Authentication
Learn how to authenticate with the Komodo SDK using either web login (user-based) or machine-to-machine credentials.
Accounts
A Komodo account is your organizational entity on the platform. Each account has its own data subscriptions and a dedicated Komodo-managed Snowflake warehouse. Every query and API operation is scoped to the account you select or pass in.
Account identifiers
- Account ID — UUID that uniquely identifies the account (for example 123e4567-e89b-12d3-a456-426614174000).
- Account slug — Human-readable name (for example my-organization).
Multiple accounts
You can have access to more than one account. Data does not move between accounts; each account is isolated. Use komodo account set (or pass account_id in code) so the SDK knows which warehouse to use.
Authentication Types
The SDK supports two types of authentication:
1. Web Login (User-Based Authentication)
Web login uses a browser-based OAuth flow for interactive user authentication. This method:
- Opens your browser for authentication
- Is intended for individual users
- Provides JWT tokens for API access
- Is best for interactive, manual use
Ways to use Web Login:
Via CLI (Persisted)
When you use the CLI, credentials are stored in the [default] profile:

    uv run komodo login

This stores the JWT token in ~/.komodo/credentials under [default], which can be used by subsequent SDK calls.
Then use the SDK without passing credentials:

    from komodo import get_snowflake_connection

    # Uses credentials from [default] profile
    conn = get_snowflake_connection()

If no credentials are found, the SDK will trigger a web login flow automatically, but credentials are not persisted to disk. They exist only for that session.
Via SDK (In-Memory Only)
Pass a JWT token directly with an account ID:

    from komodo import get_snowflake_connection

    jwt = "eyJ0eXAiOiJKV1QiLCJhbGc..."  # From `komodo jwt`
    account_id = "123e4567-e89b-12d3-a456-426614174000"  # From `komodo account get`

    conn = get_snowflake_connection(jwt=jwt, account_id=account_id)

2. Machine-to-Machine (Service Principal Authentication)
Machine-to-machine (M2M) authentication uses client credentials (client ID and client secret) for automated, non-interactive authentication. This method:
- Uses service principal credentials instead of browser login
- Is designed for automation, CI/CD, and services
- Requires a service principal to be set up in your Komodo account
- Does not require user interaction
Ways to use M2M Authentication:
Via SDK (Explicit Credentials)
Pass credentials directly when creating a connection:

    from komodo import get_snowflake_connection

    conn = get_snowflake_connection(
        client_id="your_client_id",
        client_secret="your_client_secret",
        account_id="your_account_id",
    )

Via Profiles
Store credentials in ~/.komodo/credentials and reference them by profile name.
Setting up Named Profiles:
Create profiles in ~/.komodo/credentials with your service principal credentials:

    [default]  # Created by `komodo login` and `komodo account set`
    token = eyJ0eXAiOiJKV1QiLCJhbGc...
    token_expiration = 1234567890
    account_id = 123e4567-e89b-12d3-a456-426614174000
    account_slug = my-organization

    [production]
    client_id = client_id_123456
    client_secret = client_secret_123456
    account_id = 123456789
    account_slug = prod-org

    [development]
    client_id = client_id_234567
    client_secret = client_secret_234567
    account_id = 234567898
    account_slug = dev-org

Using Named Profiles:

    from komodo import get_snowflake_connection

    # Use a named profile
    conn = get_snowflake_connection(profile="production")

    # Or use a different profile
    conn = get_snowflake_connection(profile="development")

Important Rules:
- You can only use one authentication method at a time
- JWT and explicit M2M credentials require an account_id parameter
- Profiles cannot be combined with account_id - the profile contains the account ID
- You cannot mix methods (e.g., cannot use both jwt and client_id)
- Named profiles only support M2M credentials, not JWT tokens
Valid and Invalid Usage:

    # ✅ Valid: Use a profile
    conn = get_snowflake_connection(profile="production")

    # ✅ Valid: Use explicit credentials
    conn = get_snowflake_connection(
        client_id="...",
        client_secret="...",
        account_id="..."
    )

    # ❌ Invalid: Cannot mix profile with explicit credentials
    conn = get_snowflake_connection(
        profile="production",
        client_id="..."  # Error!
    )

    # ❌ Invalid: Cannot specify account_id with profile
    conn = get_snowflake_connection(
        profile="production",
        account_id="..."  # Error! Profile contains account_id
    )

Not passing credentials directly to get_snowflake_connection()
If you don’t pass any credentials to SDK functions, the SDK follows this fallback chain:
- Check [default] profile: Looks for credentials in ~/.komodo/credentials under the [default] section (created by the komodo login CLI command)
- Trigger web login: If [default] is not present or contains invalid/expired credentials, initiates a browser-based login flow
  - Note: When web login is triggered by the SDK (not the CLI), credentials are not persisted to disk. They exist only in memory for that session.
Authentication Precedence
The SDK resolves credentials in the following order:
Precedence Summary:
- Highest: Explicit credentials passed to the function
  - jwt= + account_id= (Web Login)
  - client_id= + client_secret= + account_id= (M2M)
  - profile= (M2M via named profile)
- Medium: [default] profile from ~/.komodo/credentials (set by the komodo login CLI)
- Lowest: Web login flow (triggered if no valid credentials found)
  - Note: Credentials from SDK-triggered web login are not persisted to disk
Credentials File Configuration
By default, the Komodo SDK and CLI store and read credentials from ~/.komodo/credentials. You can customize this location by setting the KOMODO_CREDENTIALS_PATH environment variable.
Default Location

    ~/.komodo/credentials

Customizing the Path
Set KOMODO_CREDENTIALS_PATH to use a different file path:

    export KOMODO_CREDENTIALS_PATH="/path/to/my/credentials"

Once set, all CLI commands (komodo login, komodo account set, etc.) and SDK calls will use this path for reading and writing credentials.
Example: Using a Custom Credentials Path

    # Set a custom credentials path
    export KOMODO_CREDENTIALS_PATH="/opt/komodo/credentials"

    # Login — credentials will be saved to /opt/komodo/credentials
    komodo login

    # SDK calls will also read from the custom path
    python -c "from komodo import get_snowflake_connection; conn = get_snowflake_connection()"

Creating Service Principal Credentials
Create a service principal using the CLI:

    uv run komodo service-principal create --name "my-service" --description "My service principal"

You’ll receive a client_id and client_secret to use for authentication.
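
A check an operator can run against the credentials file described above, added here as an example and not part of the Komodo SDK or its documentation: it flags a file mode that lets group or other users reach the stored token and client_secret, an expired [default] token, and named profiles that break the M2M-only rule. It assumes POSIX file modes and that token_expiration is a Unix timestamp in seconds; audit(), M2M_KEYS and SAMPLE are names made up for this example.

```python
import configparser
import os
import tempfile
import time

M2M_KEYS = ("client_id", "client_secret", "account_id")
# Constructed sample in the page's file format; every value is a placeholder.
SAMPLE = """\
[default]
token = placeholder.jwt.value
token_expiration = 1234567890
[production]
client_id = client_id_123456
client_secret = client_secret_123456
account_id = 123456789
[staging]
token = placeholder.jwt.value
"""


def audit(path, now=None):
    """Return (scope, finding) pairs; assumes POSIX modes and Unix-seconds expiry."""
    now = time.time() if now is None else now
    findings = []
    mode = os.stat(path).st_mode & 0o777
    if mode & 0o077:
        findings.append(("file", f"mode {mode:04o} grants group/other access"))
    cfg = configparser.ConfigParser(interpolation=None)  # secrets may contain '%'
    cfg.read(path)
    for name in cfg.sections():
        sec = cfg[name]
        if name == "default":
            if "token" in sec and sec.getfloat("token_expiration", fallback=now) < now:
                findings.append((name, "token expired"))
            continue
        if "token" in sec:
            findings.append((name, "JWT in named profile (M2M only)"))
        missing = [key for key in M2M_KEYS if key not in sec]
        if missing:
            findings.append((name, "missing " + ", ".join(missing)))
    return findings


if __name__ == "__main__":
    with tempfile.NamedTemporaryFile("w") as fh:
        fh.write(SAMPLE)
        fh.flush()
        os.chmod(fh.name, 0o644)  # deliberately too permissive for the demo
        print(*audit(fh.name, now=2_000_000_000), sep="\n")
```

To audit a real file, call audit() with the value of KOMODO_CREDENTIALS_PATH or the expanded default path ~/.komodo/credentials.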