If you’re using Retool cloud, you’ll need to whitelist our IP addresses (below) so we can connect to your data source.
Each database has a slightly different way of allowing remote connections, but here are a few links to popular ones:
- PostgreSQL (using .conf files)
- MySQL (using GRANT)
- MongoDB (if self hosted, instructions here)
- Redshift (via AWS security groups)
If you run into any problems whitelisting IPs, reach out to support through our Intercom widget on the bottom right of your screen. Check out our connection docs for more info.
For databases like PostgreSQL and MongoDB, Retool lets you connect using a connection string or traditional credentials (username, database, password, port).
If you’re using a connection string, they usually follow a standard format:
The last slash (/mydb) references the database name that you want to connect to. If you’re copying your connection string from a console (like MongoDB Atlas), that might default to something like /test – make sure to replace it with your intended database.
Whether you’re using a connection string or regular credentials, you’ll need to enter your database username and password. There are not the same as the credentials you use to login to web consoles.
For example, if you’re using MongoDB Atlas, you’ll have a username and password to login to the web console: these are not what you use to connect to a resource in Retool. You need your database username and password, which you were prompted for when you created the cluster.
Best practice is to create a new database user specifically for connecting with Retool (you can even call it retool if you’d like).
Some Retool integrations allow you to connect to your data with end-to-end encryption using SSL, like MongoDB. This keeps your data safe and also prevents threats like MITM attacks. If we support SSL for a resource, there will be an SSL toggle “SSL” on the resource connection page.
In most cases, this is enough to ensure that all connections are end-to-end encrypted. Sometimes, though, your database might use a custom SSL certificate to encrypt traffic instead of a publicly signed certificate. In those cases, you’ll need to tell Retool to trust the custom SSL certificate. Once you’ve checked “Connect using SSL,” you’ll see another checkbox for a custom certificate:
If you’re having trouble whitelisting Retool’s IP address or want to use SSH, Retool lets you connect to data sources that are in a private network with SSH Tunnels. Check out our documentation and common errors you might run into here.
getaddrinfo ENOTFOUND– the hostname you provided doesn’t work. It could be incorrect or private (behind a VPC).
password authentication failed for user– you’ve got the wrong password, or the wrong username. Make sure to check both.
database "" does not exist– you’re trying to connect to a database that doesn’t exist. Check your spelling!
connect ECONNREFUSED– you’ve got the wrong port, or you haven’t properly whitelisted Retool’s IP address.
Updated 14 days ago