Environment Variables

Variable

Purpose

Minimum Retool Version

JWT_SECRET

Used to sign a JWT to authenticate with the API server. If this is reset, all users with active login sessions will have their sessions invalidated and need to log in again.

ENCRYPTION_KEY

Encrypts things that are stored in the Postgres DB (e.g. database credentials, SSH keys, etc). Make sure to keep track of this key in a location outside of your Retool instance(s). If you change this key, you will lose access to all resources that were created before the change.

COOKIE_INSECURE

Sends auth requests with insecure cookies — set to true if hosting Retool on a non-HTTPS URL or raw IP address. This is typically used if you haven’t deployed Retool on a custom domain yet.

When embedding non-public Retool applications, this must be set to false.

BASE_DOMAIN

The BASE_DOMAIN variable helps us create links for your users, like new user invitations and forgotten password resets. The backend tries to guess this, but it can be incorrect if there’s a proxy in front of the actual website.

Please include the full domain where Retool is deployed, like this:

BASE_DOMAIN=https://retool.yourwebsite.com

VERSION_CONTROL_LOCKED

Used for git syncing. Set to true if you want this Retool instance to only pull from (not push to) your repository.

DISABLE_GIT_SYNCING

Used for git syncing. Set to true on a read-only instance to disable pulling new changes from the connected GitHub repository.

CLIENT_ID

Used for our Google Sheets integration and/or Google SSO.

CLIENT_SECRET

Used for our Google Sheets integration and/or Google SSO.

SCIM_AUTH_TOKEN

A secret token shared with your 3rd party SSO provider (e.g. Okta) to provision user accounts.

RETOOL_EXPOSED_XYZ

Any .env variable of this format is accessible in the Resource configuration screen. More info here.

DEBUG

Set DEBUG=1 to enable verbose logging.

RESTRICTED_DOMAIN

Restricts login to SSO (removes username & password inputs from sign in page).

Note: when deploying Retool, you must first sign up via username & password before you can enable SSO-only login with this environment variable. (In other words, the first user must sign up with username & password.)

The value of this env var should match your email domain.

Example: RESTRICTED_DOMAIN=yourcompany.com

If you want to authorize multiple domains, use a comma-separated list: RESTRICTED_DOMAIN=acme.com,acme.dev

CLIENT_MAX_BODY_SIZE

Used in the nginx container https-portal to limit query response sizes.

LOG_AUDIT_EVENTS

Set to true to print audit logs to the log. Defaults to false.

USE_SHORT_SESSIONS

Set to true if you want to enable short sessions. This requires users to log in every 12 hours (default is 1 week if this is not enabled, which gets extended at each login). This works with SSO as well.

HIDE_PROD_AND_STAGING_TOGGLES

Set to true to hide prod and staging toggles in the UI, in both edit mode and end user mode. This is useful for reducing confusion when you aren’t managing prod and staging in Retool, e.g. via Git sync between 2+ instances instead.

DISABLE_MEMORY_AND_CPU_USAGE_LOGGING

Set to true to disable logging of CPU usage % and memory stats.

CUSTOM_API_KEY

Provide a custom API key (overrides Retool-generated API keys).

SENDING_INVITES_WITH_EMAIL_DISABLED

Set to true to allow user invites without pinging the invite server (if Retool tries to connect to the invite server but can’t, you won’t be able to add new users). Useful for air-gapped deployments.

DEFAULT_GROUP_FOR_DOMAINS

Maps SSO domains to Retool groups. Example: DEFAULT_GROUP_FOR_DOMAINS=retool.com -> admin, foo.com -> viewer

Note: only applies to new users signing up via SSO. Does not apply to existing users signing in.

LOG_LEVEL

Controls how much to log to stdout:

Possible values:
"info": default logging level
"verbose": more verbose logs for git syncing, auth systems, etc.
"debug": raw debug logs

CUSTOM_LOGOUT_REDIRECT

Set a custom URL to redirect users to on logout. This is useful, for example, if you wish to redirect users to a URL that logs them out globally from your SSO provider.

TRIGGER_SAML_LOGIN_AUTOMATICALLY
TRIGGER_OAUTH_2_SSO_LOGIN_AUTOMATICALLY

Set one of these environment variables to true to automatically start the SSO flow for SAML login or OAuth2 SSO login, respectively. That is, when an unauthenticated user navigates to retool.yourdomain.xyz, they will automatically be sent into the SSO workflow.

ENABLE_CLIENT_SIDE_CUSTOM_AUTH_BROWSER_CALLS

Set this environment variable to allow editors to set Resource custom authentication steps that make REST API calls directly from the browser. Browser credentials will be included, even for cross-origin calls, with these requests.

ENABLE_CUSTOM_PLATFORM_LEVEL_AUTH_STEPS

Set this environment variable to allow configuring custom authentication steps that are performed whenever a user logs in to Retool. These steps are defined under Organization Settings -> Authentication and allow you to define variables that can be used in any REST API resources (e.g. for tokens that are shared across multiple resources).

DBCONNECTOR_QUERY_TIMEOUT_MS

Set this environment variable if you need to run queries that take more than 2 minutes to complete. Specify the timeout in milliseconds. For example, the default value is 120000 ms (2 minutes).

Note: if you have Retool behind a load balancer, make sure you also increase the load balancer's timeout by a commensurate amount.

POSTGRES_SSL_ENABLED

Set to true to force SSL connections to your Retool Postgres DB.

CUSTOM_RETOOL_SANDBOX_RESTRICTIONS

Customize the Retool JavaScript sandbox restrictions, e.g. to enable downloads from Retool Run JS queries, set this to allow-downloads. Currently only allow-popups, allow-downloads, and allow-modals are supported (separate multiple values with spaces). Note: only set this environment variable if you are comfortable with the security implications.

HIDE_ALL_HEADERS_IN_AUDIT_LOG_EVENTS

Prevents all query headers (including cookies) from getting added to audit log entries.

CUSTOM_OAUTH2_SSO_ACCESS_TOKEN_LIFESPAN_MINUTES

A value in minutes. Allows a custom token lifespan to be set for use with Custom OpenID providers when accessing variables like %USER_OAUTH2_ACCESS_TOKEN%.

POSTGRES_CUSTOM_SSL_CERT_PATH

Set this environment variable if you need to use a custom certificate when connecting to your Retool DB.

Example: if your certificate is mounted to /var/data/certs/certificate.pem in your Docker container, you would use /var/data/certs for the value of this variable.

POSTGRES_CUSTOM_SSL_CERT_FILE_NAME
POSTGRES_CUSTOM_SSL_KEY_FILE_NAME
POSTGRES_CUSTOM_SSL_CA_FILE_NAME

If you want to use Google Cloud SQL as the Retool DB, all 3 of these are required.

DISABLE_USER_PASS_LOGIN

Restricts login to SSO (removes username & password inputs from sign in page).

Minimum Retool Version: 2.68.18

DISABLE_PUBLIC_PAGES

Controls public access links. Set to true to disable public access across all apps.

REDIS_HOST

The hostname of the Redis reader endpoint, used to connect Redis to Retool as a caching layer. More info here.

REDIS_PORT

Port number to connect to your Redis instance. By default, this should be 6379.

REDIS_DB

Number between 0-15 to specify the database within Redis to read/write from. If unsure, set to 0, as that is the default database.

REDIS_PASSWORD

Password for Redis instance, if password was set during setup.

REDIS_TLS

Boolean set to True if and only if TLS is enabled.

NODE_ENV

Set to "production" by default; you cannot configure it to other values.

GITHUB_APP_ID
GITHUB_APP_INSTALLATION_ID
GITHUB_APP_PRIVATE_KEY

Use these 3 variables in order to set up the Protected Applications feature.
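
A way to check a deployment's env file against the security-relevant settings described above. This is an added example, not Retool's own tooling: the function names, the finding wording and the sample file are assumptions constructed for illustration.

```python
SANDBOX_SUPPORTED = {"allow-popups", "allow-downloads", "allow-modals"}  # listed on this page

# Constructed sample input, not taken from a real deployment.
SAMPLE_ENV = """\
JWT_SECRET=
ENCRYPTION_KEY=constructed-placeholder
COOKIE_INSECURE=true
BASE_DOMAIN=https://retool.yourwebsite.com
DEBUG=1
LOG_AUDIT_EVENTS=true
CUSTOM_RETOOL_SANDBOX_RESTRICTIONS=allow-downloads allow-forms
REDIS_DB=16
"""

def parse_env(text):
    """Parse KEY=VALUE lines; skip blanks and # comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip('"\'')
    return env

def audit(env):
    """Return (variable, finding) pairs; the finding text is this example's own."""
    on = lambda k: env.get(k, "").lower() == "true"
    out = []
    for key in ("JWT_SECRET", "ENCRYPTION_KEY"):
        if not env.get(key):
            out.append((key, "missing or empty"))
    if on("COOKIE_INSECURE") and env.get("BASE_DOMAIN", "").startswith("https://"):
        out.append(("COOKIE_INSECURE", "true although BASE_DOMAIN is HTTPS"))
    if not on("POSTGRES_SSL_ENABLED"):
        out.append(("POSTGRES_SSL_ENABLED", "SSL to the Retool DB is not forced"))
    if env.get("DEBUG") == "1" or env.get("LOG_LEVEL") == "debug":
        out.append(("DEBUG/LOG_LEVEL", "verbose or raw debug logging is enabled"))
    if on("LOG_AUDIT_EVENTS") and not on("HIDE_ALL_HEADERS_IN_AUDIT_LOG_EVENTS"):
        out.append(("LOG_AUDIT_EVENTS", "query headers (incl. cookies) are not hidden"))
    bad = set(env.get("CUSTOM_RETOOL_SANDBOX_RESTRICTIONS", "").split()) - SANDBOX_SUPPORTED
    if bad:
        out.append(("CUSTOM_RETOOL_SANDBOX_RESTRICTIONS", "unsupported: " + " ".join(sorted(bad))))
    db = env.get("REDIS_DB")
    if db is not None and not (db.isdigit() and 0 <= int(db) <= 15):
        out.append(("REDIS_DB", "must be a number between 0 and 15"))
    return out

if __name__ == "__main__":
    for name, finding in audit(parse_env(SAMPLE_ENV)):
        print(f"{name}: {finding}")
```

The checks only flag settings for review; a non-HTTPS trial deployment, for instance, legitimately runs with COOKIE_INSECURE=true.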

Updated 25 days ago

