User authentication

Learn about user authentication in Retool.

Retool manages authentication of users for your organization. The available methods and process depend on whether you use Retool Cloud or a Self-hosted deployment.

Retool Cloud authentication

Retool Cloud can authenticate users using:

  • Sign in with Google
  • Email address and password

Sign in with Google for Retool Cloud

Retool supports Sign in with Google. You can sign in using your existing Google account. Retool creates a new organization if you're not an existing user.

If your organization uses Google Workspace and all users share the same domain, users can select Sign in with Google and log in automatically to the same Retool organization. If you attempt to sign in with Google and there is no existing organization, Retool creates one and assigns you as an administrator.

Email and password for Retool Cloud

Logging in with an email address and password operates separately from Sign in with Google. Anyone who signs up to Retool creates a new organization, regardless of whether the email address shares a domain with an existing Retool organization.

Users needing to sign in with an email and password must first be invited to a Retool organization.

Self-hosted Retool authentication

Self-hosted Retool can authenticate users using:

Regardless of authentication method, new users must be added to relevant permission groups to grant them required access. You can either configure the SSO authentication flow to handle this automatically or you can manually configure user permissions.

Self-hosted Retool uses the BASE_DOMAIN environment variable when creating links, such as invites and password resets. Set this variable to make sure these links are properly created.

SSO providers for Self-hosted Retool

If your organization uses Google Workspace and all users share the same domain, they can select Sign in with Google and log in automatically. If you configure another SSO provider, users can also log in automatically.

These users are added only to the All users permission group and have no permission to take any action. You must add these users to relevant permission groups to grant them access to relevant apps, resources, and workflows.

Email and password for Self-hosted Retool

Logging in with an email address and password operates separately from SSO. Anyone with access to your Self-hosted deployment can sign up but must then be added to permission groups.

Retool recommends using SSO for user authentication. You can disable signups for specific domains by configuring the RESTRICTED_DOMAIN environment variable.
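
A pre-deploy check for the two environment variables named on this page, as an added example that is not Retool's own tooling. It assumes a KEY=value env file, a BASE_DOMAIN that holds a full https:// URL, and a RESTRICTED_DOMAIN that holds a comma-separated list of bare domain names; the function names and the sample file are hypothetical.

```shell
#!/bin/sh
# Added example: lint a Self-hosted Retool env file before deploying.
# Assumptions: KEY=value lines; BASE_DOMAIN is a full https:// URL;
# RESTRICTED_DOMAIN is a comma-separated list of bare domain names.

# Print the last value assigned to key $1 in env file $2 (quotes stripped).
env_value() {
    sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1 | tr -d "\"'\r"
}

# Record one problem and mark the check as failed.
finding() { echo "FINDING: $*"; rc=1; }

# Print one line per problem; return 0 when the file passes, 1 otherwise.
check_retool_auth_env() {
    rc=0
    base=$(env_value BASE_DOMAIN "$1")
    restricted=$(env_value RESTRICTED_DOMAIN "$1")

    case $base in
        '')         finding "BASE_DOMAIN is unset; invite and password reset links depend on it" ;;
        https://?*) ;;
        *)          finding "BASE_DOMAIN is not an https:// URL: $base" ;;
    esac

    if [ -z "$restricted" ]; then
        finding "RESTRICTED_DOMAIN is unset; no signup restriction by domain is configured"
    else
        # Check each comma-separated entry in the current shell so rc survives.
        while IFS= read -r d; do
            case $d in
                ''|*://*|*@*|*/*) finding "RESTRICTED_DOMAIN entry is not a bare domain: '$d'" ;;
            esac
        done <<EOF
$(printf '%s' "$restricted" | tr ',' '\n')
EOF
    fi
    return "$rc"
}

# Constructed sample input: plain-http base URL, restriction commented out.
sample=$(mktemp)
printf '%s\n' 'BASE_DOMAIN=http://retool.example.com' \
              '# RESTRICTED_DOMAIN=example.com' > "$sample"
check_retool_auth_env "$sample" || echo "sample env file failed the check"
rm -f "$sample"
```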