Snowflake Token
Detects Snowflake OAuth access and refresh tokens, which carry the recognizable ver:1-hint: / ver:2-hint: prefix used by Snowflake authentication. These tokens (and programmatic access tokens used in their place) grant query and data access to a Snowflake account.
- Type: regex
- Engine: universal
- Confidence: high
- Confidence justification: High confidence: the literal ver:N-hint: structure is specific to Snowflake OAuth tokens and does not occur in ordinary text; corroborative Snowflake keywords further reduce false positives.
- Jurisdictions: global
- Regulations: Criminal Code Act 1995 (Cth)
- Frameworks: CIS Controls, ISO 27001, NIST CSF, SOC 2
- Data categories: credentials, security
- Scope: narrow
- Risk rating: 9
- Platform compatibility: Purview: Compatible, GCP DLP: Unsupported, Macie: Unsupported, Zscaler: Compatible, Palo Alto: Unsupported, Netskope: Unsupported
Pattern
(?<![A-Za-z0-9])ver:[12]-hint:[0-9]{6,}(?:-did:[0-9]{1,6})?(?:-ET[A-Za-z0-9+/_-]{16,}={0,2})?
Corroborative evidence keywords
snowflake, snowflakecomputing, programmatic access token, oauth, access token, refresh token, connection string
Proximity: 300 characters
Should match
- ver:1-hint:836412345 — Snowflake OAuth access token, ver:1-hint: prefix
- token=ver:2-hint:8001830917-did:1014-ETMsDgAAAYclXmkuAxABCDEFGHpsGXxUdaJKZlySzA== — Snowflake OAuth refresh token in a connection string
- ver:1-hint:8364123456789 — Long hint segment access token
Should not match
- ver:3-hint:836412345 — Wrong version (only 1 or 2 are valid Snowflake token versions)
- ver:1-hint:1234 — Hint segment too short to be a valid Snowflake token
- see the snowflake oauth token documentation for the connection string format — Prose mention without a token value
Known false positives
- Documentation or examples showing placeholder ver:1-hint: strings. Mitigation: Require corroborative Snowflake keywords and check for placeholder markers (example, xxxx).
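
The following is an added example, not the catalogue's own implementation: a Python scanner that applies the pattern above, requires a corroborative keyword within the 300-character proximity, and suppresses hits that carry a placeholder marker. It assumes proximity is measured from the edges of the match; the 40-character placeholder radius and the `scan` function are hypothetical choices, and the sample inputs are constructed from the entry's own test strings.

```python
import re

# Pattern, keywords and proximity copied from the entry above.
TOKEN_RE = re.compile(
    r"(?<![A-Za-z0-9])ver:[12]-hint:[0-9]{6,}"
    r"(?:-did:[0-9]{1,6})?(?:-ET[A-Za-z0-9+/_-]{16,}={0,2})?"
)
KEYWORDS = ("snowflake", "snowflakecomputing", "programmatic access token",
            "oauth", "access token", "refresh token", "connection string")
PROXIMITY = 300                      # characters either side of the match
PLACEHOLDERS = ("example", "xxxx")   # markers from "Known false positives"
PLACEHOLDER_RADIUS = 40              # assumption: not specified by the entry


def scan(text):
    """Return one finding per candidate token, with the corroboration verdict."""
    findings = []
    for m in TOKEN_RE.finditer(text):
        s, e = m.span()
        # Keywords are searched only in the surrounding text, never in the
        # token itself, so a base64 tail cannot corroborate its own match.
        context = (text[max(0, s - PROXIMITY):s] + "\n" + text[e:e + PROXIMITY]).lower()
        corroborated = any(k in context for k in KEYWORDS)
        # Placeholder markers may sit inside the token (-ETxxxx...) or next to it.
        tight = text[max(0, s - PLACEHOLDER_RADIUS):e + PLACEHOLDER_RADIUS].lower()
        placeholder = any(p in tight for p in PLACEHOLDERS)
        findings.append({
            "offset": s,
            "redacted": m.group()[:11] + "***",   # never log the full secret
            "corroborated": corroborated,
            "placeholder": placeholder,
            "report": corroborated and not placeholder,
        })
    return findings


# Constructed inputs built around the entry's own sample strings.
SAMPLES = [
    "snowflake connection string: token=ver:2-hint:8001830917-did:1014-"
    "ETMsDgAAAYclXmkuAxABCDEFGHpsGXxUdaJKZlySzA==",
    "build id ver:1-hint:836412345 finished",
    "Snowflake docs example: ver:1-hint:836412345",
    "ver:3-hint:836412345",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print([(f["redacted"], f["report"]) for f in scan(sample)] or "no match")
```

The second sample matches the pattern but is not reported, because no corroborative keyword appears near it. The third is corroborated but suppressed by the placeholder marker.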