select Settings.
Select Developer Settings.
Select New GitHub App. Provide a name, homepage URL, and supply two callback URLs as described previously.
You can disable Webhook and set custom permissions (scopes).
Create the app. You should see the app appear in GitHub Apps in the Developer Settings.
Select Edit and Generate a new client secret. Write the client ID and secret down.
Sign in to Snowsight.
In the navigation menu, select AI & ML » Agents.
Select Settings.
Select Tools and Connectors.
Select Browse Connectors.
Select Github.
Enter a description for the MCP Server.
For Server URL, enter https://api.githubcopilot.com/mcp.
For the Token endpoint, enter https://github.com/login/oauth/access_token.
For the Authorization endpoint, enter https://github.com/login/oauth/authorize.
For the Client ID, enter the client ID you wrote down.
For the Client secret, enter the client secret you wrote down.
Select the database and schema where the MCP Server will be created.
Select Add.

Navigate to app.glean.com/settings/install.
Select Configure MCP Server.
In the Host application select Custom. For the MCP server select the desired server (can be default).
Copy the server URL.
Select Save.
Sign in to Snowsight.
In the navigation menu, select AI & ML » Agents.
Select Settings.
Select Tools and Connectors.
Select Browse Connectors.
Select Glean.
Enter a description for the MCP Server.
For the Server URL, enter the server URL you copied.
Select the database and schema where the MCP Server will be created.
Select Add.

Note

You must have Admin access to your Salesforce (sandbox) organization.

Navigate to your Salesforce organization.
Go to Setup from the gear icon.
Search for External Client App Manager in the search bar of the new page.
Select New External Client App and check Enable OAuth.
After the app is created, navigate to the OAuth Settings of the app.
Configure the scopes (ensure sfap_api is included) and the callback URI to be <snowsight_url>/oauth/complete-secret.
Note the Consumer Key and Secret, which are the OAuth client ID and client secret to be used in the Snowflake external API integration.
Sign in to Snowsight.
In the navigation menu, select AI & ML » Agents.
Select Settings.
Select Tools and Connectors.
Select Browse Connectors.
Select Salesforce.
Enter a description for the MCP Server.
Enter the MCP server URL. Salesforce exposes their MCP servers through individual URLs, and the user needs to know what server/tools to access. The OAuth tokens retrieved from the last step can be used for all servers and tools, as long as the scopes permit.

The base URL for each hosted MCP server is:
- https://api.salesforce.com/platform/mcp/v1-beta.2/sandbox/platform/<server_name> if your organization is a sandbox
- https://api.salesforce.com/platform/mcp/v1-beta.2/platform/<server_name> with no /sandbox suffix otherwise
Because the test organization is a sandbox, use test.salesforce.com as the domain of the OAuth endpoints, and https://api.salesforce.com/platform/mcp/v1-beta.2/sandbox/platform/<server_name> as the base URL in the EXTERNAL MCP SERVER object.

You can construct the desired MCP server URLs with the base. For example:
- https://api.salesforce.com/platform/mcp/v1-beta.2/sandbox/platform/sobject-all
- https://api.salesforce.com/platform/mcp/v1-beta.2/sandbox/platform/query
- https://api.salesforce.com/platform/mcp/v1-beta.2/sandbox/platform/search
Enter the token and authorization endpoints:
- For the Token endpoint, enter https://<domain>/services/oauth2/token.
- For the Authorization endpoint, enter https://<domain>/services/oauth2/authorize.
Note

<domain> can be one of test.salesforce.com if the Salesforce organization is a sandbox or login.salesforce.com otherwise.
Enter the client ID and client secret you noted.
Select the database and schema where the MCP Server will be created.
Select Add.

Custom MCP connectors¶

You can also manually configure custom connectors to connect to any MCP-compatible endpoint.

