Configure Snowflake authentication

Configure Snowflake authentication so PyRel can create a Snowpark session from the connection settings you provide. This guide helps you choose an authentication method, configure it in raiconfig.yaml or Python, and verify that the connection works.

You have access to a Snowflake account with the RelationalAI Native App installed. If you are unsure, contact your Snowflake administrator.
You have a working PyRel installation. See Set Up Your Environment for instructions.

What Snowflake authentication covers

This guide applies to the Load and validate configuration step in the PyRel execution workflow:

You configure Snowflake authentication inside a named connection. In raiconfig.yaml, that means an entry under connections. In Python, that means the value you pass to create_config(connections=...).

Select the tab for your config method to see the basic connection structure.

raiconfig.yaml
Programmatic

default_connection: sf

connections:
  sf:
    type: snowflake
    authenticator: username_password
    account: my_account
    warehouse: my_warehouse
    user: my_user
    password: "{{ env_var('SNOWFLAKE_PASSWORD') }}"

import os

from relationalai.config import create_config

cfg = create_config(
    default_connection="sf",
    connections={
        "sf": {
            "type": "snowflake",
            "authenticator": "username_password",
            "account": "my_account",
            "warehouse": "my_warehouse",
            "user": "my_user",
            "password": os.environ["SNOWFLAKE_PASSWORD"],
        },
    },
)

These options matter most:

Config option	What it does
`connections`	Defines one or more named connections that PyRel can use.
`sf`	The connection name. You choose this label and reference it from `default_connection` or other config that points to a connection.
`authenticator`	Selects the Snowflake sign-in method for this connection, such as `username_password`, `oauth`, `jwt`, or `externalbrowser`.

The remaining connection fields depend on the authenticator value you choose. For example, some authenticators need password, while others need token or key-pair settings. The rest of this guide walks through each authenticator option and the fields it requires.

Enable Direct Access

Typically, PyRel communicates with the RAI Native App in your Snowflake account by executing Snowflake SQL commands. When you enable Direct Access, PyRel can bypass the SQL layer for certain operations and call Snowflake APIs directly.

To use direct access, you must:

Set the direct_access config option to true.
Configure your Snowflake connection with a supported authentication method.

Select the tab for your config method to see how to enable Direct Access and configure the connection for it.

raiconfig.yaml
Programmatic

default_connection: sf
direct_access: true

# This example uses programmatic access tokens, but you can use any supported authenticator.
connections:
  sf:
    type: snowflake
    authenticator: programmatic_access_token
    account: my_account
    warehouse: my_warehouse
    user: my_user
    token: "{{ env_var('SNOWFLAKE_TOKEN') }}"

direct_access belongs at the top level of the config, not inside a connection.

import os

from relationalai.config import create_config

cfg = create_config(
    default_connection="sf",
    direct_access=True,
    connections={
        "sf": {
            "type": "snowflake",
            "authenticator": "programmatic_access_token",
            "account": "my_account",
            "warehouse": "my_warehouse",
            "user": "my_user",
            "token": os.environ["SNOWFLAKE_TOKEN"],
        },
    },
)

Set direct_access=True at the top level of the config, not inside a connection.
Use os.environ["..."] to fail fast if the token is missing.

Choose an authentication method

Choose the Snowflake authentication method for the connection PyRel will use. Pick the one that matches how you sign in and whether your workflow needs non-interactive authentication. If you enable direct access, choose one of the methods that supports it and complete any required Snowflake admin setup for that method.

Use this table to decide before you start filling in connection fields:

What to use	When to use it	Supports Direct Access?
Username/password	Use when you sign in to Snowflake with a username and password and your workflow can manage that password securely.	No
Username/password MFA	Use when your Snowflake account requires MFA together with your username and password.	No
OAuth token	Use when another step in your workflow already gives you an OAuth access token and you want PyRel to use that token as-is.	Yes
OAuth authorization code	Use when you want the Direct Access interactive browser sign-in flow instead of supplying an OAuth access token yourself. This method is Direct Access only. Requires Direct Access setup and OAuth security integration setup.	Direct Access only
Key-pair (JWT)	Use when you authenticate a Snowflake user with a registered private key, especially when your workflow needs non-interactive authentication. Requires admin setup.	Yes
External browser	Use when you want an interactive browser sign-in flow and are not running in CI or another non-interactive environment.	No
Programmatic access token	Use when Snowflake issues programmatic access tokens for the user you want to connect as, especially when your workflow needs non-interactive authentication. Requires admin setup.	Yes

You can configure a single default connection or multiple named Snowflake connections.

