What causes SCIM_TOKEN_EXPIRED?

Snowflake SCIM tokens expire after 6 months by default and were not rotated before expiry. The token was revoked during a security audit or admin cleanup. The identity provider's provisioning credentials were updated without regenerating the Snowflake SCIM token. The token was generated in the wrong Snowflake account (staging vs production)

How do I fix SCIM_TOKEN_EXPIRED?

Step 1: In Snowflake, run: SELECT SYSTEM$GENERATE_SCIM_ACCESS_TOKEN('OKTA_PROVISIONER'); (replace with your integration name) to generate a new token.. Step 2: Copy the new token into your identity provider's Snowflake provisioning configuration (Okta Admin > Provisioning > To App > API credentials).. Step 3: Test provisioning in the identity provider's UI to confirm the new token works.. Step 4: Set a calendar reminder to rotate the token before the 6-month mark to avoid future disruptions.. Step 5: Consider using OAuth-based SCIM integration where supported to eliminate manual token rotation.

High severityauthentication

Power BI Refresh Error:
SCIM_TOKEN_EXPIRED

What does this error mean?

The SCIM API token used by your identity provider (Okta, Azure AD, or a custom SCIM client) to provision Snowflake users and groups has expired, causing user sync to fail.

Common causes

1Snowflake SCIM tokens expire after 6 months by default and were not rotated before expiry
2The token was revoked during a security audit or admin cleanup
3The identity provider's provisioning credentials were updated without regenerating the Snowflake SCIM token
4The token was generated in the wrong Snowflake account (staging vs production)

How to fix it

1Step 1: In Snowflake, run: SELECT SYSTEM$GENERATE_SCIM_ACCESS_TOKEN('OKTA_PROVISIONER'); (replace with your integration name) to generate a new token.
2Step 2: Copy the new token into your identity provider's Snowflake provisioning configuration (Okta Admin > Provisioning > To App > API credentials).
3Step 3: Test provisioning in the identity provider's UI to confirm the new token works.
4Step 4: Set a calendar reminder to rotate the token before the 6-month mark to avoid future disruptions.
5Step 5: Consider using OAuth-based SCIM integration where supported to eliminate manual token rotation.

Frequently asked questions

How do I find when my current SCIM token was generated?

Query the Snowflake access history or use SHOW INTEGRATIONS to find the SCIM integration, then check the creation timestamp. SCIM tokens expire 6 months after generation.

Is there a way to set a longer SCIM token lifetime in Snowflake?

No — Snowflake enforces a fixed 6-month expiry for SCIM tokens. The only way to avoid manual rotation is to migrate to an OAuth-based provisioning integration if your identity provider supports it.