Provide the full OAuth configuration as part of the API integration creation:

 -- Create the API integration with full OAuth configuration
CREATE API INTEGRATION custom_mcp_api_integration
   API_PROVIDER = external_mcp
   API_ALLOWED_PREFIXES = ('https://internal.mycompany.com/mcp')
   API_USER_AUTHENTICATION = (
     TYPE = OAUTH
     OAUTH_CLIENT_ID = 'your_client_id'
     OAUTH_CLIENT_SECRET = 'your_client_secret'
     OAUTH_TOKEN_ENDPOINT = 'https://internal.mycompany.com/oauth/token'
     OAUTH_CLIENT_AUTH_METHOD = CLIENT_SECRET_BASIC
     OAUTH_AUTHORIZATION_ENDPOINT = 'https://internal.mycompany.com/oauth/authorize'
   )
   ENABLED = TRUE;

Alternatively, you can use API integration with DCR:

CREATE API INTEGRATION custom_mcp_api_integration
  API_PROVIDER = external_mcp
  API_ALLOWED_PREFIXES = ('https://internal.mycompany.com/mcp')
  API_USER_AUTHENTICATION = (
    TYPE = OAUTH_DYNAMIC_CLIENT
    OAUTH_RESOURCE_URL='https://internal.mycompany.com/mcp'
  )
  ENABLED = TRUE;

Create the MCP server object:

-- Create the external MCP server
CREATE EXTERNAL MCP SERVER mycompany_mcp_server
  WITH NAME = 'Mycompany MCP server'
  API_INTEGRATION = custom_mcp_api_integration;

Reference the MCP server in the Agent configuration:

-- Add MCP server to agent
ALTER AGENT my_support_agent
  ADD MCP_SERVER = 'db.schema.MCP server';

OAuth parameters for custom MCP servers¶

The following table describes the OAuth parameters for custom MCP servers:


Parameter	Type	Required	Default	Description
OAUTH_CLIENT_ID	STRING	Yes	None	Client ID from the MCP server provider
OAUTH_CLIENT_SECRET	STRING	Yes	None	Client secret from the MCP server provider
OAUTH_DISCOVERY_URL	STRING	No	None	OpenID Connect discovery URL for automatic endpoint resolution
OAUTH_TOKEN_ENDPOINT	STRING	Yes	None	Endpoint for exchanging authorization codes for access tokens
OAUTH_AUTHORIZATION_ENDPOINT	STRING	Yes	None	Endpoint where users authorize the connection
OAUTH_CLIENT_AUTH_METHOD	STRING	No	CLIENT_SECRET_BASIC	Authentication method: CLIENT_SECRET_BASIC or CLIENT_SECRET_POST

Add MCP connectors to the Cortex Agent¶

After MCP server object creation, the agent developer references it in the Cortex Agent config. MCP Connectors are available in the Agent Admin UI, where developers can browse and select from MCP connectors configured at the account level. You can also use SQL or API to add MCP connectors to your agents.

Sign in to Snowsight.
In the navigation menu, select AI & ML » Agents.
Select the agent name from the list of agents.
Select MCP Connectors.
From the list of Available Connectors, select the connector you want to add.
Review the connector details and select Add to agent.

ALTER AGENT [ IF EXISTS ] <name> MODIFY LIVE VERSION SET SPECIFICATION $$
    <previous_spec>
    mcp_servers:
      - server_spec:
         name: "db.schema.mcp_server1"
      - server_spec:
         name: "db.schema.mcp_server2"
$$;

Agent developers add external MCP servers to a Cortex Agent’s specification using the Agent object REST API:

PUT /api/v2/databases/{database}/schemas/{schema}/agents/{name}

{
    "comment": "An agent to answer questions about all my data",
    "profile": {
        "display_name": "My Agent"
    },
    "models": {
        "orchestration": "claude-4-sonnet"
    },
    "mcp_servers": [
        {"server_spec": "prod_db.integrations.jira_mcp_server"},
        {"server_spec": "prod_db.integrations.github_mcp_server"}
    ]
}

Cortex Agents that reference these MCP servers can access tools provided by the provider. For example, with Atlassian, tools include creating Jira issues, commenting on issues, creating Confluence pages, and updating existing pages.

When the agent is invoked, it retrieves the tool list from each MCP server and includes those tools in its orchestration. The agent selects and invokes tools based on the user’s query and the tool descriptions provided by the MCP server.

Use MCP connectors in Snowflake Intelligence¶

Snowflake Intelligence users connect to external MCP servers through the Snowflake Intelligence interface:

Navigate to the Snowflake Intelligence interface by following the instructions in Access the agent.
Open the sources panel and select Connectors.
Select Connect next to the connector of choice. You can also select Manage Connections and then select Connect.
The user is redirected to the third-party service’s authentication page to approve the connection.
After authentication, the connector appears as Connected in the sources list. You can now interact with the Agent to get information from the external MCP server.