Configure username/password authentication

Username/password authentication signs in to Snowflake using your user and password.

Summary	Details
Use when	You want the simplest Snowflake sign-in setup and can store a password securely.
Required fields	`account`, `warehouse`, `user`, and `password`.
Optional fields	None.
Avoid when	Your account requires MFA or your workflow cannot store a password securely.
Supports Direct Access	No

Select the tab for your config method to see how to configure username/password authentication.

raiconfig.yaml
Programmatic

Set authenticator to username_password and provide the required fields:

connections:
  sf:
    type: snowflake
    authenticator: username_password
    account: my_account
    warehouse: my_warehouse
    user: my_user
    password: "{{ env_var('SNOWFLAKE_PASSWORD') }}"

Set SNOWFLAKE_PASSWORD in your environment before running Python.
If you have exactly one connection, default_connection can be omitted.

Use the UsernamePasswordAuth config class or a plain Python dict:

Create the config with a typed auth class:

import os

 from relationalai.config import UsernamePasswordAuth, create_config
 from relationalai.semantics import Model

cfg = create_config(
    default_connection="sf",
    connections={
        "sf": UsernamePasswordAuth(
            account="my_account",
            warehouse="my_warehouse",
            user="my_user",
            password=os.environ["SNOWFLAKE_PASSWORD"],
        ),
    },
)

# Use the config
m = Model("MyModel", config=cfg)

Alternatively, create the config with a dict:

import os

 from relationalai.config import create_config
 from relationalai.semantics import Model

cfg = create_config(
    default_connection="sf",
    connections={
        "sf": {
            "type": "snowflake",
            "authenticator": "username_password",
            "account": "my_account",
            "warehouse": "my_warehouse",
            "user": "my_user",
            "password": os.environ["SNOWFLAKE_PASSWORD"],
        },
    },
)

# Use the config
m = Model("MyModel", config=cfg)

Keep your SNOWFLAKE_PASSWORD out of source control.
Use os.environ["..."] to fail fast when the variable is missing.

Configure username/password authentication with MFA

Username/password MFA authentication supports Snowflake accounts that require multi-factor authentication (MFA). Snowflake handles the MFA flow. PyRel passes the configured MFA fields through to the Snowflake connection.

Summary	Details
Use when	You already use MFA with your Snowflake username-and-password sign-in, and you need PyRel to follow that same sign-in path.
Required fields	`account`, `warehouse`, `user`, and `password`.
Optional fields	`passcode`, only when your MFA method requires a code.
Avoid when	Your workflow needs non-interactive authentication or uses browser-based sign-in instead.
Supports Direct Access	No

Provide a passcode when:

Your MFA flow requires a code (for example, a time-based one-time passcode (TOTP) from an authenticator app).
You are not using a Duo Push prompt.

Omit passcode when:

Your MFA flow shows a Duo Push prompt. In this case, omit passcode and approve the prompt.

For more information on MFA, see Snowflake’s Multi-factor authentication (MFA) documentation.

Select the tab for your config method to see how to configure username/password authentication with MFA.

raiconfig.yaml
Programmatic

Set authenticator to username_password_mfa and provide the required fields:

connections:
  sf:
    type: snowflake
    authenticator: username_password_mfa
    account: my_account
    warehouse: my_warehouse
    user: my_user
    password: "{{ env_var('SNOWFLAKE_PASSWORD') }}"
    passcode: "{{ env_var('SNOWFLAKE_PASSCODE') }}"  # Optional, only set if your MFA method requires it

Omit passcode unless your MFA method requires a code.
Generate a new passcode immediately before you run Python.
Set SNOWFLAKE_PASSWORD (and SNOWFLAKE_PASSCODE when used) in your environment before running Python.
If session creation fails and you used a passcode, generate a new passcode and retry.

