Google API authentication
Learn about different authentication methods for Google APIs.
You can use either OAuth or service account authentication to connect with Google APIs and limit the access available from Retool, depending on your needs. The two methods differ in their setup and usage.
OAuth 2.0 authentication
Refer to the Authenticate with Google APIs using OAuth 2.0 guide to learn how to configure OAuth 2.0 for use with Retool.
OAuth enables you to quickly authenticate with Google. It also provides some control over the access Retool has to your Google data.
- User OAuth
- Shared OAuth
User OAuth: OAuth-based authentication with individual user credentials. Each user is prompted to authenticate with Google using an OAuth flow, and API calls from Retool are made on behalf of the logged-in user. When using apps built using authenticated Google resources, users can only interact with APIs and data to which they have access.
For example, cloud-hosted Retool organizations can grant Retool either Read and write or Read only access to their Google Sheets data. This option determines the scopes passed with the OAuth request. Retool recommends Read and write so that Retool can read and write spreadsheet data (e.g., create new sheets or update cell rows).
To create other Google API resources, or to use Retool's Google integrations with self-hosted deployments, you create Google Cloud projects and OAuth 2.0 credentials with scopes you define.
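The scope choice described above can be verified after the OAuth flow completes. The following is an added example, not Retool's code: it audits the space-delimited `scope` string from an OAuth 2.0 token response against the intended access level. The scope URIs are Google's published Sheets and Drive scopes; the mapping of the Read only and Read and write options onto them, the names `audit_scopes`, `ALLOWED` and `REQUIRED`, and the sample grants are assumptions made for illustration.

```python
# Added example: least-privilege audit of scopes granted to a Google OAuth token.
SHEETS_RW = "https://www.googleapis.com/auth/spreadsheets"
SHEETS_RO = "https://www.googleapis.com/auth/spreadsheets.readonly"

# Assumption: the widest data scopes acceptable for each access option.
ALLOWED = {
    "read_only": {SHEETS_RO},
    "read_write": {SHEETS_RW, SHEETS_RO},
}
# Assumption: the one scope each option cannot function without.
REQUIRED = {"read_only": SHEETS_RO, "read_write": SHEETS_RW}

# Sign-in scopes that identify the user but grant no access to Sheets data.
IDENTITY = {
    "openid", "email", "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}

def audit_scopes(granted: str, mode: str) -> dict:
    """Compare a token's granted scopes with the intended access mode.

    granted: space-delimited scope string, as in the token response 'scope' field.
    Returns excess scopes (broader than intended) and whether the required
    scope is missing (the user may have declined it on the consent screen).
    """
    if mode not in ALLOWED:
        raise ValueError(f"unknown access mode: {mode!r}")
    data_scopes = set(granted.split()) - IDENTITY
    excess = sorted(data_scopes - ALLOWED[mode])
    missing = REQUIRED[mode] not in data_scopes
    return {"ok": not excess and not missing, "excess": excess, "missing": missing}

if __name__ == "__main__":
    # Constructed sample grants, not captured from a real deployment.
    samples = [
        (f"openid email {SHEETS_RO}", "read_only"),
        (f"{SHEETS_RW} https://www.googleapis.com/auth/drive", "read_only"),
        (SHEETS_RO, "read_write"),
    ]
    for granted, mode in samples:
        print(mode, audit_scopes(granted, mode))
```
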
Shared OAuth: OAuth-based authentication with shared user credentials. The user creating the resource is prompted to authenticate with Google using an OAuth authentication flow, and subsequent API calls from Retool are made on behalf of the user that completed authentication. When building apps on top of Google Sheets, all users in a Retool organization can access and edit sheets that have been shared with the user who completed the authentication process.
Service account authentication
Authenticate with a service account tied to a Google Cloud project. This method allows users to give Retool access to certain APIs or data (e.g., spreadsheets) by sharing them with the service account's email address.
Retool recommends using service account authentication when you need to share credentials across users but limit Retool's access to a subset of data. This authentication flow restricts Retool's access to APIs or data shared with the service account email address only.
Refer to Google's service account documentation to learn more.