Environment variables reference
Environment variables for Self-hosted Retool deployments.
Environment variables control or override certain functions and characteristics of Self-hosted Retool instances. Some Retool features require you to set environment variables, such as SSO or Source Control.
Only configure environment variables when needed. You can configure many environment variables from your organization's Settings rather than directly editing your deployment's configuration file.
You must restart your instance after setting any variables for them to take effect.
All properties for this object with supported data types or values. You can write JavaScript almost anywhere in Retool to manipulate or read property values.
ADMIN_API_ACCESS_TOKEN
If non-empty, Retool creates an API access token with the provided string value. Requires ADMIN_USER_EMAIL to be set to a valid email address of an admin user.
| Type | string |
| Format | Authentication Key |
| Required | Optional |
| Default | null |
Examples
api-key
ADMIN_API_ACCESS_TOKEN_SCOPES
Comma-separated list of scopes to be assigned to the API access token created using ADMIN_API_ACCESS_TOKEN environment variable.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
source_control:read,source_control:write,groups:read,groups:write,spaces:read,spaces:write,folders:read,folders:write,permissions:all:read,permissions:all:write
ADMIN_USER_EMAIL
If non-empty, Retool creates an admin user with the provided email in the Admin Space.
| Type | string |
| Format | Email Address |
| Required | Optional |
| Default | null |
Examples
admin@example.com
AGENT_EVALS_S3_ACCESS_KEY_ID
The Amazon S3 access key ID for running agent evals.
| Type | string |
| Required | Optional |
| Default | null |
Examples
AKIAIOSFODNN7EXAMPLE
AGENT_EVALS_S3_BUCKET
The Amazon S3 bucket for running agent evals.
| Type | string |
| Required | Optional |
| Default | null |
Examples
retool-agent-evals
AGENT_EVALS_S3_REGION
The Amazon S3 region for running agent evals.
| Type | string |
| Required | Optional |
| Default | null |
Examples
us-west-2
AGENT_EVALS_S3_SECRET_ACCESS_KEY
The Amazon S3 secret access key for running agent evals.
| Type | string |
| Required | Optional |
| Default | null |
Examples
wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
ALLOW_SAME_ORIGIN_OPTION
Whether to use allow-same-origin for iframes and custom components. If this is not true, custom components are heavily restricted in their behavior. Refer to the configure same-origin and sandbox guide to learn more.
| Type | boolean |
| Format | True/False |
| Required | Optional |
| Default | false |
Examples
false
API_CALLS_PER_MINUTE
Retool API uses a point system for rate limiting where endpoint requests cost a certain number of points. The default is 300 points in a 60 second window. If you exceed this, Retool blocks any subsequent API calls for 60 seconds. You can increase the number of points with the API_CALLS_PER_MIN environment variable.
| Type | number |
| Format | Integer |
| Required | Optional |
| Default | 300 |
Examples
300
AZURE_REPOS_MAIN_BRANCH
The main branch for the Azure Repos repository.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
main
AZURE_REPOS_ORGANIZATION
The Azure DevOps organization name.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
my-organization
AZURE_REPOS_PERSONAL_ACCESS_TOKEN
The personal access token for the Azure DevOps organization user.
| Type | string |
| Format | Authentication Key |
| Required | Optional |
| Default | null |
Examples
mpoqd2zy7jklzfbhmuzev46vbbcpkeeqminb4wcvwigsrldasdfa
AZURE_REPOS_REPO
The Azure DevOps repository name.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
my-repo
AZURE_REPOS_USER
The username or service account for the for Azure DevOps organization.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
retool
BASE_DOMAIN
The full URL of your Retool deployment for user invitations and password resets. This also needs to be set if you dynamically set callback URLs on protected resources.
| Type | string |
| Format | URL |
| Required | Required |
| Default | null |
Examples
https://retool.example.com
BITBUCKET_APP_PASSWORD
The app password for the Bitbucket user.
| Type | string |
| Format | Password |
| Required | Optional |
| Default | null |
Examples
mpoqd2zy7jklzfbhmuzev46vbbcpkeeqminb4wcvwigsrldasdfa
BITBUCKET_MAIN_BRANCH
The main branch for the Bitbucket repository.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
main
BITBUCKET_REPO
The Bitbucket repository name.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
my-repo
Examples
retool
BITBUCKET_WORKSPACE
The Bitbucket workspace name.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
my-workspace
CLIENT_ID
A Google OAuth client app ID for OAuth-based authentication with Google (e.g., Google SSO with OIDC or using a Google Sheets resource).