Use the UsernamePasswordMFAAuth config class or a plain Python dict:

Create the config with a typed auth class:

import os

 from relationalai.config import UsernamePasswordMFAAuth, create_config
 from relationalai.semantics import Model

cfg = create_config(
    default_connection="sf",
    connections={
        "sf": UsernamePasswordMFAAuth(
            account="my_account",
            warehouse="my_warehouse",
            user="my_user",
            password=os.environ["SNOWFLAKE_PASSWORD"],
            passcode=os.getenv("SNOWFLAKE_PASSCODE"),  # Optional, only set if your MFA method requires it
        ),
    },
)

# Use the config
m = Model("MyModel", config=cfg)

Alternatively, create the config with a dict:

import os

 from relationalai.config import create_config
 from relationalai.semantics import Model

cfg = create_config(
    default_connection="sf",
    connections={
        "sf": {
            "type": "snowflake",
            "authenticator": "username_password_mfa",
            "account": "my_account",
            "warehouse": "my_warehouse",
            "user": "my_user",
            "password": os.environ["SNOWFLAKE_PASSWORD"],
            "passcode": os.getenv("SNOWFLAKE_PASSCODE"),  # Optional, only set if your MFA method requires it
        },
    },
)

# Use the config
m = Model("MyModel", config=cfg)

If SNOWFLAKE_PASSCODE is unset, passcode is omitted.
Store secrets in environment variables or a secret manager.
If session creation fails and you used a passcode, generate a new passcode and retry.

Configure OAuth authentication

OAuth authentication signs in to Snowflake with an OAuth access token that you provide. PyRel does not acquire, refresh, or validate that token.

Summary	Details
Use when	You already receive an OAuth access token from another step in your workflow and want PyRel to use it without managing OAuth itself.
Required fields	`account`, `warehouse`, and `token`.
Optional fields	None.
Avoid when	You want PyRel to run an interactive browser sign-in flow. Use OAuth authorization code for the Direct Access browser flow instead.
Supports Direct Access	Yes

Select the tab for your config method to see how to configure OAuth authentication.

raiconfig.yaml
Programmatic

Set authenticator to oauth and provide the required fields:

connections:
  sf:
    type: snowflake
    authenticator: oauth
    account: my_account
    warehouse: my_warehouse
    token: "{{ env_var('SNOWFLAKE_OAUTH_TOKEN') }}"

Acquire and refresh the token outside PyRel.
The token value must be a valid OAuth access token.
Keep SNOWFLAKE_OAUTH_TOKEN out of your config file.
If session creation fails with an authentication error, refresh the token and retry.

Use the OAuthAuth config class or a plain Python dict:

Create the config with a typed auth class:

import os

 from relationalai.config import OAuthAuth, create_config
 from relationalai.semantics import Model

cfg = create_config(
    default_connection="sf",
    connections={
        "sf": OAuthAuth(
            account="my_account",
            warehouse="my_warehouse",
            token=os.environ["SNOWFLAKE_OAUTH_TOKEN"],
        ),
    },
)

# Use the config
m = Model("MyModel", config=cfg)

Alternatively, create the config with a dict:

import os

 from relationalai.config import create_config
 from relationalai.semantics import Model

cfg = create_config(
    default_connection="sf",
    connections={
        "sf": {
            "type": "snowflake",
            "authenticator": "oauth",
            "account": "my_account",
            "warehouse": "my_warehouse",
            "token": os.environ["SNOWFLAKE_OAUTH_TOKEN"],
        },
    },
)

# Use the config
m = Model("MyModel", config=cfg)

You must rotate the token outside PyRel.
After you rotate a token, follow the guidance in Clear the session cache to ensure the new token is used.
If session creation fails with an authentication error, refresh the token and retry.

Configure OAuth authorization-code authentication

Unlike OAuth token, this method does not use an access token that you provide. Instead, OAuth authorization-code authentication uses the Direct Access interactive browser sign-in flow. PyRel opens a browser, receives the callback, and exchanges the returned authorization code for tokens.

Summary	Details
Use when	You want an interactive OAuth sign-in flow for Direct Access instead of supplying a token yourself.
Required fields	`account` and `warehouse`.
Optional fields	None.
Avoid when	Your workflow is non-interactive or you already manage OAuth access tokens outside PyRel. In those cases, use OAuth token instead.
Supports Direct Access	Yes

Select the tab for your config method to see how to configure OAuth authorization-code authentication.

raiconfig.yaml
Programmatic

Set authenticator to oauth_authorization_code:

connections:
  sf:
    type: snowflake
    authenticator: oauth_authorization_code
    account: my_account
    warehouse: my_warehouse

This flow is only for Direct Access interactive sign-in.
Before you try this flow, complete the setup in Direct Access and Create an OAuth Security Integration for Direct Access.

