
Authentication environment variables

Authentication environment variables available for use with Self-hosted Retool deployments.

CLIENT_ID

A Google OAuth client app ID for OAuth-based authentication with Google (e.g., Google SSO with OIDC or using a Google Sheets resource).

CLIENT_ID=1234567890-abcd.apps.googleusercontent.com

CLIENT_SECRET

A Google OAuth client app secret for OAuth-based authentication with Google (e.g., Google SSO with OIDC or using a Google Sheets resource).

CLIENT_SECRET=your_google_oauth_client_secret

CUSTOM_LOGOUT_REDIRECT

A URL that users are redirected to after logging out of Retool.

CUSTOM_LOGOUT_REDIRECT=https://example.com/logout/success

CUSTOM_OAUTH2_SSO_ACCESS_TOKEN_LIFESPAN_MINUTES

The lifespan, in minutes, of the access and ID tokens issued by a custom OpenID provider. If your OpenID provider returns a refresh token in the initial login flow, Retool automatically uses it to refresh the access and ID tokens when this lifespan expires. If unset, the default lifespan is 120 (two hours).

CUSTOM_OAUTH2_SSO_ACCESS_TOKEN_LIFESPAN_MINUTES=60

CUSTOM_OAUTH2_SSO_AUDIENCE

An identifier for a resource to which users should have access upon completion of an OpenID authorization process.

CUSTOM_OAUTH2_SSO_AUDIENCE=https://retool.auth0.com/api/v2

CUSTOM_OAUTH2_SSO_JWT_ROLES_KEY

The path to the claim in the OpenID token that holds an array of strings, each string being an OpenID group name. This setting is used with CUSTOM_OAUTH2_SSO_ROLE_MAPPING to map those groups to Retool permission groups.

CUSTOM_OAUTH2_SSO_JWT_ROLES_KEY=idToken.groups

CUSTOM_OAUTH2_SSO_ROLE_MAPPING

The mapping of roles from your OpenID provider to Retool permission groups.

CUSTOM_OAUTH2_SSO_ROLE_MAPPING=devops -> admin, support -> viewer

Roles set using this environment variable are case sensitive. This means:

  1. Roles set within your IdP that you pass within the variable need to match exactly. For example, if you have a Retool Admin role in your IdP, you need to pass Retool Admin.
  2. Roles within Retool are always lowercase. For example, if you have a Retool Admin role within your IdP, and you want to map it to Retool's admin role, you need to set it using Retool Admin → admin.

CUSTOM_OAUTH2_SSO_ROLE_MAPPING_DISABLED

Disables the mapping of roles from your OpenID provider to Retool permission groups. You need to set this variable to true to disable passing roles from JWTs.

CUSTOM_OAUTH2_SSO_ROLE_MAPPING_DISABLED=true

CUSTOM_OAUTH2_SSO_USERINFO_URL

The endpoint Retool calls to make an additional request for a fat token containing all available claims from your OpenID SSO provider. Use this when the ID token itself does not carry the claims (for example, group membership) that your role mapping depends on.

CUSTOM_OAUTH2_SSO_USERINFO_URL=https://yourcompany.okta.com/oauth2/v1/userinfo

DEFAULT_GROUP_FOR_DOMAINS

The default Retool user group for a Google SSO domain. You can specify multiple domain and group pairs, separated by commas as in the example below.

Default groups apply only to new users who sign up using SSO, not to existing users signing in.

DEFAULT_GROUP_FOR_DOMAINS=example1.org -> admin, example2.com -> viewer

DISABLE_USER_PASS_LOGIN

Disable username and password authentication. If true, users can only log in using SSO.

DISABLE_USER_PASS_LOGIN=true

INVITES_PER_DAY

The number of invites that can be sent to users per day. If unset, the default is 50.

Use this environment variable if you encounter rate limits on invites.

INVITES_PER_DAY=100

JWT_SECRET

The JWT secret token used to sign requests for authentication with Retool's backend API server. Use a long, randomly generated value and keep it in a secrets manager rather than a checked-in .env file. If changed, all active user login sessions are invalidated.

JWT_SECRET=676765765327645bvbfgbsfhfbgr

LDAP_ROLE_MAPPING

The mapping of Google LDAP Groups or SAML groups to Retool permission groups used for Google Group syncing and SAML role mapping.

LDAP_ROLE_MAPPING="retool-admins -> admin, support -> Support"

Roles set using this environment variable are case sensitive. This means:

  1. Roles set within your IdP that you pass within the variable need to match exactly. For example, if you have a Retool Admin role in your IdP, you need to pass Retool Admin.
  2. Roles within Retool are always lowercase. For example, if you have a Retool Admin role within your IdP, and you want to map it to Retool's admin role, you need to set it using Retool Admin → admin.
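The CUSTOM_OAUTH2_SSO_JWT_ROLES_KEY, CUSTOM_OAUTH2_SSO_ROLE_MAPPING and LDAP_ROLE_MAPPING variables above (and DEFAULT_GROUP_FOR_DOMAINS, which uses the same arrow syntax) are easy to get subtly wrong because matching is case sensitive. The following Python is an added illustration, not Retool's own code: it parses the documented "idp-group -> retool-group" syntax, follows a dotted roles key such as idToken.groups into a decoded token, and reports which IdP groups would and would not map. The sample token is constructed, and the pass-through behaviour chosen for the sync_all flag is this example's assumption about LDAP_SYNC_ALL_GROUPS, not a statement of how Retool implements it.

```python
"""Dry-run helper for the "idp-group -> retool-group" mapping syntax.

Added illustration, not Retool's own code. It models the documented
behaviour of CUSTOM_OAUTH2_SSO_JWT_ROLES_KEY, CUSTOM_OAUTH2_SSO_ROLE_MAPPING
and LDAP_ROLE_MAPPING so a mapping can be tested against a sample token
before it is deployed. How Retool handles unmatched groups is assumed here.
"""
from typing import Any


def parse_role_mapping(value: str) -> dict[str, str]:
    """Parse 'Retool Admin -> admin, support -> viewer' into a dict.

    Surrounding whitespace is stripped but names are otherwise kept
    verbatim, so lookups against the result are case sensitive, as documented.
    """
    mapping: dict[str, str] = {}
    if not value.strip():
        return mapping
    for entry in value.split(","):
        if "->" not in entry:
            raise ValueError(f"malformed mapping entry: {entry!r}")
        idp_group, retool_group = (p.strip() for p in entry.split("->", 1))
        if not idp_group or not retool_group:
            raise ValueError(f"empty group name in entry: {entry!r}")
        mapping[idp_group] = retool_group
    return mapping


def resolve_claim(token: dict[str, Any], key_path: str) -> list[str]:
    """Follow a dotted path such as 'idToken.groups' into a decoded token.

    Returns [] when any segment is missing, which is what a misspelled
    CUSTOM_OAUTH2_SSO_JWT_ROLES_KEY looks like at runtime: nobody gets mapped.
    """
    node: Any = token
    for segment in key_path.split("."):
        if not isinstance(node, dict) or segment not in node:
            return []
        node = node[segment]
    if isinstance(node, str):  # some IdPs emit a single group as a bare string
        return [node]
    if isinstance(node, list):
        return [str(g) for g in node]
    return []


def map_groups(
    idp_groups: list[str], mapping: dict[str, str], sync_all: bool = False
) -> tuple[list[str], list[str]]:
    """Return (retool_groups, unmatched_idp_groups) for one user.

    Exact, case-sensitive matches go through `mapping`. With sync_all
    (modelled on LDAP_SYNC_ALL_GROUPS; an assumption about its semantics)
    unmatched IdP names pass through unchanged. Otherwise they are dropped
    and reported, so a mismatch like 'Support' vs 'support' is visible.
    """
    retool_groups: list[str] = []
    unmatched: list[str] = []
    for group in idp_groups:
        if group in mapping:
            retool_groups.append(mapping[group])
        elif sync_all:
            retool_groups.append(group)
        else:
            unmatched.append(group)
    return list(dict.fromkeys(retool_groups)), unmatched


if __name__ == "__main__":
    # Constructed sample: a decoded ID token as an IdP might return it.
    token = {"idToken": {"groups": ["Retool Admin", "Support", "eng"]}}
    mapping = parse_role_mapping("Retool Admin -> admin, support -> viewer")
    groups = resolve_claim(token, "idToken.groups")
    print(map_groups(groups, mapping))
    # -> (['admin'], ['Support', 'eng'])  'Support' != 'support', case matters
```

Run the mapping you intend to deploy through map_groups with the group list copied from a real decoded token; anything that lands in the unmatched list is a user who will silently get no Retool group.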

LDAP_ROLE_MAPPING_DISABLED

Disable syncing SAML groups or Google Groups to Retool permission groups. When LDAP_ROLE_MAPPING is set and LDAP_ROLE_MAPPING_DISABLED is true, Retool logs the groups that would have synced to Retool when a user logs in.

LDAP_ROLE_MAPPING_DISABLED=true

LDAP_SYNC_ALL_GROUPS

Whether to sync all groups regardless of whether they're configured in the LDAP_ROLE_MAPPING environment variable. When enabled, new groups are created during SAML sync.

LDAP_SYNC_ALL_GROUPS=true

LDAP_SYNC_GROUP_CLAIMS

Enable syncing Google Groups to Retool.

LDAP_SYNC_GROUP_CLAIMS=true

LDAP_SERVER_URL

When syncing Google Groups to Retool, the LDAP server URL for Google's Secure LDAP Service.

LDAP_SERVER_URL="ldaps://ldap.google.com:636"

LDAP_SERVER_NAME

When syncing Google Groups to Retool, the LDAP server name.

LDAP_SERVER_NAME="ldap.google.com"

LDAP_BASE_DOMAIN_COMPONENTS

When syncing Google Groups to Retool, the organization's email domain in DC syntax.

LDAP_BASE_DOMAIN_COMPONENTS="dc=example,dc=com"

LDAP_SERVER_CERTIFICATE

When syncing Google Groups to Retool, the certificate from the downloaded bundle.

LDAP_SERVER_CERTIFICATE=filename

LDAP_SERVER_KEY

When syncing Google Groups to Retool, the private key from the downloaded bundle.

LDAP_SERVER_KEY=filename

PRESERVE_PASSWORDS_FIRST_GOOGLE_LOGIN

Prevent Retool from resetting your password when you log in with Google for the first time.

PRESERVE_PASSWORDS_FIRST_GOOGLE_LOGIN=true

RESTRICTED_DOMAIN

Restrict users from logging in unless they use SSO for the specified domain. This value must match your email domain. Specify comma-separated values for multiple domains.

This removes the Retool username and password fields from the sign-in page. When you deploy Self-hosted Retool, you must first sign up with a username and password. You can then enable SSO-only logins with this variable.

RESTRICTED_DOMAIN=example.com,example.org

SAML_FIRST_NAME_ATTRIBUTE

The first name attribute in the SAML response. If unset, the default is firstName.

SAML_FIRST_NAME_ATTRIBUTE=nameFirst

SAML_LAST_NAME_ATTRIBUTE

The last name attribute in the SAML response. If unset, the default is lastName.

SAML_LAST_NAME_ATTRIBUTE=nameLast

SAML_GROUPS_ATTRIBUTE

The groups attribute in the SAML response. If unset, the default is groups.

SAML_GROUPS_ATTRIBUTE=userGroups

SAML_IDP_METADATA

An XML document that contains information necessary for configuring SAML-enabled identity or service providers.

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://www.okta.com/your_entity_id">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>your_certificate</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example-98123.okta.com/app/company/jfdu90324f/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://example-98123.okta.com/app/company/your_entity_id/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
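Before pasting IdP metadata into SAML_IDP_METADATA it is worth checking that it actually contains what the service provider side needs: an IdP descriptor, a signing certificate for verifying assertions, and TLS-only SSO endpoints. The Python below is an added example, not Retool code. It parses the metadata, extracts those pieces and lists findings; the SAMPLE_METADATA string is constructed from the placeholder document above, so its entity ID, URLs and certificate value are not real.

```python
"""Pre-flight check for a SAML_IDP_METADATA document.

Added example, not Retool code. Extracts what an SP needs from IdP metadata
(entityID, signing certificate, SSO endpoints) and reports things to question
before enabling SAML. The sample is constructed from the page's placeholder.
"""
import xml.etree.ElementTree as ET  # use defusedxml for metadata from untrusted sources

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample; entity ID, URLs and certificate are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://www.okta.com/your_entity_id">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>your_certificate</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example-98123.okta.com/app/company/jfdu90324f/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://example-98123.okta.com/app/company/your_entity_id/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def inspect_idp_metadata(xml_text: str) -> dict:
    """Parse IdP metadata and return its key fields plus a list of findings."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError(f"expected md:EntityDescriptor, got {root.tag}")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is SP metadata or not SAML metadata")

    # Only KeyDescriptors usable for signature verification count. A missing
    # 'use' attribute means the key serves both signing and encryption.
    signing_certs: list[str] = []
    for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use", "signing") == "signing":
            for cert in kd.iter(f"{{{DS}}}X509Certificate"):
                if cert.text and cert.text.strip():
                    signing_certs.append(cert.text.strip())

    sso = {
        s.get("Binding"): s.get("Location")
        for s in idp.findall(f"{{{MD}}}SingleSignOnService")
    }
    name_id_formats = [
        n.text.strip() for n in idp.findall(f"{{{MD}}}NameIDFormat") if n.text
    ]

    findings: list[str] = []
    if not signing_certs:
        findings.append("no signing certificate: assertion signatures cannot be verified")
    if HTTP_POST not in sso and HTTP_REDIRECT not in sso:
        findings.append("no HTTP-POST or HTTP-Redirect SingleSignOnService endpoint")
    for binding, location in sso.items():
        if not (location or "").startswith("https://"):
            findings.append(f"SSO endpoint for {binding} is not https: {location}")
    if not any(f.endswith("emailAddress") for f in name_id_formats):
        findings.append("info: no emailAddress NameID format advertised; confirm what the IdP sends as NameID")

    return {
        "entity_id": root.get("entityID"),
        "signing_certs": signing_certs,
        "sso": sso,
        "name_id_formats": name_id_formats,
        "findings": findings,
    }


if __name__ == "__main__":
    report = inspect_idp_metadata(SAMPLE_METADATA)
    print(report["entity_id"], report["sso"])
    print(report["findings"] or "no findings")
```

The certificate check matters most: Retool verifies assertion signatures against the X509Certificate in this document, so metadata that only carries an encryption key, or an empty certificate element, leaves you with a SAML login that cannot be trusted or that fails on first use.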

SAML_SYNC_GROUP_CLAIMS

Sync Retool group memberships using the retool- prefix with the groups listed in SAML_GROUPS_ATTRIBUTE.

The prefix is not shown in the Retool interface.

SAML_SYNC_GROUP_CLAIMS=true
Note: When SAML_SYNC_GROUP_CLAIMS=true, users are removed from any groups that do not have a corresponding IdP group. This includes users assigned to the Admin group. If you enable this setting, test the sign-in flow with a non-admin or test user.

SCIM_AUTH_TOKEN

A secret token shared with your SSO provider to provision user accounts. If you use Retool Spaces, this token only applies to the admin Space.

SCIM_AUTH_TOKEN=token

SCIM_LOG_FULL_REQUESTS

Log full SCIM requests to the Retool API container logs. These payloads contain user attributes from your IdP, so enable this only while debugging provisioning and turn it off afterwards.

SCIM_LOG_FULL_REQUESTS=true

SENDING_INVITES_WITH_EMAIL_DISABLED

Allow user invites without contacting Retool's user invitation server. You must enable this for an air-gapped deployment.

SENDING_INVITES_WITH_EMAIL_DISABLED=true

TRIGGER_OAUTH_2_SSO_LOGIN_AUTOMATICALLY

Automatically start the OAuth 2.0 SSO login flow when users navigate to your Retool instance.

Use either TRIGGER_OAUTH_2_SSO_LOGIN_AUTOMATICALLY or TRIGGER_SAML_LOGIN_AUTOMATICALLY; you cannot enable both.

TRIGGER_OAUTH_2_SSO_LOGIN_AUTOMATICALLY=true
TRIGGER_SAML_LOGIN_AUTOMATICALLY=false

TRIGGER_SAML_LOGIN_AUTOMATICALLY

Automatically start the SAML SSO login flow when users navigate to your Retool instance.

Use either TRIGGER_SAML_LOGIN_AUTOMATICALLY or TRIGGER_OAUTH_2_SSO_LOGIN_AUTOMATICALLY; you cannot enable both.

TRIGGER_OAUTH_2_SSO_LOGIN_AUTOMATICALLY=false
TRIGGER_SAML_LOGIN_AUTOMATICALLY=true

USE_SHORT_SESSIONS

Restrict session length to 12 hours. If unset, default session length is one week.

USE_SHORT_SESSIONS=true
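Several of the variables on this page interact, or are safe only in one state: the two TRIGGER_* flags are mutually exclusive, LDAP_ROLE_MAPPING_DISABLED turns a mapping into a dry run, SCIM_LOG_FULL_REQUESTS writes provisioning payloads to logs, and JWT_SECRET and SCIM_AUTH_TOKEN are shared secrets that should never be short or guessable. The following Python is an added example, not Retool tooling, that reads a .env file and flags those conditions. Every check follows a description above; the 32-character minimum for secrets is this example's own assumption, and SAMPLE_ENV is a constructed file built from the page's placeholder values, most of which deliberately fail.

```python
"""Lint a Self-hosted Retool authentication .env for risky settings.

Added example, not Retool tooling. Each check follows a variable description
on this page; the minimum secret length is this example's own assumption,
and the sample .env is constructed from the page's placeholder values.
"""
from urllib.parse import urlparse

MIN_SECRET_LEN = 32  # assumption: 32+ characters of CSPRNG output for shared secrets
TRUE_VALUES = {"true", "1", "yes"}

SAMPLE_ENV = """
# constructed sample; values are the page's placeholders, most of them weak on purpose
CLIENT_ID=1234567890-abcd.apps.googleusercontent.com
CLIENT_SECRET=1234567890-abcd.apps.googleusercontent.com
JWT_SECRET=676765765327645bvbfgbsfhfbgr
SCIM_AUTH_TOKEN=token
SCIM_LOG_FULL_REQUESTS=true
LDAP_SERVER_URL="ldap://ldap.google.com:389"
LDAP_ROLE_MAPPING="retool-admins -> admin, support -> Support"
LDAP_ROLE_MAPPING_DISABLED=true
CUSTOM_LOGOUT_REDIRECT=http://example.com/logout/success
TRIGGER_OAUTH_2_SSO_LOGIN_AUTOMATICALLY=true
TRIGGER_SAML_LOGIN_AUTOMATICALLY=true
"""


def parse_env(text: str) -> dict[str, str]:
    """Minimal KEY=VALUE parser; skips comments and strips one layer of quotes."""
    env: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env


def is_true(env: dict[str, str], key: str) -> bool:
    return env.get(key, "").strip().lower() in TRUE_VALUES


def lint_auth_env(env: dict[str, str]) -> list[str]:
    findings: list[str] = []

    # Shared secrets: JWT_SECRET signs backend sessions, SCIM_AUTH_TOKEN lets the IdP provision users.
    for key in ("JWT_SECRET", "SCIM_AUTH_TOKEN", "CLIENT_SECRET"):
        value = env.get(key)
        if value is not None and len(value) < MIN_SECRET_LEN:
            findings.append(f"{key}: under {MIN_SECRET_LEN} chars; generate with a CSPRNG (e.g. openssl rand -hex 32)")
    if env.get("CLIENT_SECRET") and env.get("CLIENT_SECRET") == env.get("CLIENT_ID"):
        findings.append("CLIENT_SECRET: identical to CLIENT_ID, which is a public identifier, not a secret")

    # Only one auto-trigger flag may be enabled.
    if is_true(env, "TRIGGER_OAUTH_2_SSO_LOGIN_AUTOMATICALLY") and is_true(env, "TRIGGER_SAML_LOGIN_AUTOMATICALLY"):
        findings.append("TRIGGER_OAUTH_2_SSO_LOGIN_AUTOMATICALLY and TRIGGER_SAML_LOGIN_AUTOMATICALLY: both true; only one is allowed")

    # Endpoints that carry tokens or redirect users must use TLS.
    for key in ("CUSTOM_LOGOUT_REDIRECT", "CUSTOM_OAUTH2_SSO_USERINFO_URL"):
        value = env.get(key)
        if value and urlparse(value).scheme != "https":
            findings.append(f"{key}: scheme is not https ({value})")
    ldap_url = env.get("LDAP_SERVER_URL")
    if ldap_url and not ldap_url.startswith("ldaps://"):
        findings.append(f"LDAP_SERVER_URL: expected ldaps:// for Google Secure LDAP, got {ldap_url}")

    # Settings that are fine while debugging but not in steady state.
    if is_true(env, "SCIM_LOG_FULL_REQUESTS"):
        findings.append("SCIM_LOG_FULL_REQUESTS=true: full provisioning payloads (user PII) are written to container logs")
    if env.get("LDAP_ROLE_MAPPING") and is_true(env, "LDAP_ROLE_MAPPING_DISABLED"):
        findings.append("LDAP_ROLE_MAPPING_DISABLED=true: group mapping is only logged, not applied (dry-run mode)")

    # Informational: password login and long sessions.
    if not (is_true(env, "DISABLE_USER_PASS_LOGIN") or env.get("RESTRICTED_DOMAIN")):
        findings.append("info: username/password login still enabled (no DISABLE_USER_PASS_LOGIN or RESTRICTED_DOMAIN)")
    if not is_true(env, "USE_SHORT_SESSIONS"):
        findings.append("info: USE_SHORT_SESSIONS not set; sessions last one week instead of 12 hours")
    return findings


if __name__ == "__main__":
    for finding in lint_auth_env(parse_env(SAMPLE_ENV)):
        print(finding)
```

Run it against the real .env on the host (not a copy pasted into a ticket, since it contains secrets) and treat everything other than the info lines as a blocker before exposing the instance to users.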