Adding Qlik MCP to Snowflake Intelligence

This article explains how to connect the Qlik MCP (Model Context Protocol) server to Snowflake Intelligence, enabling Snowflake Cortex Agents to query and interact with Qlik Cloud resources, such as apps, data assets, and analytics, directly from the Snowflake AI interface.

Content

• Prerequisites
• Setup Steps
• Create an OAuth2 Client in Qlik Cloud
• Register the Qlik MCP Server in Snowflake
• Connect to Qlik MCP in Snowflake Intelligence
• Test with a Cortex Agent
• Troubleshooting
• Related Content

Prerequisites

• Qlik Cloud: Tenant Administrator access to create OAuth clients in the Administration activity center
• Snowflake: ACCOUNTADMIN role (or a role with CREATE INTEGRATION and CREATE MCP SERVER privileges)
• Snowflake Intelligence access (Cortex Agents) enabled on your Snowflake account
• Your Qlik Cloud tenant hostname (example: your-tenant.us.qlikcloud.com)

Setup Steps

Create an OAuth2 Client in Qlik Cloud

The OAuth2 client provides Snowflake with the credentials it needs to authenticate against the Qlik MCP server on behalf of users. For details on creating OAuth clients, see Creating and managing OAuth clients.

Copy the Client ID and Client Secret immediately after creation. The secret cannot be retrieved later — if lost, you must generate a new one.

1. Log in to your Qlik Cloud tenant and navigate to the Administration activity center, or go directly to https://<your-tenant>/console.
2. Go to OAuth 
3. Click Create New
4. Fill in the following fields:
   
   
   • Name: A descriptive name
   • Client type: Web
   • Authentication method: Client secret
   • Redirect URL: https://identity.snowflake.com/oauth2/callback
   • Allowed origins (optional): https://identity.snowflake.com
   • Scopes: user_default, mcp:execute

     The mcp:execute scope is required to allow Snowflake to invoke tools on the Qlik MCP server. The user_default scope grants access to resources the authenticated user can already access in Qlik Cloud.

5. Click Create.
6. A dialog will display the Client ID and Client Secret. 
   
   Copy both values immediately and store them securely. The Client Secret will not be shown again.
   
   

Register the Qlik MCP Server in Snowflake

For details on the Qlik MCP server endpoint and supported tools, see Connecting to the Qlik MCP server.

Using the OAuth client credentials previously retrieved, run the following Snowflake SQL script to:

• Create an API Integration with OAuth2, pointing to your Qlik tenant
• Register an External MCP Server using that integration
• Grant usage to the appropriate role
  

  -- ============================================================
  -- Parameters — update these values before running
  -- ============================================================
  SET TENANT        = '<your-tenant>.us.qlikcloud.com'; -- Do not include https://
  SET CLIENT_ID     = '<your-oauth-client-id>';
  SET CLIENT_SECRET = '<your-oauth-client-secret>';
  SET ALLOWED_ROLE  = 'PUBLIC'; -- The Snowflake role that should have access.
                                -- ⚠️ PUBLIC grants access to all users in the account.
                                -- For production, replace with a more restrictive role.
  
  -- ============================================================
  -- Derived values — no changes needed below this point
  -- ============================================================
  SET MCP_URL = 'https://' || $TENANT || '/api/ai/mcp';
  
  -- Create the API Integration with OAuth2 configuration
  DROP API INTEGRATION IF EXISTS qlik_mcp_integration;
  
  EXECUTE IMMEDIATE
  $$
  DECLARE
      v_tenant        VARCHAR;
      v_client_id     VARCHAR;
      v_client_secret VARCHAR;
      v_mcp_url       VARCHAR;
      sql_stmt        VARCHAR;
  BEGIN
      SELECT GETVARIABLE('TENANT')        INTO v_tenant;
      SELECT GETVARIABLE('CLIENT_ID')     INTO v_client_id;
      SELECT GETVARIABLE('CLIENT_SECRET') INTO v_client_secret;
      v_mcp_url := 'https://' || v_tenant || '/api/ai/mcp';
  
      sql_stmt :=
          'CREATE API INTEGRATION qlik_mcp_integration'
          || ' API_PROVIDER = external_mcp'
          || ' API_ALLOWED_PREFIXES = (''' || v_mcp_url || ''')'
          || ' API_USER_AUTHENTICATION = ('
          || '   TYPE = OAUTH2'
          || '   OAUTH_CLIENT_ID = ''' || v_client_id || ''''
          || '   OAUTH_CLIENT_SECRET = ''' || v_client_secret || ''''
          || '   OAUTH_TOKEN_ENDPOINT = ''https://' || v_tenant || '/oauth/token'''
          || '   OAUTH_CLIENT_AUTH_METHOD = CLIENT_SECRET_POST'
          || '   OAUTH_AUTHORIZATION_ENDPOINT = ''https://' || v_tenant || '/oauth/authorize'''
          || '   OAUTH_REFRESH_TOKEN_VALIDITY = 86400'
          || '   OAUTH_ALLOWED_SCOPES = (''user_default'', ''mcp:execute'')'
          || ' )'
          || ' ENABLED = TRUE';
  
