Environment Variables




Used to sign a JWT to authenticate with the API server. If this is reset, all users with active login sessions will have their sessions invalidated and need to log in again.


Encrypts things that are stored in the Postgres DB (e.g. database credentials, SSH keys, etc). Make sure to keep track of this key in a location outside of your Retool instance(s). If you change this key, you will lose access to all resources that were created before the change.


Sends auth requests with insecure cookies — set to true if hosting Retool on a non-HTTPS URL or raw IP address. This is typically used if you haven’t deployed Retool on a custom domain yet.

When embedding non-public Retool applications, this must be set to false.


The BASE_DOMAIN variable helps us create links for your users, like new user invitations and forgotten password resets. The backend tries to guess this, but it can be incorrect if there’s a proxy in front of the actual website.

Please include the full domain where Retool is deployed, like this:



Used for git syncing. Set to true if you want this Retool instance to only pull from (not push to) your repository.


Used for git syncing. Set to true on a read-only instance to disable pulling new changes from the connected GitHub repository.


Used for our Google Sheets integration and/or Google SSO.


Used for our Google Sheets integration and/or Google SSO.


A secret token shared with your 3rd party SSO provider (e.g. Okta) to provision user accounts.


Any .env variable of this format is accessible in the Resource configuration screen. More info here.


Set DEBUG=1 to enable verbose logging.


Restricts login to SSO (removes username & password inputs from sign in page).

Note: when deploying Retool, you must first sign up via username & password before you can enable SSO-only login with this environment variable. (In other words, the first user must sign up with username & password.)

The value of this env var should match your email domain.

Example: RESTRICTED_DOMAIN=yourcompany.com

If you want to authorize multiple domains, use a comma-separated list: RESTRICTED_DOMAIN=acme.com,acme.dev


Used in the nginx container https-portal to limit query response sizes.


Set to true to print audit logs to log. Defaults to false.


Set to true if you want to enable short sessions. This requires users to log in every 12 hours (default is 1 week if this is not enabled, which gets extended at each login). This works with SSO as well.


Set to true to hide prod and staging toggles in the UI, in both edit mode and end user mode. This is useful for reducing confusion when you aren’t managing prod and staging in Retool, e.g. via Git sync between 2+ instances instead.


Set to true to disable logging of CPU usage % and memory stats.


Provide a custom API key (overrides Retool-generated API keys).


Set to true to allow user invites without pinging the invite server (if Retool tries to connect to the invite server but can’t, you won’t be able to add new users). Useful for air-gapped deployments.


Maps SSO domains to Retool groups. Example: DEFAULT_GROUP_FOR_DOMAINS=retool.com -> admin, foo.com -> viewer

Note: only applies to new users signing up via SSO. Does not apply to existing users signing in.
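A pre-deployment check for the two SSO variables documented above, RESTRICTED_DOMAIN and DEFAULT_GROUP_FOR_DOMAINS. This is an added example, not Retool's own code: the parsing rules (whitespace trimming, case-insensitive domain comparison) and the function names are assumptions, and the sample .env content is constructed.

```python
import re

# Hostname-shaped token: dot-separated labels of letters, digits and hyphens.
DOMAIN_RE = re.compile(r"^(?!-)[a-z0-9-]+(\.[a-z0-9-]+)+$")

def parse_env(text):
    """Parse KEY=VALUE lines from .env text, skipping blanks and # comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip()
    return env

def parse_group_map(raw):
    """Split 'domain -> group, domain -> group' into (mapping, malformed)."""
    mapping, malformed = {}, []
    for entry in filter(None, (e.strip() for e in raw.split(","))):
        domain, arrow, group = (p.strip() for p in entry.partition("->"))
        if not arrow or not group or not DOMAIN_RE.match(domain.lower()):
            malformed.append(entry)
        else:
            mapping[domain.lower()] = group
    return mapping, malformed

def lint_sso_env(text):
    """Return a sorted list of findings for the SSO-related variables."""
    env = parse_env(text)
    raw_allowed = env.get("RESTRICTED_DOMAIN", "").split(",")
    allowed = {d.strip().lower() for d in raw_allowed if d.strip()}
    mapping, malformed = parse_group_map(env.get("DEFAULT_GROUP_FOR_DOMAINS", ""))
    findings = [f"malformed mapping entry: {m!r}" for m in malformed]
    findings += [f"invalid RESTRICTED_DOMAIN entry: {d!r}"
                 for d in allowed if not DOMAIN_RE.match(d)]
    for domain, group in mapping.items():
        if allowed and domain not in allowed:
            findings.append(f"{domain} is mapped to {group!r} but is not in RESTRICTED_DOMAIN")
        if group.lower() == "admin":
            findings.append(f"every new SSO user from {domain} joins 'admin'")
    return sorted(findings)

# Constructed sample .env content, not taken from a real deployment.
SAMPLE = """\
RESTRICTED_DOMAIN=acme.com,acme.dev
DEFAULT_GROUP_FOR_DOMAINS=acme.com -> admin, partner.io -> viewer, acme.dev > editor
"""

if __name__ == "__main__":
    print("\n".join(lint_sso_env(SAMPLE)))
```

An empty result means the two variables are consistent with each other; the admin finding is informational and is worth reviewing whenever a whole domain maps to a privileged group.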


Controls how much to log to stdout:

Possible values:
"info": default logging level
"verbose": more verbose logs for git syncing, auth systems, etc.
"debug": raw debug logs


Set a custom URL to redirect users to on logout. This is useful, for example, if you wish to redirect users to a URL that logs them out globally from your SSO provider.


Set one of these environment variables to true to automatically start the SSO flow for SAML login or OAuth2 SSO login, respectively. That is, when an unauthenticated user navigates to retool.yourdomain.xyz they will automatically be sent into the SSO workflow.


Set this environment variable to allow editors to set Resource custom authentication steps that make REST API calls directly from the browser. Browser credentials will be included, even for cross-origin calls, with these requests.


Set this environment variable to allow configuring custom authentication steps that are performed whenever a user logs in to Retool. These steps are defined under Organization Settings -> Authentication and allow you to define variables that can be used in any REST API resources (e.g. for tokens that are shared across multiple resources).


Set this environment variable if you need to run queries that take more than 2 minutes to complete. Specify the timeout in milliseconds. For example, the default value is 120000 ms (2 minutes).

Note: if you have Retool behind a load balancer, make sure you also increase the load balancer's timeout by a commensurate amount.


Set to true to force SSL connections to your Retool Postgres DB.


Customize the Retool JavaScript sandbox restrictions, e.g. to enable downloads from Retool Run JS queries set this to allow-downloads. Currently only allow-popups, allow-downloads, and allow-modals are supported (separate values with spaces to enable more than one). Note: only set this environment variable if you are comfortable with the security implications.


Prevents all query headers (including cookies) from getting added to audit log entries.


A value in minutes. Allows a custom token lifespan to be set for use with Custom OpenId providers when accessing variables like %USER_OAUTH2_ACCESS_TOKEN%


Set this environment variable if you need to use a custom certificate when connecting to your Retool DB.

ex. Let's say your certificate is mounted to /var/data/certs/certificate.pem
in your Docker container, you would use
for the value of this variable.


If you want to use Google Cloud SQL as the Retool DB, all 3 of these are required.


Restricts login to SSO (removes username & password inputs from sign in page).

Requires v2.68.18 or higher


Controls public access links. Set to true to disable public access across all apps.


The hostname of the Redis reader endpoint, used to connect Redis to Retool as a caching layer. More info here.


Port number to connect to your Redis instance. By default, this should be 6379.


Number between 0-15 to specify the database within Redis to read/write from. If unsure, set to 0, as that is the default database.


Password for Redis instance, if password was set during setup.


Boolean set to True if and only if TLS is enabled.


Set to "production" by default; you cannot configure it to other values.


Use these 3 variables in order to setup the Protected Applications feature.


Set this variable to false to disable Retool from polling GitHub and syncing down changes from the Protected Apps repository. This will not unprotect your apps, but pause the syncing process.


Set to true to stop Intercom from being loaded in the frontend. You can still contact Retool support by emailing us at [email protected].

Requires v2.72.28 or higher


To preserve account security, Retool resets your password the first time you log in with Google. Set this environment variable to true to opt out of this behavior.

Requires v2.75.4 or higher