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
123456789012-abcdefghijklmnopqrstuvwxyz.apps.googleusercontent.com
CLIENT_MAX_BODY_SIZE
On the https-portal container, specify the maximum request body size, in bytes, megabytes (M), or kilobytes (K). Any upload that exceeds this limit results in a 413 HTTP error. Set to 0 to allow bodies of any size.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
40M
8096K
1048576
CLIENT_SECRET
A Google OAuth client app secret for OAuth-based authentication with Google (e.g., Google SSO with OIDC or using a Google Sheets resource).
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
abcdefghijklmnopqrstuvwxyz
CODE_COMMIT_AWS_ACCESS_KEY_ID
The AWS access key ID for the IAM user.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
AKIAIOSFODNN7EXAMPLE
CODE_COMMIT_AWS_DEFAULT_REGION
The AWS region for the CodeCommit repository.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
us-west-2
CODE_COMMIT_AWS_SECRET_ACCESS_KEY
The AWS secret access key for the IAM user.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
CODE_COMMIT_HTTPS_PASSWORD
The password for HTTPS authentication with the CodeCommit repository.
| Type | string |
| Format | Password |
| Required | Optional |
| Default | null |
Examples
mpoqd2zy7jklzfbhmuzev46vbbcpkeeqminb4wcvwigsrldasdfa
CODE_COMMIT_HTTPS_USERNAME
The username for HTTPS authentication with the CodeCommit repository.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
retool
CODE_COMMIT_MAIN_BRANCH
The main branch for the CodeCommit repository.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
main
CODE_COMMIT_REPOSITORY_NAME
The CodeCommit repository name.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
my-repo
CODE_EXECUTOR_INGRESS_DOMAIN
The domain for the code-executor service that executes arbitrary user-defined JavaScript and Python code with installed custom libraries. The value depends on your deployment configuration, but must include a protocol (http:// or https://).
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
code-executor.example.com
CONTAINER_UNPRIVILEGED_MODE
Whether to run the code-executor service in an unprivileged mode and remove any sandboxing of user code.
| Type | boolean |
| Required | Optional |
| Default | false |
Examples
false
COOKIE_INSECURE
Whether to send authentication requests using insecure cookies. Enable this if your Retool deployment uses a non-HTTPS URL or IP address. This is typically used when a Retool deployment is not yet configured with a custom domain.
| Type | boolean |
| Required | Optional |
| Default | true |
Examples
true
CREATE_FIRST_ORG
If set to true, Retool automatically creates the first organization on the instance. This is useful for automated provisioning of Retool instances.
| Type | boolean |
| Required | Optional |
| Default | false |
Examples
true
CUSTOM_API_KEY
An API key to authenticate workflow webhook requests. Add to the request as an x-api-key header to trigger workflows.
| Type | string |
| Required | Optional |
| Default | null |
Examples
retool_wk_2ed0cfe975474f4091fbe603d975d7b7
CUSTOM_LOGOUT_REDIRECT
A URL that users are redirected to after logging out of Retool.
| Type | string |
| Format | URL |
| Required | Optional |
| Default | null |
Examples
https://example.com/logout/success
CUSTOM_OAUTH2_SSO_ACCESS_TOKEN_LIFESPAN_MINUTES
The lifespan, in minutes, of custom OpenID provider tokens.
| Type | number |
| Format | Integer |
| Required | Optional |
| Default | 120 |
Examples
60
CUSTOM_OAUTH2_SSO_AUDIENCE
An identifier for a resource to which users should have access upon completion of an OpenID authorization process.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
https://retool.auth0.com/api/v2
CUSTOM_OAUTH2_SSO_JWT_ROLES_KEY
Returns an array of strings where each string represents an OpenID group name. This setting is used with CUSTOM_OAUTH2_SSO_ROLE_MAPPING to map groups to Retool permission groups.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
idToken.groups
CUSTOM_OAUTH2_SSO_ROLE_MAPPING
The mapping of roles from your OpenID provider to Retool permission groups.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
devops -> admin, support -> viewer
CUSTOM_OAUTH2_SSO_ROLE_MAPPING_DISABLED
Disables the mapping of roles from your OpenID provider to Retool permission groups. Set this variable to true to disable passing roles from JWTs.
