Skip to main content
RapidDev - Software Development Agency
retool-integrationsRetool Native Resource

How to Integrate Retool with Firebase

Connect Retool to Firebase using the native Firebase Resource, authenticated with a Google service account JSON key. A single Resource covers Firestore, Realtime Database, and Firebase Auth simultaneously — you choose which service to target per query. This makes Retool an ideal admin panel for Firebase-backed apps: manage users, query Firestore documents, and read Realtime Database nodes all from one Retool interface.

What you'll learn

  • How to create a Google service account and configure Retool's native Firebase Resource
  • How to query Firestore collections and documents using Retool's query editor
  • How to build a Firebase Auth user management panel with search, disable, and delete capabilities
  • How to read and write Realtime Database nodes from Retool
  • Why Retool bypasses Firestore security rules and what that means for access control
Book a free consultation
4.9Clutch rating
600+Happy partners
17+Countries served
190+Team members
Intermediate14 min read20 minutesDatabaseLast updated April 2026RapidDev Engineering Team
TL;DR

Connect Retool to Firebase using the native Firebase Resource, authenticated with a Google service account JSON key. A single Resource covers Firestore, Realtime Database, and Firebase Auth simultaneously — you choose which service to target per query. This makes Retool an ideal admin panel for Firebase-backed apps: manage users, query Firestore documents, and read Realtime Database nodes all from one Retool interface.

Quick facts about this guide
FactValue
ToolFirebase
CategoryDatabase
MethodRetool Native Resource
DifficultyIntermediate
Time required20 minutes
Last updatedApril 2026

Why connect Retool to Firebase?

Firebase provides strong client-side SDKs, but administrative operations on Firebase data — bulk-editing Firestore documents, managing hundreds of Auth users, auditing Realtime Database state — require either writing custom admin scripts or using Firebase's limited console UI. Retool fills this gap by providing a visual admin interface backed by the Firebase Admin SDK, with no custom code required for most CRUD operations.

The most common Retool-Firebase use case is a user management panel. Firebase Auth's built-in console shows users in paginated lists but offers no bulk operations, no custom filtering by metadata, and no way to see user data alongside related Firestore documents. In Retool, you can build a panel that searches users by email, shows their associated Firestore profile data, disables or re-enables accounts in bulk, and updates custom claims — all in a single interface.

A critical architectural detail: Retool's Firebase Resource uses the Firebase Admin SDK through your service account, which bypasses Firestore security rules entirely. This is by design for an admin tool — it means Retool has full read/write access to all collections regardless of your security rules. This is powerful for internal tools but requires careful access control on the Retool side (restricting which team members can use Firebase-connected apps) to prevent accidental data modification.

Integration method

Retool Native Resource

Retool's native Firebase Resource connects via a Google service account JSON key and provides access to Firestore, Realtime Database, and Firebase Auth through a single configured resource. Each query selects which Firebase service to target and what operation to perform, without requiring separate resources per service. All operations run through Retool's server-side proxy using the Firebase Admin SDK, bypassing Firestore security rules entirely — giving Retool full administrative access to your Firebase project.

Prerequisites

  • A Firebase project with Firestore, Realtime Database, or Authentication enabled
  • Owner or Editor role on the Firebase project (needed to create service accounts)
  • Access to Google Cloud Console to create and download a service account key
  • A Retool account with Resource creation permissions
  • Understanding that the service account bypasses Firestore security rules — configure Retool app-level access controls accordingly

Step-by-step guide

1

Create a Google service account and download the JSON key

To authenticate Retool with Firebase as an admin client, you need a Google service account with Firebase Admin SDK access. Navigate to the Google Cloud Console (console.cloud.google.com) and select your Firebase project from the project picker at the top. Go to IAM & Admin → Service Accounts. Click Create Service Account. Give it a descriptive name like retool-admin or retool-firebase-integration and optionally add a description. Click Create and Continue. On the permissions step, assign the role Firebase Admin SDK Administrator Service Agent — this role grants full Firebase Admin SDK access. Alternatively, you can use the Firebase Admin SDK Access role for a slightly more restricted but still full-admin access. Click Done. The service account now appears in the list. Click the three-dot menu on the new service account and select Manage Keys. Click Add Key → Create new key. Select JSON format and click Create. Google downloads a JSON file to your computer — this file contains the service account credentials including the private key. Store this file securely; you will paste its entire contents into Retool. Never commit this JSON file to version control or share it publicly — it grants full administrative access to your Firebase project.