      EXECUTE IMMEDIATE sql_stmt;
  END;
  $$;
  
  SHOW API INTEGRATIONS LIKE '%qlik%';
  
  SET DISPLAY = 'Qlik MCP server ' || $TENANT;
  DROP EXTERNAL MCP SERVER IF EXISTS qlik_mcp_server;
  
  CREATE EXTERNAL MCP SERVER qlik_mcp_server
      WITH DISPLAY_NAME = $DISPLAY
      API_INTEGRATION  = qlik_mcp_integration;
  
  ALTER EXTERNAL MCP SERVER qlik_mcp_server
      SET URL = $MCP_URL;
  
  -- Grant access to the specified role
  GRANT USAGE ON INTEGRATION  qlik_mcp_integration TO ROLE IDENTIFIER($ALLOWED_ROLE);
  GRANT USAGE ON MCP SERVER   qlik_mcp_server       TO ROLE IDENTIFIER($ALLOWED_ROLE);
  
  -- ============================================================
  -- Verification queries
  -- ============================================================
  SHOW EXTERNAL MCP SERVERS;
  DESCRIBE EXTERNAL MCP SERVER qlik_mcp_server;
  SHOW API INTEGRATIONS LIKE '%qlik%';
  
  -- Initiate the user OAuth flow
  SELECT SYSTEM$START_USER_OAUTH_FLOW('qlik_mcp_integration');
  ​

  The SYSTEM$START_USER_OAUTH_FLOW call at the end generates a URL you can open in a browser to validate the OAuth handshake with Qlik Cloud before proceeding to Snowflake Intelligence.

Connect to Qlik MCP in Snowflake Intelligence

Once the MCP server is registered in Snowflake, you can authorize and use it directly from the Snowflake Intelligence UI.

1. Open Snowflake Intelligence. The URL follows the pattern https://ai.snowflake.com/<orgname>/<accountname>.
   
   For example, https://ai.snowflake.com/myorg/myaccount. If you are unsure of your URL, contact your Snowflake account administrator.
   
   
2. Click your profile icon (bottom left corner) to open your personal settings.
3. Navigate to the Connectors section. You will see Qlik MCP Server listed, pointing to your configured Qlik Cloud tenant.
4. Click the Connect button next to the Qlik MCP entry.
5. You will be redirected to Qlik Cloud to complete the OAuth2 authorization flow. Log in with your Qlik Cloud credentials if prompted, then approve the requested permissions (user_default, mcp:execute).
6. After authorization, you are returned to Snowflake Intelligence. The Qlik MCP connector will show a Connected status.
7. You can now ask Snowflake Intelligence questions that involve Qlik Cloud resources. The Cortex Agent will automatically invoke the appropriate Qlik MCP tools to retrieve data, apps, or analytics content.
   
   

Test with a Cortex Agent

To validate the full integration, create a test Cortex Agent that uses the Qlik MCP server.

Before running: Replace CORTEX_APP.PUBLIC with the database and schema where you want to create the agent in your Snowflake environment. The database must already exist.

-- Replace <YOUR_DATABASE> and <YOUR_SCHEMA> with your target database and schema
CREATE OR REPLACE AGENT <YOUR_DATABASE>.<YOUR_SCHEMA>.qlik_mcp_test_agent
  FROM SPECIFICATION $$
models:
  orchestration: auto
instructions:
  response: >
    You are a test agent that verifies connectivity to the Qlik MCP server.
    Use the available Qlik tools to answer the user's question.
  orchestration: "Use the Qlik MCP tools to answer questions about Qlik Cloud."
mcp_servers:
  - server_spec:
      name: "<YOUR_DATABASE>.<YOUR_SCHEMA>.QLIK_MCP_SERVER"
$$;

Once created, invoke the agent with a test prompt such as: What Qlik apps are available in my tenant?

A successful response confirms end-to-end connectivity between Snowflake Cortex and the Qlik MCP server.

Troubleshooting

OAuth redirect fails

Typically caused by a Redirect URL mismatch. Verify https://identity.snowflake.com/oauth2/callback is set in the Qlik OAuth client

mcp:execute scope error

The scope not enabled on OAuth client. Edit the OAuth client in Qlik Cloud Administration activity center and add the mcp:execute scope

Client Secret rejected

Secret was rotated or lost. Generate a new client secret and update $CLIENT_SECRET in the script

MCP Server not visible in Snowflake Intelligence

The correct role was not granted. Confirm GRANT USAGE ON MCP SERVER was executed for the user's active role.

Agent returns no results

The OAuth flow was not completed. Complete the steps in Connect to Qlik MCP in Snowflake Intelligence.

Related Content

• Connecting to the Qlik MCP server | Qlik Cloud Help
• Creating and managing OAuth clients | Qlik Cloud Help
• Snowflake External MCP Server documentation

Environment

• Qlik MCP
• Qlik Cloud

The information in this article is provided as-is and to be used at your own discretion. Depending on the tools used, customizations, and/or other factors, ongoing support on the solution described may not be provided by Qlik Support.