Inviting users and authentication
Learn how users authenticate, and how to invite them to your Retool.
Retool manages authentication for all the tools you build in Retool. In the cloud version, that means that if you authenticated via SSO (as you should!), and somebody else SSO's in with the same domain, they'll get read access to the tools you've created.
Access controls and Retool plans
Granular access controls are only available on the Business or Enterprise plans. All users invited to accounts on the Free and Team plans have edit access.
Depending on how you sign in, and whether you use the cloud or on premise version, the user invite flow is different. To invite users, visit /settings.
Cloud
Google SSO
When you sign in to Retool via G Suite, Retool checks if an organization has already been created for that G Suite domain. If an organization already exists, you get added to that organization and can access all Retool apps for that organization in view-only mode. An admin can change your permissions by adding you to a User Group that has more permissions.
If no organization is found, Retool creates a new one and adds you as an admin to that new organization.
Email + password
When you sign in to Retool via email and password, Retool always creates a new organization for you, even if you sign in with an email address that matches the domain of an existing Retool organization. When using email and password sign in, if you want to access the Retool apps of others, you need an invitation from them. Or, if you want others to use your Retool apps, you need to invite them.
Okta SSO
Okta SSO is currently not supported in the cloud version of Retool. Please contact us for more details.
On premise
For on premise deployments of Retool, only the first user can sign up. All subsequent users have to be invited from within the application itself.
Setting the BASE_DOMAIN environment variable
The BASE_DOMAIN variable helps Retool create links for your users, like new user invitations and forgotten password resets. The backend tries to guess this, but it can be incorrect if there's a proxy in front of the actual website. Set BASE_DOMAIN=https://retool.yourwebsite.com to make sure these links are properly created.
Google SSO
Users with the same domain will be able to sign in, but will not be able to view or edit pages, datasources, or anything else. You must explicitly add them to a group in order for them to have permissions.
Okta SSO
Once you add somebody to the Retool group on Okta, they're allowed to sign in to Retool. But you must explicitly grant them permissions inside Retool - otherwise they won't be able to view or edit pages, datasources, or anything else.
Email + password
Users who sign in via email and password will not be able to see anything after signing in, just like Google SSO. We suggest disabling email + password sign in / up on on-premise deployments. (To do this, set the RESTRICTED_DOMAIN environment variable.)
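A pre-deploy check for the two on premise variables named above, BASE_DOMAIN and RESTRICTED_DOMAIN. This is an added example, not code from Retool: it assumes a KEY=value env file, treats a non-https BASE_DOMAIN as a failure (an assumption about the proxy), and uses hypothetical function names and constructed sample values.

```shell
#!/bin/sh
# Added example, not Retool's code. Assumes a KEY=value env file.
# Function names are hypothetical.

# Print the last value assigned to key $1 in file $2 (empty if unset).
env_value() {
    sed -n "s/^$1=//p" "$2" | tail -n 1 | tr -d "\"'\r"
}

# Print findings for env file $1; return non-zero if any check fails.
check_retool_env() {
    file=$1
    problems=0
    base=$(env_value BASE_DOMAIN "$file")
    case $base in
        "")
            echo "FAIL: BASE_DOMAIN unset; invite and reset links rely on the backend's guess"
            problems=$((problems + 1)) ;;
        *://localhost*|*://127.*|*://0.0.0.0*)
            echo "FAIL: BASE_DOMAIN is a local address users cannot reach: $base"
            problems=$((problems + 1)) ;;
        https://?*)
            echo "ok: BASE_DOMAIN=$base" ;;
        *)
            # Assumption of this example: the proxy terminates TLS, so links are https.
            echo "FAIL: BASE_DOMAIN is not an https:// URL: $base"
            problems=$((problems + 1)) ;;
    esac
    if [ -z "$(env_value RESTRICTED_DOMAIN "$file")" ]; then
        echo "FAIL: RESTRICTED_DOMAIN unset; email + password sign in / up stays enabled"
        problems=$((problems + 1))
    else
        echo "ok: RESTRICTED_DOMAIN is set"
    fi
    [ "$problems" -eq 0 ]
}

# Constructed sample: a file left on the backend's own address.
sample=$(mktemp)
printf 'BASE_DOMAIN=http://localhost:3000\n' > "$sample"
check_retool_env "$sample" || echo "2 findings: fix before sending invitations"
rm -f "$sample"
```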