| Type | boolean |
| Required | Optional |
| Default | null |
Examples
true
CUSTOM_OAUTH2_SSO_USERINFO_URL
The endpoint for Retool to make an additional request for a fat token containing all available claims from your OpenID SSO provider.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
https://yourcompany.okta.com/oauth2/v1/userinfo
CUSTOM_RETOOL_SANDBOX_RESTRICTIONS
The JavaScript sandbox restrictions to allow. Specify space-separated values for multiple restrictions. Only configure custom sandbox restrictions if you are comfortable with the security implications.
| Type | string |
| Required | Optional |
| Default | null |
Examples
allow-downloads
DATABASE_MIGRATIONS_TIMEOUT_SECONDS
The timeout, in seconds, for database migrations. If the migration takes longer than this time, the migration fails. Consider setting a higher value if you're upgrading to another major version of Self-hosted Retool or the upgrade includes changes from multiple minor versions.
| Type | number |
| Format | Integer |
| Required | Optional |
| Default | 0 |
Examples
1000
DBCONNECTOR_NUM_WORKERS
The number of worker threads for the db-connector container. The default value is Math.min(Math.max(1, numCPUs), 3), where numCPUs is the number of logical CPU cores on the machine determined by Node.js.
| Type | number |
| Format | Integer |
| Required | Optional |
| Default | 0 |
Examples
4
DBCONNECTOR_POSTGRES_POOL_MAX_SIZE
The PostgreSQL connection pool maximum size.
| Type | number |
| Format | Integer |
| Required | Optional |
| Default | 10 |
Examples
20
DBCONNECTOR_QUERY_TIMEOUT_MS
The duration, in milliseconds, for queries to run before timing out. If your Retool deployment is behind a load balancer, increase the load balancer's timeout by a proportionate amount.
| Type | number |
| Required | Optional |
| Default | 120000 |
| Units | ms |
Examples
120000
DEBUG
Whether to enable verbose logging for debugging purposes.
| Type | boolean |
| Required | Optional |
| Default | false |
Examples
true
DEFAULT_GROUP_FOR_DOMAINS
The default Retool user group for a Google SSO domain. Default groups only apply to new users who sign up using SSO, not existing users signing in.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
example1.org -> admin, example2.com -> viewer
DISABLE_AUDIT_TRAILS_LOGGING
Whether to disable logging of audit trails.
| Type | boolean |
| Required | Optional |
| Default | false |
Examples
true
DISABLE_FORWARDABLE_COOKIE_DECODING
Whether to disable decoding of forwardable cookies.
| Type | boolean |
| Required | Optional |
| Default | false |
Examples
true
Examples
true
DISABLE_IMAGE_PROXY
Whether to disable the proxy used for publicly embedded apps.
| Type | boolean |
| Required | Optional |
| Default | false |
Examples
true
DISABLE_INTERCOM
Disable Retool's support widget in the frontend. Refer to the Retool Support page to learn how to contact Retool.
| Type | boolean |
| Required | Optional |
| Default | false |
Examples
true
DISABLE_IPTABLES_SECURITY_CONFIGURATION
Whether to disable the default security configuration for link-local address, which is done by running the following startup commands requiring elevated privileges. Set to true if privileged access (e.g NET_ADMIN) cannot be given to the container running Code executor service.
| Type | boolean |
| Required | Optional |
| Default | false |
Examples
false
DISABLE_MEMORY_AND_CPU_USAGE_LOGGING
Whether to disable logging of memory and CPU usage.
| Type | boolean |
| Required | Optional |
| Default | false |
Examples
true
DISABLE_PUBLIC_PAGES��
Whether to disable public access to Retool apps. If set to true, also set DISABLE_IMAGE_PROXY to true to fully disable public access.
| Type | boolean |
| Required | Optional |
| Default | false |
Examples
true
DISABLE_SOURCE_CONTROL_SYNCING
Whether to disable Source Control syncing changes with the repository. This only pauses the syncing process and protected items are unaffected.
| Type | boolean |
| Required | Optional |
| Default | false |
Examples
true
DISABLE_USER_PASS_LOGIN
Disable username and password authentication. If true, users can only log in using SSO.
