Schema:: ACCOUNT_USAGE

CREDENTIALS view¶

This Account Usage view includes a row for each credential used as a first or second factor for authentication. This view includes rows for the following types of credentials:

Note

This view does not include information about Duo authenticators (Duo push and passcodes).

To determine if a user has configured Duo as a second factor for authentication, you can run the SHOW MFA METHODS command.

This view does not include credentials that have been deleted.

Columns¶

Column	Data type	Description
CREDENTIAL_ID	NUMBER	Internal/system-generated identifier for the credential.
NAME	VARCHAR	Name of the credential.
USER_NAME	VARCHAR	Name of the user associated with the credential.
TYPE	VARCHAR	Type of the credential. These types include: `PASSKEY`: Passkey. `PAT`: Programmatic access token. `TOTP`: Time-based one-time passcode.
DOMAIN	VARCHAR	Domain of the credential. The domains include: `MFA_METHOD`: The credential is used as a second factor of authentication. `PROGRAMMATIC_ACCESS_TOKEN`: Programmatic access token. A given domain can have one or more possible types (specified in the TYPE column).
COMMENT	VARCHAR	Comment about the credential.
STATUS	VARCHAR	Status of the credential. The status depends on the value in the TYPE column: For `TYPE = 'PAT'` (programmatic access tokens), the status can be one of the following: `ACTIVE`: The programmatic access token can be used to authenticate and has not expired yet. `EXPIRED`: The programmatic access token cannot be used to authenticate because the expiration date has passed. `DISABLED`: The programmatic access token is disabled because user login access is disabled or the user is locked out of logging in. For other types of credentials, the status can be one of the following: `PENDING`: The user started the enrollment process for an MFA method but has not completed the process. For example, the user started registering an authenticator but never finished the setup process for the authenticator. As a result, the MFA method is not considered to be valid yet. `ENROLLED`: The user has completed the enrollment process for the MFA method, and the MFA method can be used for second-factor authentication.
ADDITIONAL_DETAILS	OBJECT	Additional details about the credential. The additional details depend on the type of the credential (the value in the TYPE column): For `TYPE = 'PAT'` (programmatic access tokens), the column contains an OBJECT value with the following key-value pairs: For the `MINS_TO_BYPASS_NETWORK_POLICY_REQUIREMENT` key, the value is an integer representing the number of minutes during which the requirement of having a network policy is bypassed. You can specify this value when generating the token. For the `ROLE_RESTRICTION` key, the value is an array of the roles that are used for privilege evaluation and object creation during the session authenticated with this token. You can specify these roles when generating the token. For the `ROTATED_TO` key, the value is the name of the newer token that this token was replaced by during rotation. These key-value pairs are present only if the corresponding properties are set in the token. For example: { "MINS_TO_BYPASS_NETWORK_POLICY_REQUIREMENT": 60, "ROLE_RESTRICTION": [ "MY_ROLE" ], "ROTATED_TO": "MY_PAT_NAME" } Copy If none of these are specified for the token, the column contains an empty object (`{}`). For `TYPE = 'PASSKEY'` (passkey), the column contains an OBJECT value with the key-value pair `aaguid`. For example: { "aaguid": "a12345678-..." } Copy For `TYPE = 'TOTP'` (time-based one-time passcode), the column contains NULL.
CREATED_BY	VARCHAR	Name of the user who created the credential.
LAST_ALTERED_BY	VARCHAR	Name of the user who last modified the credential.
CREATED_ON	TIMESTAMP_LTZ	Date and time when the credential was created.
LAST_USED_ON	TIMESTAMP_LTZ	Date and time when the credential was last used for authentication.
LAST_ALTERED	TIMESTAMP_LTZ	Date and time when the credential was last modified.
EXPIRATION_DATE	TIMESTAMP_LTZ	Date and time when the credential expires.

Usage notes¶

Latency for the view might be up to two hours.
If a programmatic access token is generated soon after a user is created, the information about that user in this view might be incomplete. It might take some time for the user information to be included in the view.

Examples¶

The following example returns rows for programmatic access tokens:

SELECT * FROM SNOWFLAKE.ACCOUNT_USAGE.CREDENTIALS WHERE type = 'PAT';

Copy

+---------------+---------------+--------------+------+---------------------------+-------------------+--------+--------------------+--------------+-----------------+-------------------------+-------------------------+-------------------------+
| CREDENTIAL_ID | NAME          | USER_NAME    | TYPE | DOMAIN                    | COMMENT           | STATUS | ADDITIONAL_DETAILS | CREATED_BY   | LAST_ALTERED_BY | CREATED_ON              | LAST_USED_ON            | LAST_ALTERED            |
|---------------+---------------+--------------+------+---------------------------+-------------------+--------+--------------------+--------------+-----------------+-------------------------+-------------------------+-------------------------|
|      19464837 | EXAMPLE_TOKEN | EXAMPLE_USER | PAT  | PROGRAMMATIC_ACCESS_TOKEN | My token for APIs | ACTIVE | {}                 | EXAMPLE_USER | EXAMPLE_USER    | 2025-04-14 22:05:19.661 | 2025-04-14 22:05:19.661 | 2025-04-14 22:05:19.661 |
+---------------+---------------+--------------+------+---------------------------+-------------------+--------+--------------------+--------------+-----------------+-------------------------+-------------------------+-------------------------+