Skip to main content

Manage secrets with environment variables

Learn how to use secrets to manage environment variables.

You can use environment variables to manage secrets like database passwords and bearer tokens. This allows you to automatically rotate secret credentials, and help protect sensitive information.

If your use case requires higher level of security, you may want to use AWS Secrets Manager or HashiCorp Vault to externally manage secrets. These integrations allow you to rotate secrets without redeploying your Retool instance.

To manage secret and non-secret environment variables through Retool's web interface, consider using configuration variables.

1. Define the RETOOL_EXPOSED_DB_PASSWORD variable

Set the RETOOL_EXPOSED_DB_PASSWORD variable to your database connection string. Depending on how you set up Retool, you might need to restart the Docker container.


To avoid leaking potentially sensitive environment variables, Retool only allows users to read environment variables with the RETOOL_EXPOSED_ prefix.

2. Create a new Postgres connection

Add a new Postgres connection and use the connection string format. Make sure to replace the database password with the %RETOOL_EXPOSED_DB_PASSWORD% variable. It should look something like this.

You can use environment variables like this for any field that you define. For example, you could use environment variables to configure the headers you send in API requests.

3. Save and restart the container

Click Save and restart the container.