Skip to main content

Before you start

Before connecting, review security to see whether DataFrey fits your requirements, how to scope access, and how we protect credentials and data.
  • Privileges: run setup as ACCOUNTADMIN or SYSADMIN. DataFrey itself runs SELECT only.
  • Auth: Programmatic Access Token (PAT).
  • Scope: the generated SQL grants read on the whole database. Narrow it via Restrict access.

Setup

datafrey runs setup on first launch. To re-run it later: 
datafrey db connect
Pick Snowflake. The CLI walks you through:
1

Database & warehouse

Enter the target database and the warehouse DataFrey should run queries on. The CLI collects both upfront to template the setup SQL.
To list your databases: SHOW DATABASES;
Database name: <MY_DATABASE>

To list your warehouses: SHOW WAREHOUSES;
Warehouse name: <MY_WAREHOUSE>
Every query issued through the MCP server runs on this warehouse, so size it for your expected MCP query load and complexity.
2

Run setup SQL

The CLI fills in the SQL below. Edit the grants now if you’re scoping to specific schemas or tables (see Restrict access).
CREATE ROLE IF NOT EXISTS DATAFREY_ROLE;

GRANT USAGE ON WAREHOUSE <MY_WAREHOUSE> TO ROLE DATAFREY_ROLE;
GRANT USAGE ON DATABASE <MY_DATABASE> TO ROLE DATAFREY_ROLE;

-- Existing objects
GRANT USAGE ON ALL SCHEMAS IN DATABASE <MY_DATABASE> TO ROLE DATAFREY_ROLE;
GRANT SELECT ON ALL TABLES IN DATABASE <MY_DATABASE> TO ROLE DATAFREY_ROLE;
GRANT SELECT ON ALL VIEWS IN DATABASE <MY_DATABASE> TO ROLE DATAFREY_ROLE;

-- Future objects
GRANT USAGE ON FUTURE SCHEMAS IN DATABASE <MY_DATABASE> TO ROLE DATAFREY_ROLE;
GRANT SELECT ON FUTURE TABLES IN DATABASE <MY_DATABASE> TO ROLE DATAFREY_ROLE;
GRANT SELECT ON FUTURE VIEWS IN DATABASE <MY_DATABASE> TO ROLE DATAFREY_ROLE;

CREATE USER IF NOT EXISTS DATAFREY_USER
  DEFAULT_ROLE = DATAFREY_ROLE
  DEFAULT_WAREHOUSE = <MY_WAREHOUSE>;
GRANT ROLE DATAFREY_ROLE TO USER DATAFREY_USER;

CREATE OR REPLACE NETWORK POLICY DATAFREY_NETWORK_POLICY
  ALLOWED_IP_LIST = ('3.229.236.29');
ALTER USER DATAFREY_USER SET NETWORK_POLICY = DATAFREY_NETWORK_POLICY;

-- Run this last. Copy the PAT from the result — it won't be shown again.
ALTER USER DATAFREY_USER ADD PROGRAMMATIC ACCESS TOKEN DATAFREY_PAT
  ROLE_RESTRICTION = 'DATAFREY_ROLE'
  DAYS_TO_EXPIRY = 180;
Snowflake returns the PAT once, in the result set of the final statement. Copy it before closing the worksheet.
3

Paste credentials

Back in the CLI, paste:
FieldValue
Access tokenThe PAT from the last SQL result
Account identifierorgname-accountname (see below)
UsernameDATAFREY_USER (default)
RoleDATAFREY_ROLE (default)
To get the account identifier, run in Snowflake:
SELECT CURRENT_ORGANIZATION_NAME() || '-' || CURRENT_ACCOUNT_NAME();
4

Verify

DataFrey verifies the connection after you paste credentials. Confirm the result:
datafrey db list
Expect connected. On error, run datafrey db drop and restart datafrey db connect.
5

Index

The CLI then offers to index your database — it explores your data to power the plan tool. Check the security page to see what the index holds and whether that’s acceptable for you.

Troubleshooting

Confirm the network policy is attached: SHOW PARAMETERS LIKE 'NETWORK_POLICY' FOR USER DATAFREY_USER; should return DATAFREY_NETWORK_POLICY, and that policy must include 3.229.236.29 in its ALLOWED_IP_LIST.
Format: orgname-accountname, lowercase, no .snowflakecomputing.com suffix. To get it:
SELECT CURRENT_ORGANIZATION_NAME() || '-' || CURRENT_ACCOUNT_NAME();
PATs expire after 180 days. Rotate in Snowflake, then reconnect the CLI:
ALTER USER DATAFREY_USER REMOVE PROGRAMMATIC ACCESS TOKEN DATAFREY_PAT;
ALTER USER DATAFREY_USER ADD PROGRAMMATIC ACCESS TOKEN DATAFREY_PAT
  ROLE_RESTRICTION = 'DATAFREY_ROLE'
  DAYS_TO_EXPIRY = 180;

datafrey db drop
datafrey db connect

Next steps

Connect Claude Code

Install DataFrey as a Claude Code plugin.

Connect another AI client

Install DataFrey for Cursor or another MCP client.