
Configure Sign in with Google

This guide explains how to configure SSO using Sign in with Google. It applies to Retool Cloud and self-hosted deployments.

To configure Google SSO using OIDC instead, refer to the Google SSO with OpenID Connect guide.

1. Configure Google OAuth client

Navigate to the Credentials page of your Google APIs console. Create or select your project.

Click Create Credentials > OAuth client ID to create a Google OAuth client. Use the following settings if you have a custom domain set on your organization.

Setting name: Setting values
Application type: Web application
Authorized JavaScript origins: https://<your_base_domain>.com
Authorized redirect URIs:
  • https://<your_base_domain>.com/oauthcallback
  • https://<your_base_domain>.com/oauth
  • https://<your_base_domain>.com/oauthcallback/mobile (for Retool Mobile only)

If you are using Retool Cloud, you must also set the following authorized redirect URIs to enable Sign-in with Google:

  • https://login.retool.com/oauthcallback
  • https://login.retool.com/oauthcallback/cli
  • https://login.retool.com/oauth/oauthcallback

If you are prompted to configure a consent screen, select Internal as the User type.

For more information on setup needed in the Google APIs console, refer to Google's setup guide.

2. Update settings in Retool

Click on your new OAuth application in the Credentials tab, and copy the Client ID and Client secret.

In your docker.env file, set your Client ID and Client Secret as the values of the CLIENT_ID and CLIENT_SECRET environment variables. Set the BASE_DOMAIN environment variable as well, so Google handles redirect requests correctly.

If you use Kubernetes Secrets, place the Base64-encoded version of these strings inside your Kubernetes secrets file instead of in docker.env.

CLIENT_ID={YOUR_GOOGLE_CLIENT_ID}
CLIENT_SECRET={YOUR_GOOGLE_CLIENT_SECRET}

To automatically provision users on sign-in, set the DEFAULT_GROUP_FOR_DOMAINS environment variable.

DEFAULT_GROUP_FOR_DOMAINS=example1.org -> admin, example2.com -> viewer

If you want to restrict sign-in to SSO and remove the option for users to sign in with a username and password, add the RESTRICTED_DOMAIN environment variable.

RESTRICTED_DOMAIN=yourcompany.com

When setting RESTRICTED_DOMAIN, do not include the protocol or subdomain where you have Retool deployed. Only use yourcompany.com, which should match the email address users use to sign in. See the environment variables reference for more details.

Restart your Retool instance to reload the configuration and enable Google SSO. If you use Docker, you can restart the instance with docker compose up.

sudo docker compose up -d
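
A pre-restart check for the docker.env settings from step 2, added here as an example and not part of Retool's own tooling: it flags leftover placeholders, a RESTRICTED_DOMAIN that contains a protocol or the Retool hostname, and malformed DEFAULT_GROUP_FOR_DOMAINS entries, and lists the redirect URIs the Google OAuth client must carry. It assumes BASE_DOMAIN holds the full https origin of the deployment; the function names and sample values are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample docker.env; all values are made up. Assumption: BASE_DOMAIN
# holds the full https origin of the deployment.
SAMPLE_ENV = """\
CLIENT_ID=1234-example.apps.googleusercontent.com
CLIENT_SECRET=constructed-secret
BASE_DOMAIN=https://retool.yourcompany.com
DEFAULT_GROUP_FOR_DOMAINS=example1.org -> admin, example2.com -> viewer
RESTRICTED_DOMAIN=https://retool.yourcompany.com
"""
# Redirect paths from the settings table (/oauthcallback/mobile: Retool Mobile only).
REDIRECT_PATHS = ("/oauthcallback", "/oauth", "/oauthcallback/mobile")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and # comments."""
    env = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            env[key.strip()] = value.strip()
    return env

def redirect_uris(env):
    """Redirect URIs to register on the Google OAuth client for this BASE_DOMAIN."""
    base = env.get("BASE_DOMAIN", "").rstrip("/")
    return [base + path for path in REDIRECT_PATHS] if base else []

def check_env(text):
    """Return findings for the SSO variables this guide sets."""
    env, findings = parse_env(text), []
    for key in ("CLIENT_ID", "CLIENT_SECRET", "BASE_DOMAIN"):
        if not env.get(key) or env[key].startswith("{"):
            findings.append(f"{key} is missing or still a placeholder")
    host = urlsplit(env.get("BASE_DOMAIN", "")).hostname
    restricted = env.get("RESTRICTED_DOMAIN")
    if restricted is not None:
        if "/" in restricted:
            findings.append("RESTRICTED_DOMAIN must not include a protocol or path")
        elif restricted.lower() == host:
            findings.append("RESTRICTED_DOMAIN is the Retool hostname, not the email domain")
        elif not DOMAIN_RE.match(restricted):
            findings.append("RESTRICTED_DOMAIN is not a bare domain")
    for entry in filter(None, map(str.strip, env.get("DEFAULT_GROUP_FOR_DOMAINS", "").split(","))):
        domain, sep, group = map(str.strip, entry.partition("->"))
        if not (sep and group and DOMAIN_RE.match(domain)):
            findings.append(f"DEFAULT_GROUP_FOR_DOMAINS entry is malformed: {entry!r}")
    return findings
```

Run check_env on the contents of docker.env before restarting; an empty list means the SSO variables passed these checks, and redirect_uris gives the list to compare against the OAuth client in the Google APIs console.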