| Type | boolean |
| Format | True/False |
| Required | Optional |
| Default | false |
Examples
true
DOMAINS
The domains to use for EntityID in SAML requests and obtaining SSL certificates when setting up HTTPS.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
retool.your-domain.com -> http://api:3000
ENABLE_CLIENT_SIDE_CUSTOM_AUTH_BROWSER_CALLS
Whether to allow custom authentication steps for resources that make REST API calls directly from the browser. If true, these requests include all browser credentials, even cross-origin calls.
| Type | boolean |
| Required | Optional |
| Default | false |
Examples
true
ENABLE_CUSTOM_PLATFORM_LEVEL_AUTH_STEPS
Whether to allow configuration of custom authentication steps for users to perform whenever they log into Retool.
| Type | boolean |
| Required | Optional |
| Default | false |
Examples
true
ENCRYPTION_KEY
The encryption key used to encrypt data stored in the PostgreSQL database (e.g., database credentials, SSH keys, etc). If you change this key, you will lose access to all resources that were created before the change.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
key
FORWARDABLE_SAME_DOMAIN_COOKIES_ALLOWLIST
Whether to send authentication requests using insecure cookies. When you have cookies scoped to your primary domain, you can use this variable to include those cookies in requests from the subdomain you host Retool on to your primary domain.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
cookieName
GITHUB_APP_ID
The GitHub App ID for the GitHub repository.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
12345
GITHUB_APP_INSTALLATION_ID
The GitHub App installation ID for the GitHub repository.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
12345
GITHUB_APP_PRIVATE_KEY
The GitHub App private key for the GitHub repository, formatted as a single-line. If you use Kubernetes Secrets, you must base64-encode this value twice.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDf7Zz7z7z7z7z7
GITLAB_MAIN_BRANCH
The main branch for the GitLab repository.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
main
GITLAB_ORGANIZATION_NAME
The GitLab organization name.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
my-organization
GITLAB_PROJECT_ACCESS_TOKEN
The project access token for the GitLab repository.
| Type | string |
| Format | Authentication Key |
| Required | Optional |
| Default | null |
Examples
mpoqd2zy7jklzfbhmuzev46vbbcpkeeqminb4wcvwigsrldasdfa
Examples
123
GITLAB_PROJECT_SLUG
The path of the GitLab project URL.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
company/eng/product-dev
GITLAB_REPOSITORY_NAME
The GitLab repository name.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
my-repo
GITLAB_URL
The GitLab URL for the GitLab repository.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
https://gitlab.com
HIDE_ALL_HEADERS_IN_AUDIT_LOG_EVENTS
Whether to prevent all query headers and cookies from being added to audit log entries.
| Type | boolean |
| Required | Optional |
| Default | false |
Examples
true
HIDE_PROD_AND_STAGING_TOGGLES
Whether to hide the Production and Staging toggles in the Retool interface.
| Type | boolean |
| Required | Optional |
| Default | false |
Examples
true
HOST_HEADER_NAME
Retool backend expects Host header to contain the host used in the original request. This is important for Spaces to work properly. If your self-hosted instance has a proxy or load-balancer in front of the Retool backend, you can specify a different header that contains the original host.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | HOST_HEADER_NAME |
Examples
x-forwarded-host
HTML_ESCAPE_RETOOL_EXPRESSIONS
Whether to escape HTML in `` expressions. If set to true, all HTML in expressions is escaped.
| Type | boolean |
| Required | Optional |
| Default | false |
Examples
true
HTTP_PROXY
The HTTP proxy to use for all HTTP requests.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
http://proxy.example.com:8080
INVITES_PER_DAY
The number of invites that can be sent to users.
| Type | number |
| Required | Optional |
| Default | 50 |
Examples
100
Examples
true
JWT_SECRET
The JWT secret token to sign requests for authentication with Retool's backend API server. If changed, all active user login sessions are invalidated.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
676765765327645bvbfgbsfhfbgr
KEEPALIVE_TIMEOUT
The keep alive timeout for queries, in seconds. Queries that exceed this limit results in a 514 HTTP error.