Pro tip: You can also create service accounts directly from the Firebase console under Project Settings → Service Accounts → Generate new private key, which is slightly faster and automatically assigns the correct Firebase Admin SDK role.

Expected result: You have a downloaded JSON file containing the service account credentials, including the project_id, private_key, client_email, and other fields required by Retool.

2

Configure the Firebase Resource in Retool

In Retool, navigate to the Resources tab and click Add Resource. Search for or scroll to Firebase in the resource type list and click it. Give the resource a name like Firebase Production. In the Authentication section, Retool asks for the Firebase service account JSON. Open the downloaded JSON key file in a text editor. Copy the entire JSON content — the full object including the opening and closing curly braces. Paste it into the Service Account Key field in Retool's resource configuration. Retool parses the JSON and displays the project ID and service account email it extracted, confirming the format is correct. If your Firebase project uses a specific database URL for Realtime Database access, enter it in the Database URL field — this is typically https://your-project-id-default-rtdb.firebaseio.com (find it in Firebase Console → Realtime Database). This field is only required if you plan to query the Realtime Database; Firestore and Auth queries work without it. Click Save and Retool tests the connection. A successful connection shows a green Connected status and the Firebase project ID.

Pro tip: If you have both a production and a staging Firebase project, create two separate Firebase Resources in Retool with descriptive names. This prevents accidentally running admin operations on the wrong project.

Expected result: The Firebase Resource appears in your Resources list with a Connected status showing your Firebase project ID. You are ready to create queries against Firestore, Realtime Database, and Firebase Auth.

3

Query Firebase Auth to list and manage users

Create a new query in the Code panel, select your Firebase resource, and set the Service to Firebase Auth from the service dropdown. Select the Action List users. Set the Max results to 1000 (the maximum Auth allows per page) and leave the Page token blank for the first page. Run the query. The response contains a users array of user records, each with uid, email, displayName, emailVerified, disabled, providerData, creationTime, and lastSignInTime fields. Apply a transformer to flatten and format the user records for a Table component. Create a second query targeting Firebase Auth with Action Get user — reference {{ table1.selectedRow.uid }} as the UID to fetch detailed information about a selected user. Create a third query with Action Update user to modify user properties. Set the UID to {{ table1.selectedRow.uid }} and set Disabled to {{ disableToggle.value }} to let operators toggle account status. Wire this query to a Toggle component or a button's onClick event handler. For the delete action, create a fourth query with Action Delete user and require a confirmation modal before executing — accidental user deletions in Firebase Auth are not reversible without a backup.

auth_users_transformer.js
1// Firebase Auth transformer — flatten user records for Table binding
2const users = data.users || [];
3return users.map(user => ({
4 uid: user.uid,
5 email: user.email || '(no email)',
6 display_name: user.displayName || '',
7 email_verified: user.emailVerified ? 'Yes' : 'No',
8 status: user.disabled ? 'Disabled' : 'Active',
9 provider: (user.providerData || []).map(p => p.providerId).join(', ') || 'unknown',
10 created: user.metadata?.creationTime
11 ? new Date(user.metadata.creationTime).toLocaleDateString()
12 : '',
13 last_sign_in: user.metadata?.lastSignInTime
14 ? new Date(user.metadata.lastSignInTime).toLocaleDateString()
15 : 'Never'
16}));

Pro tip: Firebase Auth's List Users API returns up to 1000 users per page. For apps with more than 1000 users, use the pageToken from the response to implement pagination — store it in a Retool variable and pass it to the next List Users query.

Expected result: A table of Firebase Auth users displays with columns for email, display name, verification status, account status, sign-in provider, and dates. You can select rows to view details and trigger enable/disable actions.