Use the OAuthAuthorizationCodeAuth config class or a plain Python dict:

Create the config with a typed auth class:

from relationalai.config import OAuthAuthorizationCodeAuth, create_config
from relationalai.semantics import Model

cfg = create_config(
    default_connection="sf",
    direct_access=True,
    connections={
        "sf": OAuthAuthorizationCodeAuth(
            account="my_account",
            warehouse="my_warehouse",
        ),
    },
)

m = Model("MyModel", config=cfg)

Alternatively, create the config with a dict:

from relationalai.config import create_config
from relationalai.semantics import Model

cfg = create_config(
    default_connection="sf",
    direct_access=True,
    connections={
        "sf": {
            "type": "snowflake",
            "authenticator": "oauth_authorization_code",
            "account": "my_account",
            "warehouse": "my_warehouse",
        },
    },
)

m = Model("MyModel", config=cfg)

Keep direct_access=True at the top level because this flow is for Direct Access.
For API details, see OAuthAuthorizationCodeAuth and the Snowflake connections reference.

Configure key-pair authentication

Use this when you authenticate to Snowflake with a private key (JWT). Set authenticator to jwt and provide a private key file via private_key_path. Snowflake must have the matching public key registered on the user.

Summary	Details
Use when	Your workflow needs non-interactive authentication without storing a password, and your Snowflake user is already configured for key-pair sign-in. For the required Snowflake admin setup, see Configure Key-Pair (JWT) Authentication for Direct Access.
Required fields	`account`, `warehouse`, `user`, and `private_key_path`.
Optional fields	`private_key_passphrase` when the private key is encrypted.
Avoid when	You do not control private-key distribution or you want an interactive sign-in flow.
Supports Direct Access	Yes

Select the tab for your config method to see how to configure key-pair authentication.

raiconfig.yaml
Programmatic

Set authenticator to jwt and provide the required fields:

connections:
  sf:
    type: snowflake
    authenticator: jwt
    account: my_account
    warehouse: my_warehouse
    user: my_user
    private_key_path: /path/to/key.pem
    private_key_passphrase: "{{ env_var('SNOWFLAKE_PRIVATE_KEY_PASSPHRASE') }}"  # Optional, only set if your key is encrypted

If your key is not encrypted, omit private_key_passphrase.
The passphrase is used to decrypt the local private key.
The key file is read when the Snowpark session is created.
Keep the key file out of source control and restrict file permissions.

Use the JWTAuth config class or a plain Python dict:

Create the config with a typed auth class:

import os

 from relationalai.config import JWTAuth, create_config
 from relationalai.semantics import Model

cfg = create_config(
    default_connection="sf",
    connections={
        "sf": JWTAuth(
            account="my_account",
            warehouse="my_warehouse",
            user="my_user",
            private_key_path="/path/to/key.pem",
            private_key_passphrase=os.getenv("SNOWFLAKE_PRIVATE_KEY_PASSPHRASE"),
        ),
    },
)

# Use the config
m = Model("MyModel", config=cfg)

Alternatively, create the config with a dict:

import os

 from relationalai.config import create_config
 from relationalai.semantics import Model

cfg = create_config(
    default_connection="sf",
    connections={
        "sf": {
            "type": "snowflake",
            "authenticator": "jwt",
            "account": "my_account",
            "warehouse": "my_warehouse",
            "user": "my_user",
            "private_key_path": "/path/to/key.pem",
            "private_key_passphrase": os.getenv("SNOWFLAKE_PRIVATE_KEY_PASSPHRASE"),
        },
    },
)

# Use the config
m = Model("MyModel", config=cfg)

Ensure the process can read private_key_path at runtime.
If the key is encrypted, set SNOWFLAKE_PRIVATE_KEY_PASSPHRASE before creating a session.
If session creation fails with an authentication error, confirm that the user’s public key is configured in Snowflake.

Configure external browser authentication

Use this to authenticate via an interactive browser sign-in flow.