To disconnect the server, the user can complete the following:

Select Manage Connections.
Select MCP Server and then select Disconnect.

Users can connect and disconnect connectors in the sources dropdown to include or exclude them from the agent’s orchestration. Connectors that aren’t in the Connected state aren’t included in orchestration.

When a user’s authentication token expires, Snowflake Intelligence prompts the user to re-authenticate.

Use MCP connectors in Agent:run API¶

Agent:run API connect to MCP servers through the client interface. Use the following functions to authenticate users with the third-party service authentication:

Function to start OAuth flow:

-- Returns authorization URI to authenticate through the third-party service
SELECT SYSTEM$START_USER_OAUTH_FLOW('<API_INTEGRATION_NAME>');

Function to finish OAuth flow:
```
SYSTEM$FINISH_OAUTH_FLOW( '<query_string>' )
```

For additional information, see SYSTEM$START_USER_OAUTH_FLOW and SYSTEM$FINISH_OAUTH_FLOW.

Manage MCP servers¶

List and describe MCP servers¶

List all external MCP servers at different scopes:

-- List all MCP servers in the account
SHOW EXTERNAL MCP SERVERS IN ACCOUNT;

-- List MCP servers in a specific database or schema
SHOW EXTERNAL MCP SERVERS IN DATABASE prod_db;
SHOW EXTERNAL MCP SERVERS IN SCHEMA prod_db.integrations;

The output includes the server name, database, schema, owner, type (pre-built or custom), MCP server URL, state (enabled or disabled), and associated API integration.

To view the full configuration of a specific server:

DESCRIBE EXTERNAL MCP SERVER mycompany_mcp_server;

Disable and enable MCP servers¶

Disable an MCP server by altering its underlying API integration. Disabling immediately invalidates all user tokens and triggers a call to the MCP server’s revocation endpoint. Secrets aren’t deleted when you disable an integration. They expire naturally if the integration remains disabled long enough.

-- Disable the MCP server
ALTER API INTEGRATION mycompany_mcp_integration SET ENABLED = FALSE;

-- Re-enable the MCP server
ALTER API INTEGRATION mycompany_mcp_integration SET ENABLED = TRUE;

Warning

When you disable an API integration, all agents using that MCP server lose access to its tools immediately. Snowflake Intelligence surfaces an alert to users when a connector is disabled. Re-enabling requires users to re-authenticate as if connecting for the first time.

You can’t create a new MCP server that references a disabled API integration. During agent execution, Snowflake checks both the MCP server and API integration states and only uses enabled servers.

Drop an MCP server¶

Drop the MCP server first, then drop the API integration. Only roles with the OWNERSHIP privilege can issue drops.

-- Drop the MCP server
DROP EXTERNAL MCP SERVER mycompany_mcp_server;

-- Drop the API integration (permanently deletes OAuth configuration and secrets)
DROP API INTEGRATION mycompany_mcp_integration;

Warning

Dropping an API integration permanently deletes all OAuth configuration and stored secrets. Ensure no agents are currently using the MCP server before dropping it. You must recreate both objects from scratch if you need them again.

Key considerations and best practices¶

Custom MCP servers: Use custom servers when connecting to MCP endpoints not in the available MCP connectors list. Snowflake supports user authentication types for Atlassian, GitHub, Glean, Linear, and Salesforce in the API integration.
Least-privilege access: Grant only the minimum required privileges for each role. Access to an MCP server doesn’t automatically grant access to its tools, you must grant permissions separately for each tool.
OAuth authentication: Snowflake only supports using OAuth for all MCP server connections.
Disabling or dropping: Disabling an API integration preserves its configuration, but immediately invalidates all user tokens and blocks tool invocations. Dropping an API integration permanently deletes it along with all stored secrets. Disable the integration when performing maintenance. Drop the integration when decommissioning.
Hostname formatting: Use hyphens (-) instead of underscores (_) in hostnames when configuring MCP server connections. Hostnames containing underscores cause connection issues.

Limitations¶

The following limitations apply to MCP connectors:

Monitoring: MCP tool calls are not logged to the monitoring table.
MCP protocol scope: External MCP servers support tool capabilities only. Resources, prompts, roots, notifications, version negotiations, lifecycle phases, and sampling are not supported.
Disabled integrations: You can’t create an MCP server that references a disabled API integration.
Hostname format: Hostnames must use hyphens, not underscores.