Claude Code Plugin
The Metatate Claude Code plugin brings Metatate's structured context and decision layer into developer workflows. Claude Code remains the workspace, while Metatate remains the source of truth for governed data context, intended-use validation, authorization decisions, explanations, and audit evidence.
The plugin is distributed from Metatate's GitHub-hosted Claude Code plugin repository:
metatateai/metatate-claude-plugins
It does not run a Metatate-hosted MCP gateway. Claude Code connects directly to the Snowflake-managed MCP server installed by the Metatate Snowflake Native App.
How it works
Claude Code
|-- Metatate plugin slash commands
|-- Snowflake OAuth login
v
Snowflake managed MCP endpoint
METATATE_APP.CORE.METATATE_MCP
|
v
Metatate canonical MCP tools
Snowflake Intelligence, Claude Code, and Cortex Code use the same Metatate decision layer through different interfaces:
| Client | Interface | Authentication |
|---|---|---|
| Snowflake Intelligence | core.agent_* wrappers | Active Snowflake session |
| Claude Code plugin | core.metatate_mcp managed MCP server | Snowflake OAuth with session:role:<role> |
| Cortex Code plugin | core.metatate_mcp managed MCP server | Role-restricted PAT plus X-Snowflake-Role |
Prerequisites
Before installing the plugin, confirm:
- Metatate is installed from the Snowflake Marketplace listing and running in the target Snowflake account.
- The managed MCP server exists, normally
METATATE_APP.CORE.METATATE_MCP. - At least one policy has been deployed so Metatate has governed assets to return.
- A Snowflake administrator has created a custom OAuth security integration for Claude Code.
- Claude Code is installed on the user's workstation.
Snowflake administrator setup
Create or select a least-privilege role for Claude users. Do not use ACCOUNTADMIN, SECURITYADMIN, ORGADMIN, or other broad administration roles for day-to-day Claude use.
The examples below use METATATE_CLAUDE_USER.
USE ROLE ACCOUNTADMIN;
CREATE SECURITY INTEGRATION METATATE_CLAUDE_CODE_OAUTH
TYPE = OAUTH
OAUTH_CLIENT = CUSTOM
ENABLED = TRUE
OAUTH_CLIENT_TYPE = 'CONFIDENTIAL'
OAUTH_REDIRECT_URI = 'http://localhost:8080/callback'
OAUTH_ALLOW_NON_TLS_REDIRECT_URI = TRUE
OAUTH_ISSUE_REFRESH_TOKENS = TRUE;
ALTER SECURITY INTEGRATION METATATE_CLAUDE_CODE_OAUTH
SET ALLOWED_ROLES_LIST = ('METATATE_CLAUDE_USER')
PRE_AUTHORIZED_ROLES_LIST = ('METATATE_CLAUDE_USER');
ALTER USER <snowflake_user>
ADD DELEGATED AUTHORIZATION OF ROLE METATATE_CLAUDE_USER
TO SECURITY INTEGRATION METATATE_CLAUDE_CODE_OAUTH;
SELECT SYSTEM$SHOW_OAUTH_CLIENT_SECRETS('METATATE_CLAUDE_CODE_OAUTH');
Share these values with each Claude Code user through your approved secret-sharing process:
- Snowflake account URL, for example
https://<account>.snowflakecomputing.com - OAuth client ID
- OAuth client secret
- Snowflake role, for example
METATATE_CLAUDE_USER - App database, schema, and MCP server name if they differ from
METATATE_APP.CORE.METATATE_MCP
Do not paste the OAuth client secret into shell commands, tickets, screenshots, docs, or committed files.
Install the plugin
In Claude Code, add the Metatate plugin repository with Claude Code's marketplace command:
/plugin marketplace add metatateai/metatate-claude-plugins
Install the plugin:
/plugin install metatate@metatate-claude-plugins
Restart Claude Code if prompted.
Register the managed MCP server
The plugin and the MCP connection are separate:
- The plugin adds Metatate commands and guidance.
- The MCP registration gives Claude Code access to the Snowflake-managed Metatate tools.
Register the MCP server with the values from your Snowflake administrator:
claude mcp add-json --scope user --client-secret metatate '{
"type": "http",
"url": "https://<account-url>/api/v2/databases/METATATE_APP/schemas/CORE/mcp-servers/METATATE_MCP",
"oauth": {
"clientId": "<snowflake-oauth-client-id>",
"callbackPort": 8080,
"scopes": "session:role:<snowflake-role>"
}
}'
Claude Code prompts for the OAuth client secret because the command uses --client-secret metatate.
The session:role:<snowflake-role> scope is required. It makes Snowflake issue the OAuth session for the intended Metatate role instead of falling back to the user's default role or secondary role ALL.
Authenticate
Open Claude Code and run:
/mcp
Select the metatate server and authenticate. A browser opens to Snowflake OAuth. After login, Snowflake redirects to Claude Code on:
http://localhost:8080/callback
Smoke test
Run:
/metatate:discover-context
Then ask:
Show governed assets I can inspect. If needed, ask me for a database, schema, domain, sensitivity level, or compliance tag.
Pick one fully qualified table returned by Metatate, then test a decision workflow:
/metatate:authorize-use
Use your environment-specific table, role, operation, and intended use:
Can role <snowflake-role> read <fully-qualified-governed-table> for <intended-use>?
Claude should call the Metatate MCP tools and return governed context, rationale, and any decision or validation IDs returned by Metatate.
Available commands
/metatate:discover-context/metatate:inspect-data/metatate:inspect-rules/metatate:authorize-use/metatate:validate-query/metatate:explain-decision/metatate:policy-review/metatate:release-gate
Updating
Update the plugin repository metadata:
/plugin marketplace update metatate-claude-plugins
Then update the plugin from Claude Code's plugin UI, or reinstall it if your Claude Code version does not expose update actions.
Removing
Remove the MCP server:
claude mcp remove metatate
Then uninstall the plugin:
/plugin uninstall metatate@metatate-claude-plugins
Troubleshooting
If Snowflake shows The role ALL requested has been explicitly blocked, remove the existing MCP registration and register again with session:role:<snowflake-role>. Ask your Snowflake administrator to confirm that the same role is configured in ALLOWED_ROLES_LIST and PRE_AUTHORIZED_ROLES_LIST.
If Claude Code installs the plugin but does not show Metatate commands, restart Claude Code and run:
/plugin marketplace update metatate-claude-plugins
If Claude Code authenticates but cannot find the Metatate MCP tools, ask your administrator to verify:
SHOW MCP SERVERS IN SCHEMA METATATE_APP.CORE;