Security environment variables
Reference documentation for security-related environment variables.
| Self-hosted Retool Availability | |||
|---|---|---|---|
| Self-hosted Edge | Generally Available | ||
| Self-hosted Stable | Generally Available | ||
Self-hosted Retool is available on an Enterprise plan only.
Use these security environment variables with your Self-hosted Retool deployment.
Only configure environment variables when needed. You can configure many environment variables from your organization's Settings rather than directly editing your deployment's configuration file.
You must restart your instance after setting any variables for them to take effect.
ENABLE_CLIENT_SIDE_CUSTOM_AUTH_BROWSER_CALLS
Whether to allow custom authentication steps for resources that make REST API calls directly from the browser. If true, these requests include all browser credentials, even cross-origin calls.
| Type | boolean |
| Configurability | Update the deployment's configuration file. |
| Required | Optional |
| Default | false |
Examples
ENABLE_CLIENT_SIDE_CUSTOM_AUTH_BROWSER_CALLS=true
ENCRYPTION_KEY
The encryption key used to encrypt data stored in the PostgreSQL database (e.g., database credentials, SSH keys, etc). If you change this key, you will lose access to all resources that were created before the change.
| Type | string |
| Format | Plain Text |
| Configurability | Update the deployment's configuration file. |
| Required | Optional |
| Default | null |
Examples
ENCRYPTION_KEY=key
SCOPED_SECRETS
Whether to restrict secrets using naming enforcement. When enabled, use the naming convention scoped__resources__<folder>__<secret> to restrict secrets to specific resources and folders. For example, scoped__resources__folder1__secret1 restricts secret1 to resources within folder1.
| Type | boolean |
| Configurability | Update the deployment's configuration file. |
| Required | Optional |
| Default | false |
Examples
SCOPED_SECRETS=true
USE_GCM_ENCRYPTION
Whether to use AES-192-GCM authenticated encryption method instead of AES-192-CBC. If set to true, you must also set ENCRYPTION_KEY.
| Type | boolean |
| Configurability | Update the deployment's configuration file. |
| Required | Optional |
| Default | false |
Examples
USE_GCM_ENCRYPTION=true