| Type | number |
| Required | Optional |
| Default | 0 |
Examples
1000
LDAP_BASE_DOMAIN_COMPONENTS
The organization's email domain in DC syntax when syncing Google Groups to Retool.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
dc=example,dc=com
LDAP_ROLE_MAPPING
The mapping of Google LDAP Groups or SAML groups to Retool permission groups used for Google Group syncing and SAML role mapping.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
retool-admins -> admin, support -> Support
LDAP_ROLE_MAPPING_DISABLED
Disable syncing SAML groups or Google Groups to Retool permission groups. When LDAP_ROLE_MAPPING is set and LDAP_ROLE_MAPPING_DISABLED is true, Retool logs the groups that would have synced to Retool when a user logs in.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | false |
Examples
true
LDAP_SERVER_CERTIFICATE
The certificate from the downloaded bundle when syncing Google Groups to Retool.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
filename
LDAP_SERVER_KEY
The private key from the downloaded bundle when syncing Google Groups to Retool.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
filename
LDAP_SERVER_NAME
The LDAP server name when syncing Google Groups to Retool.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
ldap.google.com
LDAP_SERVER_URL
The LDAP server URL for Google's Secure LDAP Service when syncing Google Groups to Retool.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
ldaps://ldap.google.com:636
LDAP_SYNC_ALL_GROUPS
Whether to sync all groups regardless of whether they're configured in the LDAP_ROLE_MAPPING environment variable. When enabled, new groups are created during SAML sync.
| Type | boolean |
| Required | Optional |
| Default | false |
Examples
true
LDAP_SYNC_GROUP_CLAIMS
Enable syncing Google Groups to Retool.
| Type | boolean |
| Required | Optional |
| Default | false |
Examples
true
LICENSE_KEY
The license key for your Retool deployment.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
key_1234567890
MOBILE_PUSH_NOTIFIER_API_TOKEN
The API token for the mobile push notifier service.
| Type | string |
| Format | Authentication Key |
| Required | Optional |
| Default | null |
Examples
api-key
MOBILE_PUSH_NOTIFIER_HOST
The host for the mobile push notifier service.
| Type | string | ||||
| Format | URL | ||||
| Required | Optional | ||||
| Allowed Values |
| ||||
| Default | null |
Examples
https://spb8yl7d3j.execute-api.us-west-2.amazonaws.com
NO_PROXY
A comma-separated list of hosts that should not be proxied.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
localhost,*.service.company
NODE_ENV
The Node.js environment. Should always be set to production.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
production
NODE_OPTIONS
Used to specify the maximum heap size for the JavaScript v8 engine.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | --max-old-space-size=1024 |
Examples
--max-old-space-size=1024
NODE_TLS_REJECT_UNAUTHORIZED
Whether to reject unauthorized TLS certificates. This setting is insecure and not recommended for production instances
| Type | boolean |
| Format | True/False |
| Required | Optional |
| Default | false |
Examples
false
NUM_WORKERS
The number of worker threads for the api container. The default value is Math.min(Math.max(1, numCPUs), 3), where numCPUs is the number of logical CPU cores on the machine determined by Node.js.
| Type | number |
| Format | Integer |
| Required | Optional |
| Default | 0 |
Examples
4
POSTGRES_CUSTOM_SSL_CA_FILE_NAME
The custom SSL CA file name for the PostgreSQL connection. This is required when configuring Google Cloud SQL as the database to use instead of Retool's PostgreSQL database.
| Type | string |
| Format | Plain Text |
| Required | Required |
| Default | null |
Examples
ca.pem
POSTGRES_CUSTOM_SSL_CERT_PATH
The custom SSL certificate path for the PostgreSQL connection. This is required when configuring Google Cloud SQL as the database to use instead of Retool's PostgreSQL database.
| Type | string |
| Format | File Path |
| Required | Optional |
| Default | null |
Examples
/path/to/cert
POSTGRES_CUSTOM_SSL_KEY_FILE_NAME
The custom SSL key file name for the PostgreSQL connection. This is required when configuring Google Cloud SQL as the database to use instead of Retool's PostgreSQL database.
| Type | string |
| Format | File Name |
| Required | Optional |
| Default | null |
Examples
client-key.pem
POSTGRES_SSL_ENABLED
Whether to enable SSL for the PostgreSQL connection.
| Type | boolean |
| Required | Optional |
| Default | false |
Examples
true
POSTGRES_SSL_REJECT_UNAUTHORIZED
Whether to reject unauthorized SSL certificates for the PostgreSQL connection if POSTGRES_SSL_ENABLED is true.
