SHOW USER PROGRAMMATIC ACCESS TOKENS¶

Lists the programmatic access tokens associated with a user.

See also:

ALTER USER … ADD PROGRAMMATIC ACCESS TOKEN (PAT) , ALTER USER … MODIFY PROGRAMMATIC ACCESS TOKEN (PAT) , ALTER USER … ROTATE PROGRAMMATIC ACCESS TOKEN (PAT) , ALTER USER … REMOVE PROGRAMMATIC ACCESS TOKEN (PAT)

Syntax¶

SHOW USER { PROGRAMMATIC ACCESS TOKENS | PATS } [ FOR USER <username> ]
Copy

You can use the keyword PATS as a shorter way of specifying the keywords PROGRAMMATIC ACCESS TOKENS.

Parameters¶

FOR USER username

Lists the programmatic access tokens for the specified user.

Default: Lists the programmatic access tokens for the current user.

Output¶

The output of the command includes the following columns, which describe the properties and metadata of the object:

The command output includes the following columns, which provide properties and metadata for each programmatic access token:

Column

Description

name

The name of the programmatic access token.

user_name

The username associated with the programmatic access token.

If the user associated with the programmatic access token was removed from the account, then Snowflake returns the user ID instead of the username. You can find information about a removed user by using the USERS view in the ACCOUNT_USAGE schema.

role_restriction

The name of the role that the programmatic access token inherits privileges from.

expires_at

The timestamp when the programmatic access token expires.

status

The expiration status of the programmatic access token. This column can be one of the following values:

  • ACTIVE: The programmatic access token can be used to authenticate, and the expires_at column value is greater than the current date.

  • EXPIRED: The programmatic access token cannot be used to authenticate, and the expires_at column value is less than or equal to the current date.

    Expired programmatic access tokens remain visible for 30 days. After 30 days, you can view expired programmatic access tokens in the Account Usage schema.

  • DISABLED: The programmatic access token is disabled because user login access was disabled or the user is locked out of logging in.

comment

A user-provided comment about the programmatic access token.

created_on

The date when the programmatic access token was created.

created_by

The username or user ID of the user who created the programmatic access token.

mins_to_bypass_required_network_policy

The number of minutes during which a user can use this token to access Snowflake without being subject to an active network policy.

Access control requirements¶

A role used to execute this operation must have the following privileges at a minimum:

Privilege

Object

Notes

MODIFY

User

Required only when displaying programmatic access tokens for a user other than yourself.

For instructions on creating a custom role with a specified set of privileges, see Creating custom roles.

For general information about roles and privilege grants for performing SQL actions on securable objects, see Overview of Access Control.

Usage notes¶

  • The command lists all programmatic access tokens for a given user, not all programmatic access tokens for an account.

  • The programmatic access token secret is never returned after creation.

  • After seven days, expired programmatic access tokens are deleted and no longer appear in the output of the command.

Examples¶

Show information about programmatic access tokens associated with the user example_user:

SHOW USER PROGRAMMATIC ACCESS TOKENS FOR USER example_user;
Copy
Language: English