Hey,
Since your JWT is generating properly and you can see the token with expiry, that means your key-pair setup is most likely correct. The generic error usually happens when the actual request to Snowflake fails after authentication, not during token generation.
I’d suggest turning the log level to TRACE for the Snowflake connector and REST calls, because sometimes a hidden 401 or 403 shows up there. Also double-check the account identifier format, as even a small mismatch in region or org name can cause this. It’s worth verifying that the public key is correctly attached to the Snowflake user and that the role and warehouse are valid.
In most cases like this, it turns out to be either the account format or a small mismatch in the JWT audience value.
Hope this helps
Hi,
If the JWT generation works but the “Connect to Snowflake” button still returns a generic internal error, the issue is usually not the JWT itself. In most cases the token is valid, but the connection validation fails because one of the Snowflake connection parameters does not match what Snowflake expects.
A few things that are worth checking:
First, make sure the account identifier is correct. The Snowflake REST endpoint expects the account in the format used by the Snowflake URL (for example xy12345.eu-central-1 or org-account.region). If the connector is using the wrong account format, the request will fail even if the JWT is valid.
Second, verify that the JWT subject and issuer values match the Snowflake user configuration. For key-pair authentication Snowflake expects the JWT subject to follow the pattern:
<ACCOUNT_IDENTIFIER>.<USER_NAME>
and the public key corresponding to your private key must already be registered for that user in Snowflake. If the subject does not match exactly, Snowflake will reject the request.
Third, check that the warehouse, role, and database parameters configured in the connector actually exist and that the user tied to the key pair has permission to use them. The connector’s “test connection” call attempts to open a session with those parameters, and if the role or warehouse is invalid the API returns an error that Mendix often surfaces as a generic internal error.
Another useful step is to temporarily increase the log level for the Snowflake connector or REST calls in Mendix. When the log level is set to Debug or Trace you should see the actual response returned by Snowflake, which usually reveals whether it is an authentication issue or a configuration mismatch.
In practice, when JWT creation works but the connection test fails, it almost always turns out to be one of these three things: incorrect account identifier, mismatch between JWT subject and Snowflake user configuration, or invalid role/warehouse settings. Once those values align with the Snowflake configuration, the connection test typically succeeds.
Checklist:
1. Check module role
Make sure your user has the SnowflakeRESTSQL.Administrator module role. Without it, the connector may show a generic error.
2. Enable TRACE logging
Set SnowflakeRESTSQL log level to TRACE and test again. The real error (401, 403, JWT invalid, etc.) should appear in the logs or browser Network tab.
3. Verify account identifier & URL
Make sure the Account Identifier is correct (replace . with - if needed) and the Account URL is copied exactly from Snowflake.
4. Check key-pair setup
Ensure you are using a PKCS#8 .p8 private key and that the public key is correctly registered on the Snowflake user.
If this resolves the issue, please close the topic.
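The claim checks suggested in the answers above (subject pattern, issuer, account identifier format) can be run locally against a generated token. This is an added example, not part of the original posts and not Mendix or Snowflake code. The function names, account and user values are hypothetical, and the upper-casing and the issuer format are assumptions taken from Snowflake's key-pair authentication documentation rather than from this thread.

```python
import base64
import json
import time


def decode_claims(jwt):
    """Decode the JWT payload WITHOUT verifying the signature (diagnosis only)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_claims(claims, account, user, now=None):
    """Return the mismatches between the claims and the expected Snowflake values."""
    now = time.time() if now is None else now
    problems = []
    if "." in account:
        problems.append("account identifier contains '.'; replace it with '-'")
    # Assumption (Snowflake key-pair docs, not this thread): values are upper-cased.
    expected_sub = f"{account}.{user}".upper()
    sub = claims.get("sub", "")
    if sub != expected_sub:
        problems.append(f"sub is {sub!r}, expected {expected_sub!r}")
    # Assumption (Snowflake key-pair docs): iss = <sub>.SHA256:<public key fingerprint>
    prefix = expected_sub + ".SHA256:"
    iss = claims.get("iss", "")
    if not iss.startswith(prefix):
        problems.append(f"iss is {iss!r}, expected prefix {prefix!r}")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("exp is missing or already in the past")
    return problems


if __name__ == "__main__":
    # Constructed sample token: placeholder names, fingerprint and signature.
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

    header = b64({"alg": "RS256", "typ": "JWT"})
    claims = {"iss": "MYORG-MYACCT.SVC_USER.SHA256:PLACEHOLDER",
              "sub": "MYORG.MYACCT.SVC_USER",  # deliberate mismatch: '.' instead of '-'
              "iat": 1700000000, "exp": 1700003600}
    token = f"{header}.{b64(claims)}.signature-placeholder"
    for problem in check_claims(decode_claims(token), "myorg-myacct", "svc_user",
                                now=1700000100):
        print("MISMATCH:", problem)
```

An empty result only means the claims have the expected shape; it says nothing about whether the public key is registered on the user or whether the role and warehouse are valid.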
Sorry if I am taking up so much of your time, but the error is:
HTTP/1.1
Code: 401
{
"code" : "390101",
"message" : "User access disabled. Contact your local system administrator."
}
and the account identifier cannot be false because I must use:
(Account Identifier <orgname>-<account_name>)
this type.
and my Private Key is also in .p8 Format.