| Type | boolean |
| Required | Optional |
| Default | true |
Examples
true
PRESERVE_PASSWORDS_FIRST_GOOGLE_LOGIN
Prevent Retool from resetting your password when logging in with Google for the first time.
| Type | boolean |
| Required | Optional |
| Default | null |
Examples
true
PROXY_CONNECT_TIMEOUT
The proxy connect timeout for queries, in seconds. Queries that exceed this limit results in a 514 HTTP error.
| Type | number |
| Required | Optional |
| Default | 0 |
Examples
1000
PROXY_READ_TIMEOUT
The proxy read timeout for queries, in seconds. Queries that exceed this limit results in a 514 HTTP error.
| Type | number |
| Required | Optional |
| Default | 0 |
Examples
1000
PROXY_SEND_TIMEOUT
The proxy send timeout for queries, in seconds. Queries that exceed this limit results in a 514 HTTP error.
| Type | number |
| Required | Optional |
| Default | 0 |
Examples
1000
REDIS_DB
The database number for read and write operations, between 0 and 15.
| Type | number |
| Required | Optional |
| Default | 0 |
Examples
0
REDIS_HOST
The hostname of the Redis reader endpoint that connects the Redis instance as a caching layer.
| Type | string |
| Format | Hostname |
| Required | Optional |
| Default | null |
Examples
redis-retool
REDIS_PASSWORD
The password for the Redis instance.
| Type | string |
| Format | Password |
| Required | Optional |
| Default | null |
Examples
password
REDIS_PORT
The port number of the Redis reader endpoint that connects the Redis instance as a caching layer.
| Type | number |
| Required | Optional |
| Default | 6379 |
Examples
6379
Examples
true
RESTRICTED_DOMAIN
Restrict users from logging in unless they use SSO for the specified domain. Specify comma-separated values for multiple domains.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
example.com,example.org
RETOOL_CLIENT_MAX_BODY_SIZE
The maximum body size, in megabytes, for Retool client requests. Any uploads that exceed this limit, or if this limit is set to 0, result in a 413 HTTP error.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | 100mb |
Examples
20mb
RETOOL_ENVIRONMENT
The environment for SCIM provisioning and Source Control alerts.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | production |
Examples
production
RETOOL_EXPOSED_{NAME}
Use the RETOOL_EXPOSED_ prefix to store secrets that you can use when configuring resources. Only underscores and alphanumeric characters are supported.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
RETOOL_EXPOSED_DB_USERNAME=db_user
SAML_FIRST_NAME_ATTRIBUTE
The first name attribute in the SAML response.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | firstName |
Examples
nameFirst
SAML_GROUPS_ATTRIBUTE
The groups attribute in the SAML response.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | groups |
Examples
userGroups
SAML_IDP_METADATA
An XML document that contains information necessary for configuring SAML-enabled identity or service providers.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
<md:EntityDescriptor xmlns:md="urn:desert:names:tc:SAML:2.0:metadata" entityID="http://www.okta.com/your_entity_id"><md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:desert:names:tc:SAML:2.0:protocol"><md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>your_certificate</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:NameIDFormat>urn:desert:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:SingleSignOnService Binding="urn:desert:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example-98123.okta.com/app/company/jfdu90324f/sso/saml"/><md:SingleSignOnService Binding="urn:desert:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://example-98123.okta.com/app/company/your_entity_id/sso/saml"/></md:IDPSSODescriptor></md:EntityDescriptor>"
SAML_LAST_NAME_ATTRIBUTE
The last name attribute in the SAML response.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | lastName |
Examples
nameLast
SAML_SYNC_GROUP_CLAIMS
Sync Retool group memberships using the retool- prefix with the groups listed in SAML_GROUPS_ATTRIBUTE. The prefix is not shown in the Retool interface.
| Type | boolean |
| Required | Optional |
| Default | null |
Examples
true
Examples
https://not-your-primary-domain.com
SANDBOX_MAX_FILE_DESCRIPTORS
The maximum number of file descriptors within a single sandbox.
| Type | number |
| Required | Optional |
| Default | 256 |
Examples
256
SANDBOX_MOUNT_DIR
Used to configure where files will be mounted into the sandbox.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | /tmp |
Examples
/tmp
SCIM_AUTH_TOKEN
A secret token shared with your SSO provider to provision user accounts. If you use Spaces, this token only applies to the admin Space.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
api-key
SCIM_LOG_FULL_REQUESTS
Log SCIM requests to the Retool API container logs.