Summary	Details
Use when	You can complete a browser sign-in on the machine running PyRel and want to avoid storing a password or token in config.
Required fields	`account`, `warehouse`, and `user`.
Optional fields	None.
Avoid when	You run in CI, scheduled jobs, or another non-interactive environment.
Supports Direct Access	No

Select the tab for your config method to see how to configure external browser authentication.

raiconfig.yaml
Programmatic

Set authenticator to externalbrowser and provide the required fields:

connections:
  sf:
    type: snowflake
    authenticator: externalbrowser
    account: my_account
    warehouse: my_warehouse
    user: my_user

This authenticator requires an interactive browser session.
If you need to sign in again, follow the guidance in Clear the session cache to ensure a new session is used.

Use the ExternalBrowserAuth config class or a plain Python dict:

Create the config with a typed auth class:

 from relationalai.config import ExternalBrowserAuth, create_config
 from relationalai.semantics import Model

cfg = create_config(
    default_connection="sf",
    connections={
        "sf": ExternalBrowserAuth(
            account="my_account",
            warehouse="my_warehouse",
            user="my_user",
        ),
    },
)

# Use the config
m = Model("MyModel", config=cfg)

Alternatively, create the config with a dict:

 from relationalai.config import create_config
 from relationalai.semantics import Model

cfg = create_config(
    default_connection="sf",
    connections={
        "sf": {
            "type": "snowflake",
            "authenticator": "externalbrowser",
            "account": "my_account",
            "warehouse": "my_warehouse",
            "user": "my_user",
        },
    },
)

# Use the config
m = Model("MyModel", config=cfg)

Run this in an environment that can launch a browser.
If you need to sign in again, follow the guidance in Clear the session cache to ensure a new session is used.

Configure programmatic access token authentication

Programmatic access token (PAT) authentication signs in to Snowflake using a programmatic access token. PyRel does not issue, rotate, or validate these tokens.

Summary	Details
Use when	You already receive a Snowflake programmatic access token from another step in your workflow and need non-interactive authentication without storing a password or key file. For the required Snowflake admin setup, see Issue a Programmatic Access Token for Direct Access.
Required fields	`account`, `warehouse`, `user`, plus either `token` or `token_file_path`.
Optional fields	None.
Avoid when	You need PyRel to issue or rotate the token for you.
Supports Direct Access	Yes

Select the tab for your config method to see how to configure programmatic access token authentication.

raiconfig.yaml
Programmatic

Set authenticator to programmatic_access_token and provide the required fields:

connections:
  sf:
    type: snowflake
    authenticator: programmatic_access_token
    account: my_account
    warehouse: my_warehouse
    user: my_user
    token: "{{ env_var('SNOWFLAKE_PROGRAMMATIC_ACCESS_TOKEN') }}"

You can use token_file_path instead of token when you want PyRel to read the token from a file:

connections:
    sf:
        type: snowflake
        authenticator: programmatic_access_token
        account: my_account
        warehouse: my_warehouse
        user: my_user
        token_file_path: /path/to/token.txt

Token issuance and rotation are managed outside PyRel.
Keep your Snowflake PAT out of your config file.

Use the ProgrammaticAccessTokenAuth config class or a plain Python dict:

Create the config with a typed auth class:

import os

 from relationalai.config import ProgrammaticAccessTokenAuth, create_config
 from relationalai.semantics import Model

cfg = create_config(
    default_connection="sf",
    connections={
        "sf": ProgrammaticAccessTokenAuth(
            account="my_account",
            warehouse="my_warehouse",
            user="my_user",
            token=os.environ["SNOWFLAKE_PROGRAMMATIC_ACCESS_TOKEN"],
        ),
    },
)

# Use the config
m = Model("MyModel", config=cfg)

Alternatively, create the config with a dict:

import os

 from relationalai.config import create_config
 from relationalai.semantics import Model

cfg = create_config(
    default_connection="sf",
    connections={
        "sf": {
            "type": "snowflake",
            "authenticator": "programmatic_access_token",
            "account": "my_account",
            "warehouse": "my_warehouse",
            "user": "my_user",
            "token": os.environ["SNOWFLAKE_PROGRAMMATIC_ACCESS_TOKEN"],
        },
    },
)

# Use the config
m = Model("MyModel", config=cfg)

Use token_file_path instead of token when you want PyRel to read the token from a file instead of embedding the token value directly.

After you rotate a token, follow the guidance in Clear the session cache to ensure the new token is used.
Store the token in an environment variable or secret manager.

Define multiple connections

Define multiple connections when you need separate Snowflake configurations in the same project (for example, dev vs prod). If you define multiple connections, set default_connection so PyRel knows which one to use by default.

