Skip to content

RAI Accounts, User Profiles, and OAuth Clients

Learn how to manage RAI accounts, users, and OAuth clients when using the RAI Integration Services for Snowflake.

RAI Accounts

Every RAI customer has a RAI account, which is managed by RAI administrators. RAI accounts are created by RAI personnel. You cannot create them directly. Members of a RAI account are users and OAuth clients.


A RAI account usually contains multiple users and OAuth clients.

Each user profile belongs to one or more RAI accounts. By contrast, an OAuth client can only belong to one RAI account.

Managing Users

To set up or work with the RAI Integration Services for Snowflake, you don’t explicitly need a user profile. However, you do need a user profile to log into the RAI Console (opens in a new tab). You can create OAuth clients from the RAI Console after logging in with your user profile.

Once you have created an OAuth client with sufficient permissions, you can use it with the RAI Integration Services. You no longer need the user profile.

See more details on managing user profiles in the RAI Console in Managing Users.

Managing OAuth clients

A RAI integration is managed via the RAI CLI, which requires an OAuth client to communicate with the RAI Server.

OAuth clients can be created in the Settings tab using the RAI Console (opens in a new tab). See more on managing OAuth clients in the Console in Managing OAuth Clients.

Once you have created an OAuth client with the necessary privileges, you can manage other OAuth clients (or users) via the RAI CLI or the RelationalAI SDKs.

Creating an Admin OAuth Client

To manage the RAI Integration Services, you need an OAuth client for your RAI admin role so that the RAI integration can manage all the necessary RAI resources.

The admin OAuth client must have all transaction, engine, database, and OAuth client permissions.

These are required to create and manage the RAI resources required for the RAI Integration Services.


The admin OAuth client may have more privileges, but this set of permissions is sufficient for the RAI Integration Services.

RAI Config File

To use an OAuth client with the RAI CLI, you need to store its credentials in a RAI profile in your RAI config file located at <HOME_DIR>/.rai/config:

region = us-east
host =
port = 443
client_id = <your_client_id>
client_secret = <your_client_secret>

Replace <your_client_id> and <your_client_secret> with the actual values of your OAuth client.

It’s best practice to delete and recreate OAuth clients, instead of modifying their permissions, to avoid getting errors due to token caching issues.

See Also

For more information on configuring and managing the RAI integration for Snowflake, see the RAI Integration guide.

Was this doc helpful?