| Type | boolean |
| Required | Optional |
| Default | null |
Examples
true
SENDING_INVITES_WITH_EMAIL_DISABLED
Allow user invites without pinging Retool's user invitation server. You must enable this if you have an airgapped deployment.
| Type | boolean |
| Required | Optional |
| Default | null |
Examples
true
SERVICE_TYPE
Comma-separated list of Retool services to run within a container. If unset, all services run in the same container.
| Type | string |
| Required | Optional |
| Default | null |
Examples
MAIN_BACKEND,JOBS_RUNNER
SESSION_DURATION_MINUTES
Set a custom session duration, in minutes. The default value is either 720 (12 hours) or 10080 (1 week), depending on whether USE_SHORT_SESSIONS is set to true.
| Type | number |
| Format | Integer |
| Required | Optional |
| Default | 0 |
Examples
60
TEMPORAL_TASKQUEUE_WORKFLOW
The task queue for the Temporal cluster. Used by clients connecting to Temporal for all Retool Workflow-related requests (enqueue, query, etc.). This value should match WORKER_TEMPORAL_TASKQUEUE.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | workflows |
Examples
workflows
TRIGGER_OAUTH_2_SSO_LOGIN_AUTOMATICALLY
Automatically start the Oauth 2 SSO login flow when users navigate to your Retool instance. Use either TRIGGER_OAUTH_2_SSO_LOGIN_AUTOMATICALLY or TRIGGER_SAML_LOGIN_AUTOMATICALLY, you cannot enable both.
| Type | boolean |
| Required | Optional |
| Default | null |
Examples
true
TRIGGER_SAML_LOGIN_AUTOMATICALLY
Automatically start the SAML SSO login flow when users navigate to your Retool instance. Use either TRIGGER_SAML_LOGIN_AUTOMATICALLY or TRIGGER_OAUTH_2_SSO_LOGIN_AUTOMATICALLY, you cannot enable both.
| Type | boolean |
| Required | Optional |
| Default | null |
Examples
true
USAGE_API_TOKEN
The access token to enable Usage Analytics. Please reach out to your Retool account manager to obtain this token.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
accessToken
USE_GCM_ENCRYPTION
Whether to use AES-192-GCM authenticated encryption method instead of AES-192-CBC. If set to true, you must also set ENCRYPTION_KEY.
| Type | boolean |
| Required | Optional |
| Default | false |
Examples
true
USE_SHORT_SESSIONS
Restrict session length to 12 hours. If unset, session length is one week.
| Type | boolean |
| Required | Optional |
| Default | null |
Examples
true
VERSION_CONTROL_LOCKED
Whether to enable version control and create a read-only Retool instance. If enabled, users cannot create, edit, or protect all elements (apps, workflows, resources, etc). Users with edit or own permissions are still permitted to create new releases. Admins can still delete unprotected elements.
| Type | boolean |
| Required | Optional |
| Default | false |
Examples
true
WORKER_TEMPORAL_TASKQUEUE
The task queue for the Temporal worker. Used by workers connecting to Temporal for all Retool Workflow-related requests (enqueue, query, etc.). This value should match TEMPORAL_TASKQUEUE_WORKFLOW.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | workflows |
Examples
workflows
WORKFLOW_BACKEND_HOST
The hostname for all Retool Workflow-related backend requests, such as querying resources, updating workflow status, and storing block results and logs. The value depends on your deployment configuration, but must include a protocol (http:// or https://).
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
http://workflow-backend
WORKFLOW_CPU_LIMIT
The maximum number of CPUs a workflow can use when running. Requires WORKFLOW_MONITOR_PROCESS_ENABLED to be true.
| Type | number |
| Required | Optional |
| Default | 1 |
Examples
1
WORKFLOW_MEMORY_LIMIT_MBS
The maximum amount of memory, in megabytes, a workflow can use when running. Requires WORKFLOW_MONITOR_PROCESS_ENABLED to be true.
| Type | number |
| Format | Integer |
| Required | Optional |
| Default | 2147 |
| Units | MiB |
Examples
2147
WORKFLOW_MONITOR_PROCESS_ENABLED
Whether to limit the memory and CPUs available to a workflow while running. If enabled, WORKFLOW_MEMORY_LIMIT_MIBS and WORKFLOW_CPU_LIMIT can be set.