4

Query Firestore collections and documents

Create a new query, select your Firebase resource, and set the Service to Firestore. Select the Action Get collection. In the Collection path field, enter the name of your Firestore collection (e.g., users, posts, or orders). Firestore also supports subcollections — enter the full path like users/userId/orders. Optionally, add Filter conditions in the query editor to filter documents: set a field name (e.g., status), operator (e.g., ==), and value (e.g., pending). You can add multiple filter conditions. Run the query. Firestore returns an array of documents, each with an id field and the document's field values merged at the top level — unlike raw Firestore SDK responses, Retool's connector flattens document data for you. Apply a transformer to format date fields (Firestore Timestamps are returned as objects with seconds and nanoseconds) and any nested objects. For write operations, create a separate query with Action Update document, set the Document path to the full document path (e.g., users/{{ table1.selectedRow.id }}), and provide the updated fields as a JSON object. For creating new documents, use Action Create document and either specify a document ID or leave it blank for Firestore to auto-generate one.

firestore_transformer.js
1// Firestore transformer — format timestamps and flatten nested fields
2const docs = data || [];
3return docs.map(doc => ({
4 id: doc.id,
5 // Access document fields directly (Retool flattens them)
6 email: doc.email || '',
7 status: doc.status || '',
8 name: doc.name || doc.displayName || '',
9 // Convert Firestore Timestamps (returned as objects with _seconds)
10 created_at: doc.createdAt?._seconds
11 ? new Date(doc.createdAt._seconds * 1000).toLocaleDateString()
12 : doc.createdAt || '',
13 updated_at: doc.updatedAt?._seconds
14 ? new Date(doc.updatedAt._seconds * 1000).toLocaleDateString()
15 : doc.updatedAt || ''
16}));

Pro tip: Firestore's native querying is limited — you cannot query across multiple fields without a composite index, and inequality filters have restrictions. For complex filtering requirements, fetch a broader dataset and filter in a Retool JavaScript transformer instead.

Expected result: A Firestore collection is queried and returns document data. The transformer formats timestamps correctly and flattens any nested objects, making the data ready to bind to Table components.

5

Build a unified user management panel

Combine Firebase Auth and Firestore queries into a unified user management panel. The panel has three sections: a search bar at the top, a user list table in the center, and a user detail panel on the right. The search bar filters users by email using a JavaScript query that calls the Get user by email action from Firebase Auth. The main table shows Auth user data from the listUsers query. When a user row is selected, a second Firestore query runs using {{ table1.selectedRow.uid }} as the document path to fetch the user's Firestore profile document — this shows application-level data like subscription status, usage statistics, or onboarding completion. The detail panel on the right shows a Form with the user's profile data and a Save Changes button that triggers an Update document Firestore query. Add action buttons in the Table toolbar for Disable Account (Firebase Auth Update user with disabled: true) and Delete Account (with a Confirm modal). Configure event handlers on the disable and delete queries to refresh the user list and show success notifications. This pattern — Auth for identity management combined with Firestore for profile data — covers the most common Firebase admin use case. For teams building complex Firebase admin tooling across multiple collections with custom business logic, RapidDev's team can help architect the full Retool solution.

Pro tip: Use Retool's Permissions system to restrict which team members can access the Firebase Resource. Since the service account bypasses Firestore security rules, the Retool app itself is your access control layer.

Expected result: A complete Firebase user management panel allows operators to search users, view their Auth and Firestore profile data side by side, and take administrative actions — all from one Retool interface.

Common use cases

Firebase Auth user management panel

Build a Retool panel for operations teams to manage Firebase Auth users: search by email, view account status (enabled/disabled, email verified), see when accounts were created and last used, disable or delete accounts, and update custom claims that control app-level permissions. This replaces navigating Firebase's console for routine user operations.

Retool Prompt

Build a Retool user management panel that lists Firebase Auth users in a Table with columns for email, display name, account status, email verified, creation date, and last sign-in. Include a search input that filters by email. Add action buttons to disable/enable and delete selected users.

Copy this prompt to try it in Retool

Firestore content review and moderation tool

Create a Retool moderation dashboard that queries a Firestore collection of user-generated content (posts, comments, reviews) and lets moderators approve, reject, or flag items. The Table shows the content with a status column, and action buttons update the Firestore document's status field. Filters let moderators focus on pending items queued for review.

