User authentication
Learn about user authentication in Retool.
Retool manages authentication of users for your organization. The available methods and process depend on whether you use Retool Cloud or a Self-hosted deployment.
- Retool Cloud authentication
- Self-hosted Retool authentication
Retool Cloud can authenticate users using:
- Sign in with Google
- Email address and password
Sign in with Google for Retool Cloud
Retool supports Sign in with Google. You can sign in using your existing Google account. Retool creates a new organization if you're not an existing user.
If your organization uses Google Workspace and all users share the same domain, users can select Sign in with Google and log in automatically to the same Retool organization. If you attempt to sign in with Google and there is no existing organization, Retool creates one and assigns you as an administrator.
Reset Google Login
If needed, you can reset Google Login on your account. Navigate to your account page and then click Reset Google Login under the Security section. This removes the link to your Google account, which means you need to enter a new password to log back in.
Email and password for Retool Cloud
Logging in with an email address and password operates separately from Sign in with Google.
You can specify a set of domains from which to allow users with a matching email address to join. Navigate to Settings > Advanced, then add one or more domains to the Auto-join domain section. You then specify whether users with a matching email address can request to join or join automatically for that domain.
When auto-join is disabled, anyone who signs up to Retool with a username and password creates a new organization, regardless of whether the email address shares a domain with an existing Retool organization. To join an organization using email and password instead of creating a new one, they will need to receive an invitation.
Change user emails
Users in organizations that do not use SSO can change their own email from the Account settings page. After an email address is updated, a validation email is sent to the existing email address to flag accidental or malicious changes.
Self-hosted Retool can authenticate users using:
- A supported SSO provider, such as Sign in with Google.
- Email address and password.
Regardless of authentication method, new users must be added to relevant permission groups to grant them required access. You can either configure the SSO authentication flow to handle this automatically or you can manually configure user permissions.
Self-hosted Retool uses the BASE_DOMAIN environment variable when creating links, such as invites and password resets. Set this variable to make sure these links are properly created.
SSO providers for Self-hosted Retool
If your organization uses Google Workspace and all users share the same domain, they can select Sign in with Google and log in automatically. If you configure another SSO provider, users can also log in automatically.
These users are only added to the All users permissions group and do not have any permission to take any action. You must add these users to relevant permission groups to grant them access to relevant apps, resources, and workflows.
Retool recommends using SSO for user authentication. You can restrict signups for users to only specific domains by configuring the RESTRICTED_DOMAIN environment variable. Using this environment variable will also remove the email and password login UI.
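The following pre-deployment check for the two environment variables described above is an added example, not Retool's own code. It assumes that BASE_DOMAIN holds a full URL and RESTRICTED_DOMAIN holds a comma-separated list of bare domains; the function names, the sample file, and the https check are illustrative additions.

```python
from urllib.parse import urlsplit

# Constructed sample env file, not taken from a real deployment.
SAMPLE_ENV = """\
BASE_DOMAIN=http://retool.example.com
RESTRICTED_DOMAIN=example.com, @corp.example
"""

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blank lines and # comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("\"'")
    return env

def audit(env):
    """Return (variable, finding) tuples; an empty list means no findings."""
    findings = []
    base = env.get("BASE_DOMAIN", "")
    if not base:
        findings.append(("BASE_DOMAIN", "unset: invite and password reset links may be wrong"))
    else:
        url = urlsplit(base)
        # Assumption: the value is a full URL. The https check is an added
        # hardening check, not a requirement stated on this page.
        if not url.hostname:
            findings.append(("BASE_DOMAIN", "no hostname: expected a full URL"))
        elif url.scheme != "https":
            findings.append(("BASE_DOMAIN", "not https: emailed links would use plain HTTP"))
    restricted = env.get("RESTRICTED_DOMAIN", "")
    if not restricted:
        findings.append(("RESTRICTED_DOMAIN",
                         "unset: signups are not limited by domain"))
    # Assumption: the value is a comma-separated list of bare domains.
    for entry in filter(None, (d.strip() for d in restricted.split(","))):
        if any(c in entry for c in "@/: ") or "." not in entry:
            findings.append(("RESTRICTED_DOMAIN", f"malformed entry: {entry!r}"))
    return findings

if __name__ == "__main__":
    for variable, finding in audit(parse_env(SAMPLE_ENV)):
        print(f"{variable}: {finding}")
```

Run it against the env file your deployment actually loads, and treat any finding as a reason to review the value before users receive invites or password reset emails.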
Email and password for Self-hosted Retool
Logging in with an email address and password operates separately from SSO. Anyone with access to your Self-hosted deployment can sign up but must then be added to permission groups.
Change user emails
Users in organizations that do not use SSO can change their own email from the Account settings page. After an email address is updated, a validation email is sent to the existing email address to flag accidental or malicious changes.