| Type | boolean |
| Required | Optional |
| Default | false |
Examples
true
WORKFLOW_TEMPORAL_ACTIVITY_TASK_POLLERS
The number of Temporal activity task pollers that concurrently run.
| Type | number |
| Required | Optional |
| Default | 2 |
Examples
2
WORKFLOW_TEMPORAL_CLUSTER_FRONTEND_HOST
The hostname for the Temporal cluster. If you're using Temporal Cloud, your host may end with .tmprl.cloud. This environment variable does not need to be set if using Retool-managed Temporal cluster.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
org.example.tmprl.cloud
WORKFLOW_TEMPORAL_CLUSTER_FRONTEND_PORT
The port for the Temporal cluster.
| Type | number |
| Required | Optional |
| Default | 7233 |
Examples
7233
WORKFLOW_TEMPORAL_CLUSTER_NAMESPACE
The namespace for the Temporal cluster.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | workflows |
Examples
workflows
WORKFLOW_TEMPORAL_CONCURRENT_ACTIVITIES_LIMIT
The maximum number of concurrent activities that can be executed by a single workflow. Refer to the Temporal documentation for more information.
| Type | number |
| Required | Optional |
| Default | 10 |
Examples
10
WORKFLOW_TEMPORAL_CONCURRENT_TASKS_LIMIT
The maximum number of concurrent tasks that can be executed by a single workflow. Refer to the Temporal documentation for more information.
| Type | number |
| Required | Optional |
| Default | 10 |
Examples
10
WORKFLOW_TEMPORAL_OPENTELEMETRY_COLLECTOR
The OpenTelemetry collector endpoint for Temporal Worker metrics.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
http://open-telemetry-collector-opentelemetry-collector:4318
WORKFLOW_TEMPORAL_SERVER_NAME_OVERRIDE
The server name override for the Temporal cluster. This overrides the target name (SNI) used for TLS host name checking. It can be useful if you have reverse proxy in front of Temporal server and you need to override the SNI to direct traffic to the appropriate backend server based on custom routing rules. Connections can be refused if the provided SNI does not match the expected host. Adding this override should be done with care. This does not need to be set if using Retool-managed Temporal cluster.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
other.domain.tmprl.cld
WORKFLOW_TEMPORAL_SERVER_ROOT_CA_CRT
Base64 encoded PEM certificate for the root CA of the Temporal cluster. This does not need to be set if using Retool-managed Temporal cluster.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
UXVpcyBjb21tb2RvIGV4ZXJjaXRhd
WORKFLOW_TEMPORAL_STICKY_CACHE_SIZE
The size of the Temporal sticky queue cache.
| Type | number |
| Required | Optional |
| Default | 200 |
Examples
100
WORKFLOW_TEMPORAL_TLS_CRT
Base64 encoded certificate for TLS client certification pair. See Temporal documentation for more details. This does not need to be set if using Retool-managed Temporal cluster.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
UXVpcyBjb21tb2RvIGV4ZXJjaXRhd
WORKFLOW_TEMPORAL_TLS_ENABLED
Whether to enable TLS for the Temporal cluster. You can set this to true if you use your own Temporal Cloud. This does not need to be set if using Retool-managed Temporal cluster.
| Type | boolean |
| Required | Optional |
| Default | false |
Examples
true
WORKFLOW_TEMPORAL_TLS_KEY
Base64 encoded private key for TLS client certification pair. This does not need to be set if using Retool-managed Temporal cluster.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
c2VjcmV0X2tleQ==
WORKFLOW_TEMPORAL_WORKER_SHUTDOWN_GRACE_TIME
The timeout, in minutes, to wait for pending workflows to complete before the Temporal worker gracefully shuts down. If the worker does not shut down within this time, it is forcefully terminated.
| Type | number |
| Required | Optional |
| Default | 15 |
Examples
15
WORKFLOW_TEMPORAL_WORKFLOW_TASK_POLLERS
The number of Temporal workflow task pollers that concurrently run.
| Type | number |
| Required | Optional |
| Default | 10 |
Examples
10
WORKFLOW_WORKER_HEALTHCHECK_PORT
The port for the /api/checkHealth health check endpoint for the Temporal worker.
| Type | number |
| Required | Optional |
| Default | 3005 |
Examples
3005