Select the tab for your config method to see how to define multiple connections.

raiconfig.yaml
Programmatic

Define the default connection and each named Snowflake connection:

default_connection: sf_dev
connections:
    sf_dev:
        type: snowflake
        authenticator: username_password
        account: my_dev_account
        warehouse: my_warehouse
        user: my_user
        password: "{{ env_var('SNOWFLAKE_PASSWORD') }}"
    sf_prod:
        type: snowflake
        authenticator: username_password
        account: my_prod_account
        warehouse: my_warehouse
        user: my_user
        password: "{{ env_var('SNOWFLAKE_PASSWORD') }}"

If your code always selects a connection by name, PyRel can still work without a default connection, but the examples in this guide use the default connection.
Keep secrets out of source control by using environment variables (for example SNOWFLAKE_PASSWORD).

Create a config with multiple named Snowflake connections:

import os

from relationalai.config import create_config
from relationalai.semantics import Model

cfg = create_config(
    connections={
        "sf_dev": {
            "type": "snowflake",
            "authenticator": "username_password",
            "account": "my_dev_account",
            "warehouse": "my_warehouse",
            "user": "my_user",
            "password": os.environ["SNOWFLAKE_PASSWORD"],
        },
        "sf_prod": {
            "type": "snowflake",
            "authenticator": "username_password",
            "account": "my_prod_account",
            "warehouse": "my_warehouse",
            "user": "my_user",
            "password": os.environ["SNOWFLAKE_PASSWORD"],
        },
    },
    default_connection="sf_dev",
)

# Use the config
m = Model("MyModel", config=cfg)

Use os.environ["..."] to fail fast when an environment variable is missing.
To switch defaults, change default_connection or create a different config per environment.

Validate your connection

Start with the rai connect CLI command for the quickest check. Use Python when you want to validate the connection your code will use or test a specific named connection.

A successful check confirms that PyRel can connect to Snowflake with the connection you meant to test. If PyRel creates a new Snowpark session, that validates your connection settings.

For more on using a Snowpark session, see Snowflake’s Session documentation.

Validate the default connection with the CLI

Use rai connect when you want to validate the default connection from your active config:

rai connect

rai connect checks only the default connection. To test a specific named connection, use the Python example in Validate a specific named connection.
If you use profiles, rai connect uses the active profile. Set active_profile in your raiconfig.yaml, or set RAI_PROFILE in your shell before you run the command.

Validate the default connection in Python

Use the .get_session() method on Model.config to create a session from your default connection:

from relationalai.semantics import Model

m = Model("MyModel")
session = m.config.get_session()

# Execute a simple query to verify the session works:
session.sql("SELECT 1").collect()

get_session() uses default_connection when it is set.
If you have exactly one connection, PyRel treats it as the default automatically.

Validate a specific named connection

Get a specific Snowflake connection by name, then call .get_session() on it:

from relationalai.config import SnowflakeConnection
from relationalai.semantics import Model

m = Model("MyModel")
conn = m.config.get_connection(SnowflakeConnection, name="sf_prod")
session = conn.get_session()

# Execute a simple query to verify the session works:
session.sql("SELECT 1").collect()

Clear the session cache

When you change Snowflake credentials, rotate a token, or need to trigger sign-in again, clear the cached Snowpark session so PyRel creates a new one with the updated authentication:

In notebooks and short-running scripts, you can clear the session cache by simply restarting the Python process.
In long-running scripts and applications, you can programmatically clear the session cache to force PyRel to create a new session with the updated authentication without restarting the whole process.

To programmatically refresh a connection after its Snowflake authentication changes:

Get the connection whose Snowflake authentication changed

Use the default connection, or replace this with .get_connection() if you updated a specific named connection:
```
from relationalai.semantics import Model

m = Model("MyModel")
conn = m.config.get_default_connection()
```
Clear the cached Snowpark session

Call .clear_session_cache() so PyRel stops reusing the session that was created before the auth change:
```
conn.clear_session_cache()
```
Optionally create the replacement session now

Call .get_session() if you want to sign in immediately and confirm the updated credentials work:
```
session = conn.get_session()
```

This only clears PyRel’s in-memory cache for the connection you call it on. In the rare case you have multiple connections with changed auth, clear the cache for each one.
You do not need to do the optional .get_session() step unless you want to verify the new credentials right away. If you skip that step, PyRel creates a replacement session internally the next time it needs one.