3 October 2020

Key Based Authentication Failed with “JWT token is invalid” Error

By Eric Lin

Sometimes a user can hit a “JWT token is invalid” error when connecting to Snowflake via SnowSQL using key-based authentication. To capture this error, enable logging for SnowSQL on the command line. Use the sample command below to write DEBUG-level logs to a file:

snowsql -a <account_name> -u <username> --private-key-path ~/.ssh/rsa_key.p8 \
  -o log_file=/tmp/snowsql.log -o log_level=DEBUG

Then check the log file at /tmp/snowsql.log.

There are at least two possible causes that can lead SnowSQL to fail this way:

  • The client machine’s time is not synced with an NTP server, which causes the JWT token to become invalid due to a token TTL timeout
  • The backend server only accepts tokens created within 10 seconds of the current time. If there are network latency issues, the JWT token can be more than 10 seconds old by the time it reaches the backend server, which causes the invalid token error

To resolve the issue, make sure that the client machine that runs the SnowSQL client has the correct time and is synced with an NTP server. If you are unsure, check with your system administrator for help.

If NTP time sync is not the problem, then the error is possibly caused by network latency that delays delivery of the token by more than 10 seconds. Again, check with your system administrator to see whether there is indeed a network latency issue that needs to be addressed.
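
The two causes above can be told apart by comparing a token's issue and expiry times with the server's clock at the moment the token arrives. The Python below is an added example, not code from the original post or from Snowflake; it assumes the token carries the standard JWT iat and exp claims and uses the 10-second window stated above, while the function names, the 60-second lifetime and the sample tokens are constructed for illustration.

```python
import base64
import json

ACCEPT_WINDOW_S = 10  # acceptance window the article describes

def decode_claims(jwt: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def diagnose(jwt: str, server_now: int, window: int = ACCEPT_WINDOW_S) -> str:
    """Classify how a server would see the token at arrival time server_now (epoch s)."""
    claims = decode_claims(jwt)
    iat, exp = int(claims["iat"]), int(claims["exp"])
    age = server_now - iat
    if age < 0:
        return f"client clock ahead by {-age}s (iat in the future)"
    if server_now >= exp:
        return f"expired {server_now - exp}s ago (client clock behind, or token reused)"
    if age > window:
        return f"token is {age}s old on arrival (> {window}s): clock behind or latency"
    return f"ok: token is {age}s old on arrival"

def make_sample_jwt(iat: int, ttl: int = 60) -> str:
    """Constructed, unsigned sample token for the demo; ttl is an assumed lifetime."""
    def b64(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([b64({"alg": "RS256", "typ": "JWT"}),
                     b64({"iat": iat, "exp": iat + ttl}), "sig"])

if __name__ == "__main__":
    server_now = 1_601_700_000  # constructed reference time (epoch seconds)
    for label, iat in [("in sync", server_now - 2),
                       ("client 45s fast", server_now + 45),
                       ("slow network", server_now - 14),
                       ("client 5 min slow", server_now - 300)]:
        print(f"{label:18} -> {diagnose(make_sample_jwt(iat), server_now)}")
```

A token that is only a few seconds too old can come from either a slow clock or a slow network, which is why the clock check comes first in the steps above.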