Configure API authentication
Learn how to configure API authentication on your resources.
Retool supports many types of API authentication. You can use static authentication tokens or create auth that asks the end user to provide credentials each time they access the application.
If none of the following options work for your API, you can use custom API authentication.
API authentication
You can add authentication details for an API by navigating to the Authentication section of the Resource settings page.
This lists all the authentication types Retool supports natively, as well as Custom Auth for creating custom or multi-step flows.

OAuth 2.0
Retool also supports the OAuth 2.0 authentication scheme. In OAuth 2.0, authentication details are not shared between your end users unless you enable the Share OAuth2.0 credentials between users option.
When the share credentials option is disabled, each of your end users is required to authenticate via the OAuth authentication flow. The access/refresh token returned by the OAuth identity provider is encrypted and then associated with the user's current Retool session. This allows you to delegate authorization and authentication to the OAuth identity provider. If needed, you can set the token's lifespan in the Advanced > Access token lifespan field.
Here is a sample configuration of Retool connecting with Google's OAuth 2.0 API. Things to take note of:
- We added the header: Authorization: Bearer OAUTH2_TOKEN
- OAUTH2_TOKEN is a magic placeholder string that gets replaced with the access token at runtime. You can use this magic string in the header or in the URL parameters of the query.
- The OAuth callback URL is static and cannot be directly changed. Self-hosted organizations can dynamically set the callback URL, however, because the URL's domain corresponds to the value of the BASE_DOMAIN environment variable.
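The following is an added illustration, not Retool's own implementation, of how the two behaviours described above fit together: a per-session token store (or a single shared token when credential sharing is enabled) is consulted at request time, and the OAUTH2_TOKEN placeholder is replaced in both the header and the URL parameters. The session ids, token values and store shape are constructed for the example.

```javascript
// Placeholder string used in the resource configuration (from the page).
const PLACEHOLDER = "OAUTH2_TOKEN";

// Constructed sample store: one encrypted-at-rest token per Retool session.
// Shape and ids are hypothetical; Retool's real storage is not documented here.
const sessionTokens = new Map([
  ["session-alice", { accessToken: "ya29.alice-constructed", expiresAt: 9e12 }],
  ["session-bob",   { accessToken: "ya29.bob-constructed",   expiresAt: 0 }], // already expired
]);

// Pick the token for this request. With sharing enabled every user reuses the
// one stored token; otherwise each session must have completed its own OAuth flow.
function resolveToken(sessionId, shareCredentials, now = Date.now()) {
  const entry = shareCredentials
    ? sessionTokens.values().next().value
    : sessionTokens.get(sessionId);
  if (!entry) return { ok: false, reason: "no token: user must complete the OAuth flow" };
  if (entry.expiresAt <= now) return { ok: false, reason: "token expired: refresh or re-authenticate" };
  return { ok: true, token: entry.accessToken };
}

// Replace every occurrence of the placeholder in a configured value.
function substitutePlaceholder(value, token) {
  return value.split(PLACEHOLDER).join(token);
}

// Build the outgoing request from a query definition. The token is substituted
// only at this point, so the stored resource config never contains a live token.
function buildRequest(query, sessionId, shareCredentials) {
  const resolved = resolveToken(sessionId, shareCredentials);
  if (!resolved.ok) return { ok: false, reason: resolved.reason };
  const headers = Object.fromEntries(
    Object.entries(query.headers).map(([k, v]) => [k, substitutePlaceholder(v, resolved.token)])
  );
  // URL parameters are supported too, but they tend to end up in access logs;
  // the Authorization header is the safer place for the token.
  const url = new URL(query.url);
  for (const [k, v] of Object.entries(query.params)) {
    url.searchParams.set(k, substitutePlaceholder(v, resolved.token));
  }
  return { ok: true, url: url.toString(), headers };
}

// Constructed query resembling the Google example: placeholder in both places.
const sampleQuery = {
  url: "https://www.googleapis.com/oauth2/v3/userinfo",
  params: { access_token: PLACEHOLDER },
  headers: { Authorization: `Bearer ${PLACEHOLDER}` },
};
```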
