Configure Sign in with Google

Learn how to configure Sign in with Google for SSO on self-hosted deployments.

You can configure SSO using the Sign in with Google following this guide. This guide applies to self-hosted deployments, but Sign in with Google is also available on Retool Cloud, where it does not require additional configuration.


Follow this guide to configure Sign-in with Google. Refer to the Google SSO with OpenID Connect guide to configure Google SSO using OIDC.

1. Configure Google OAuth client

If you are prompted to configure a consent screen, select Internal as the User type.

Click Create Credentials > OAuth client ID to create a Google OAuth client. Use the following settings.

Setting nameSetting values
Application typeWeb application
Authorized JavaScript originshttps://retool.<yourcompany>.com
Authorized redirect URIshttps://retool.<yourcompany>.com/oauth/oauthcallback
https://retool.<yourcompany>.com/oauth/oauthcallback/mobile (for Retool Mobile only)

2. Update settings in Retool

Click on your new OAuth application in the Credentials tab, and copy the Client ID and Client secret. Save each in your docker.env file using the CLIENT_ID and CLIENT_SECRET environment variables.

If you use Kubernetes Secrets, place the base64-encoded version of these strings inside your Kubernetes secrets file instead of in docker.env.


If you want to restrict sign-in to SSO and remove the option for users to sign in with a username and password, add the RESTRICTED_DOMAIN environment variable.

When setting RESTRICTED_DOMAIN, do not include the protocol or subdomain where you have Retool deployed. Only use, which should match the email address users use to sign in. See the environment variables reference for more details.

3. Restart the Retool instance

Restart your Retool instance to reload the configuration and enable Google SSO. If you use Docker, you can restart the instance with docker-compose up.

sudo docker-compose up -d

4. Enable JIT user provisioning

Just-in-Time (JIT) user provisioning enables Retool to provision accounts when your users sign in with Google for the first time. JIT user provisioning is optional, but it is highly recommended so you don't need to manually invite each user to Retool first.

To enable JIT user provisioning, toggle the switch in the Settings > Advanced page in Retool, then set the DEFAULT_GROUP_FOR_DOMAINS environment variable.