The private key is in the wrong PEM format — missing headers or using an unsupported encryption cipher. Clock skew between the client machine and Snowflake exceeds the JWT validity window. The public key assigned to the Snowflake user does not match the private key being used. The private key was rotated but the new public key was not updated in Snowflake with ALTER USER

Step 1: Verify the private key begins with -----BEGIN PRIVATE KEY----- (PKCS8 unencrypted format, which is preferred by Snowflake).. Step 2: Check system clock synchronization on the client machine — any drift over 60 seconds can invalidate the JWT.. Step 3: Regenerate a new key pair and assign the public key: ALTER USER SET RSA_PUBLIC_KEY=' ';. Step 4: Test with the Snowflake Python connector using the new key and confirm the fingerprint matches: SELECT SYSTEM$GET_LOGIN_FAILURE_DETAILS();. Step 5: If using an encrypted private key, convert to unencrypted PKCS8: openssl pkcs8 -topk8 -nocrypt -in rsa_key.p8 -out rsa_key_unencrypted.p8

High severityauthentication

Power BI Refresh Error:
390144

What does this error mean?

Snowflake rejected a key pair authentication attempt because the JWT token generated from the private key is invalid, typically due to key format issues, clock skew, or a public key mismatch.

Common causes

1The private key is in the wrong PEM format — missing headers or using an unsupported encryption cipher
2Clock skew between the client machine and Snowflake exceeds the JWT validity window
3The public key assigned to the Snowflake user does not match the private key being used
4The private key was rotated but the new public key was not updated in Snowflake with ALTER USER

How to fix it

1Step 1: Verify the private key begins with -----BEGIN PRIVATE KEY----- (PKCS8 unencrypted format, which is preferred by Snowflake).
2Step 2: Check system clock synchronization on the client machine — any drift over 60 seconds can invalidate the JWT.
3Step 3: Regenerate a new key pair and assign the public key: ALTER USER <username> SET RSA_PUBLIC_KEY='<new_public_key>';
4Step 4: Test with the Snowflake Python connector using the new key and confirm the fingerprint matches: SELECT SYSTEM$GET_LOGIN_FAILURE_DETAILS();
5Step 5: If using an encrypted private key, convert to unencrypted PKCS8: openssl pkcs8 -topk8 -nocrypt -in rsa_key.p8 -out rsa_key_unencrypted.p8

Frequently asked questions

Can I have multiple public keys assigned to a Snowflake user?

Yes — Snowflake supports two concurrent public keys per user (RSA_PUBLIC_KEY and RSA_PUBLIC_KEY_2), enabling zero-downtime key rotation.

How do I confirm which public key fingerprint Snowflake has on file?

Run SELECT * FROM TABLE(INFORMATION_SCHEMA.LOGIN_HISTORY()) or use SYSTEM$GET_LOGIN_FAILURE_DETAILS() after a failed login to see the expected vs. actual key fingerprint.