PHP PDO Driver for Snowflake release notes for 2026¶

This article contains the release notes for the PHP PDO Driver for Snowflake, including the following when applicable:

Snowflake uses semantic versioning for PHP PDO Driver for Snowflake updates.

Version 4.0.0 (Jun 16, 2026)¶

Added support for PHP 8.5.
Added support for forwarding the Snowpark Container Services session token in the login request. When the SNOWFLAKE_RUNNING_INSIDE_SPCS environment variable is set to true, the driver reads the token from /snowflake/session/spcs_token and attaches it as SPCS_TOKEN on the login payload.
Added the SF_SKIP_TOKEN_FILE_PERMISSIONS_VERIFICATION environment variable as the namespaced replacement for SKIP_TOKEN_FILE_PERMISSIONS_VERIFICATION when reading JSON token files. The unprefixed variable still works but is now logged as deprecated.
Changed AWS workload identity federation attestation from a base64-encoded signed STS GetCallerIdentity request to a JWT obtained from STS GetWebIdentityToken.
Updated Curl to v8.20.0.
Updated OpenSSL to v3.0.21.
Updated AWS SDK for C++ to v1.11.806.
Upgraded libsnowflakeclient to version 2.9.1.

Fixed an infinite JWT renewal loop during login when renew_timeout elapses repeatedly (for example, behind a bad proxy or slow network). Renewal is now bound by the configured login retry count and overall login timeout.
Fixed misleading error message when building the driver on Windows.

Added the log_query_text and log_query_parameters connection parameters to allow the logging of the SQL text and bound parameter values, respectively. Both parameters default to false.
Added the crl_download_max_size connection parameter to control the maximum size (in bytes) of a CRL file downloaded during TLS certificate revocation checks. The default value is 20 MB.
Updated Curl to v8.19.0.
Updated OpenSSL to v3.0.20.

Implemented richer client_environment telemetry information to include on which environment the driver runs (such as Lambda, EC2, GCP, Azure VM, and so on) and whether the managed identity is enabled.
Added support for workload identity federation authentication, including the following new connection parameters:
- workload_identity_provider - Platform of the workload identity provider. Possible values include: AWS, AZURE, GCP, and OIDC.
- workload_identity_azure_resource - If the AZURE workload_identity_provider is used, this parameter sets the resource that the driver should use to identify itself.
- workload_identity_impersonation_path - An array of strings that provides an identity chain to use when connecting to Snowflake. Array elements are either a full service account address or a service account’s unique ID.
  
  Impersonation works by following each array entry to obtain a token that allows authorization of the next service account. Each account in the identity chain needs permissions to impersonate the next account only. The final account in the list obtains your Snowflake connection token and uses it to connect to Snowflake.
  
  This parameter is supported for AWS and Google Cloud workloads and only applies when authenticator=WORKLOAD_IDENTITY.
Updated OpenSSL to 3.0.19.
Added support for multistatement queries.

Added support for Red Hat Enterprise Linux (RHEL) 9.
Deprecated CentOS 7 builds. Rocky 8/RHEL8 is now the minimum system version.
Added a warning for HTTP usage in OAuth authentication flows.
Set LOCAL_APPLICATION as a default for the client_id and client_secret for the OAuth Authorization code flow.
Updated Curl to 8.16.0.
Removed the workload identity federation (WIF) auto-detection mechanism.
Added auto-detection of the application path and included it in the CLIENT_ENVIRONMENT variable.
Updated OpenSSL to 3.0.18