General environment variables
Reference documentation for general environment variables.
General environment variables available for use with Self-hosted Retool deployments.
Only configure environment variables when needed. You can configure many environment variables from your organization's Settings rather than directly editing your deployment's configuration file.
You must restart your instance after setting any variables for them to take effect.
ADMIN_API_ACCESS_TOKEN
If non-empty, Retool creates an API access token with the provided string value. Requires ADMIN_USER_EMAIL to be set to a valid email address of an admin user.
ADMIN_API_ACCESS_TOKEN=token
ADMIN_API_ACCESS_TOKEN_SCOPES
Comma-separated list of scopes to be assigned to the API access token created using ADMIN_API_ACCESS_TOKEN env variable.
ADMIN_API_ACCESS_TOKEN_SCOPES=source_control:read,source_control:write,groups:read,groups:write,spaces:read,spaces:write,folders:read,folders:write,permissions:all:read,permissions:all:write
ADMIN_USER_EMAIL
If non-empty, Retool creates an admin user with the provided email in the Admin Space.
ADMIN_USER_EMAIL=admin@example.com
ALLOW_SAME_ORIGIN_OPTION
Whether to use allow-same-origin for iframes and custom components. If this is not true, custom components are heavily restricted in their behavior. Refer to the configure same-origin and sandbox guide to learn more.
Default value is false.
ALLOW_SAME_ORIGIN_OPTION=false
API_CALLS_PER_MINUTE
Retool uses a point system for rate limiting where endpoint requests cost a certain number of points. The default is 300 points in a 60 second window. If you exceed this, Retool blocks any subsequent API calls for 60 seconds. You can increase the number of points with the API_CALLS_PER_MIN environment variable.
Default value is 300.
API_CALLS_PER_MINUTE=300
BASE_DOMAIN
The full URL of your Retool deployment for user invitations and password resets. This also needs to be set if you dynamically set callback URLs on protected resources.
BASE_DOMAIN=retool.example.com
CREATE_FIRST_ORG
If set to true, Retool automatically creates the first organization on the instance. This is useful for automated provisioning of Retool instances.
Default value is false.
CREATE_FIRST_ORG=true
CUSTOM_RETOOL_SANDBOX_RESTRICTIONS
The JavaScript sandbox restrictions to allow. Specify space-separated values for multiple restrictions. Only configure custom sandbox restrictions if you are comfortable with the security implications.
CUSTOM_RETOOL_SANDBOX_RESTRICTIONS=allow-downloads
DEBUG=1
DISABLE_IMAGE_PROXY
Whether to disable the proxy used for publicly embedded apps.
Default value is false.
DISABLE_IMAGE_PROXY=true
DISABLE_INTERCOM
Disable Retool's support widget in the frontend. Refer to the Retool Support page to learn how to contact Retool.
Default value is false.
DISABLE_INTERCOM=true
DISABLE_MEMORY_AND_CPU_USAGE_LOGGING
Whether to disable logging of memory and CPU usage.
Default value is false.
DISABLE_MEMORY_AND_CPU_USAGE_LOGGING=true
DISABLE_PUBLIC_PAGES
Whether to disable public access to Retool apps. If set to true, also set DISABLE_IMAGE_PROXY to true to fully disable public access.
Default value is false.
DISABLE_PUBLIC_PAGES=true
DOMAINS
The domains to use for EntityID in SAML requests and obtaining SSL certificates when setting up HTTPS.
DOMAINS=retool.your-domain.com -> http://api:3000
HIDE_PROD_AND_STAGING_TOGGLES
Whether to hide the Production and Staging toggles in the Retool interface.
Default value is false.
HIDE_PROD_AND_STAGING_TOGGLES=true
HOST_HEADER_NAME
Retool backend expects Host header to contain the host used in the original request. This is important for Spaces to work properly. If your self-hosted instance has a proxy or load-balancer in front of the Retool backend, you can specify a different header that contains the original host.
Default value is HOST_HEADER_NAME.
HOST_HEADER_NAME=x-forwarded-host
HTML_ESCAPE_RETOOL_EXPRESSIONS
Whether to escape HTML in {{ }} expressions. If set to true, all HTML in expressions is escaped.
Default value is false.
HTML_ESCAPE_RETOOL_EXPRESSIONS=true
HTTP_PROXY=http://proxy.example.com:8080
LICENSE_KEY=key_1234567890
NO_PROXY=localhost,*.service.company
NODE_TLS_REJECT_UNAUTHORIZED
Whether to reject unauthorized TLS certificates. This setting is insecure and not recommended for production instances
NODE_TLS_REJECT_UNAUTHORIZED=0
NUM_WORKERS
The number of worker threads for the api container. The default value is Math.min(Math.max(1, numCPUs), 3), where numCPUs is the number of logical CPU cores on the machine determined by Node.js.
NUM_WORKERS=4
RETOOL_ENVIRONMENT
The environment for SCIM provisioning and Source Control alerts.
Default value is production.
RETOOL_ENVIRONMENT=production
RETOOL_EXPOSED_{NAME}
Use the RETOOL_EXPOSED_ prefix to store secrets that you can use when configuring resources. Only underscores and alphanumeric characters are supported.
RETOOL_EXPOSED_{NAME}=RETOOL_EXPOSED_DB_USERNAME=db_user
SANDBOX_DOMAIN=https://not-your-primary-domain.com
SERVICE_TYPE
Comma-separated list of Retool services to run within a container. If unset, all services run in the same container.
SERVICE_TYPE=MAIN_BACKEND,JOBS_RUNNER
USAGE_API_TOKEN
The access token to enable Usage Analytics. Please reach out to your Retool account manager to obtain this token.
USAGE_API_TOKEN=accessToken