The JWT has expired — Snowpipe JWTs are valid for a maximum of 60 minutes. The RSA key pair used to sign the JWT does not match the public key stored in Snowflake (ALTER USER ... SET RSA_PUBLIC_KEY). The JWT issuer (iss) or subject (sub) claim does not match the expected format: account.username. The private key file has been rotated or regenerated without updating the corresponding public key in Snowflake. Clock skew between the client machine and Snowflake servers exceeds the allowed tolerance

Generate a fresh JWT immediately before each Snowpipe API call — never cache JWTs across requests. Verify the public key in Snowflake matches the private key used to sign: DESCRIBE USER my_user. Check the iss claim format: it must be ACCOUNT_IDENTIFIER.USERNAME (uppercase, no domain suffix). Ensure the client machine's system clock is synchronized (NTP) — JWT validation is time-sensitive. If keys have been rotated, re-register the new public key: ALTER USER my_user SET RSA_PUBLIC_KEY = '...'. Test JWT validity using Snowflake's key pair authentication test before wiring it into production

High severityauthentication

Power BI Refresh Error:
390144

What does this error mean?

The JWT (JSON Web Token) used to authenticate with Snowpipe's REST API is invalid, expired, or signed with a key that does not match the public key registered with Snowflake.

Common causes

1The JWT has expired — Snowpipe JWTs are valid for a maximum of 60 minutes
2The RSA key pair used to sign the JWT does not match the public key stored in Snowflake (ALTER USER ... SET RSA_PUBLIC_KEY)
3The JWT issuer (iss) or subject (sub) claim does not match the expected format: account.username
4The private key file has been rotated or regenerated without updating the corresponding public key in Snowflake
5Clock skew between the client machine and Snowflake servers exceeds the allowed tolerance

How to fix it

1Generate a fresh JWT immediately before each Snowpipe API call — never cache JWTs across requests
2Verify the public key in Snowflake matches the private key used to sign: DESCRIBE USER my_user
3Check the iss claim format: it must be ACCOUNT_IDENTIFIER.USERNAME (uppercase, no domain suffix)
4Ensure the client machine's system clock is synchronized (NTP) — JWT validation is time-sensitive
5If keys have been rotated, re-register the new public key: ALTER USER my_user SET RSA_PUBLIC_KEY = '...'
6Test JWT validity using Snowflake's key pair authentication test before wiring it into production

Frequently asked questions

Can I use a long-lived JWT for Snowpipe?

No — Snowflake enforces a maximum JWT lifetime of 60 minutes. Design your Snowpipe client to generate a fresh JWT for each API call or session.

How do I rotate RSA keys without downtime?

Snowflake supports RSA_PUBLIC_KEY and RSA_PUBLIC_KEY_2 on a user object, allowing you to register a second key before revoking the first. Switch clients to the new key, then remove RSA_PUBLIC_KEY once migration is complete.