Connect with SSL/TLS

Learn how to connect to your resources using SSL/TLS encryption.

Retool supports SSL/TLS connections to database resources as long as the database server is configured to support it.

The following resource types have options for SSL/TLS encryption in their configuration settings:

Connect using SSL/TLS

To connect with SSL, on the Create resource or Edit resource form, select the Use SSL/TLS checkbox. Depending on the resource, additional fields are shown once the checkbox is clicked. The standard options are CA Certificate, Client Key, Client Certifcate, and Verification mode.

SSL/TLS Options

For API Resources, specify an HTTPS base URL before clicking the Use self-signed certificates checkbox to add TLS options.

API resource TLS options

CA Certificate is a certificate signed by a trusted, third-party certificate authority (CA). The client, which is Retool in this case, uses the certificate to verify that they are talking to the correct server. Client Key and Client Certificate are additional fields that identify the client to the server.

Verification modes

The following table lists the available Verification mode options:

Verification modepsql equivalentDescription
Full verificationverify-fullVerifies the server host matches the name stored in the server certificate and checks the CA certificate.
Verify CA Certificateverify-caVerifies the server by checking the certificate chain up to the root certificate stored on the client.
Skip CA Certificate verificationrequireEstablishes an encrypted connection without CA certificate verification.

Retool uses Node drivers to power our resources, and occasionally, the drivers are limited in their functionality. As a result, not all resources support all modes. For example, MySQL only supports Verify CA Certificate and Skip CA Certificate verification.