Retool Prompt

Build a Retool content moderation tool that reads from a Firestore 'posts' collection, shows posts with status 'pending_review' in a Table with the post content and author metadata, and includes Approve and Reject buttons that update the post's status field in Firestore.

Copy this prompt to try it in Retool

Realtime Database monitoring dashboard

Build a Retool monitoring panel that reads nodes from your Firebase Realtime Database — for example, a queue of background jobs, sensor readings, or game state — and displays the current state in real time. Operations teams can inspect current values, manually set nodes to specific values for debugging, and delete stale entries without writing Firebase Admin SDK scripts.

Retool Prompt

Build a Retool monitoring panel that reads a Firebase Realtime Database path /jobs/queue and displays the current queue entries in a Table showing job ID, status, and created timestamp. Include a Delete button to remove completed jobs and an input to manually set a job's status.

Copy this prompt to try it in Retool

Troubleshooting

Resource shows 'Error parsing service account JSON' when saving

Cause: The service account JSON was not pasted correctly — it may be missing characters, contain extra whitespace, or have been partially copied.

Solution: Open the downloaded JSON key file in a code editor and select all (Ctrl/Cmd + A), then copy and paste into the Retool field. Ensure the pasted content starts with { and ends with } and contains the private_key field. Do not manually edit the JSON or add line breaks.

Firestore query returns an empty array even though documents exist

Cause: The Collection path may contain a typo, a leading slash, or reference a subcollection incorrectly. Firestore collection paths are case-sensitive.

Solution: Verify the collection name exactly as it appears in the Firebase Console. Collection paths should not have a leading slash — use users not /users. For subcollections, use the full path format: users/uid123/orders. Test by querying the collection without any filters first to confirm the path is correct.

Firebase Auth List Users only returns the first 1000 users and stops

Cause: Firebase Auth's List Users API has a hard maximum of 1000 users per request. Apps with more than 1000 users require pagination using the pageToken from each response.

Solution: After the first query, check if the response contains a pageToken field. Store it in a Retool State variable. For the next page, pass this token as the Page token in a second List Users query. Repeat until the response has no pageToken, indicating the last page.

typescript
1// Store page token for pagination
2// In a JavaScript query after listUsers runs:
3const token = listUsers.data.pageToken || null;
4retoolState.setValue({ pageToken: token });

'The caller does not have permission' error on Firestore or Auth queries

Cause: The service account does not have the required Firebase Admin SDK role, or the service account belongs to a different Google Cloud project than the Firebase project.

Solution: In Google Cloud Console → IAM & Admin → IAM, find the service account email and confirm it has the Firebase Admin SDK Administrator Service Agent role. Also verify the service account's project_id in the JSON key matches your Firebase project ID — service accounts cannot be used across projects.

Best practices

  • Store the service account JSON in a Retool configuration variable marked as secret rather than pasting it directly into the resource — this enables credential rotation without editing the resource configuration.
  • Create a dedicated service account for Retool with a descriptive name and audit its usage in Google Cloud's Audit Logs — this makes it easy to track which operations came from Retool.
  • Require confirmation modals for all destructive operations (delete user, delete document) since Firebase Admin SDK operations are not easily reversible without backups.
  • Use Retool's app-level access controls to restrict which users can access Firebase-connected apps — since the service account bypasses Firestore security rules, Retool access control is your only protection.
  • For paginated Firebase Auth user lists (over 1000 users), implement pagination using Retool State variables to store and pass pageToken values between queries.
  • Apply JavaScript transformers to convert Firestore Timestamps (objects with _seconds and _nanoseconds) to human-readable dates before binding to Table components.
  • For scheduled Firebase maintenance tasks (archiving old documents, sending batch notifications), use Retool Workflows instead of app-layer queries — Workflows run server-side with retry logic and do not require a user to be logged in.
  • Test all Firebase queries against a Firebase Emulator Suite or a dedicated staging project before running against production — the Admin SDK bypass of security rules means mistakes affect all data.

Alternatives

Frequently asked questions

Does Retool's Firebase Resource bypass Firestore security rules?

Yes. Retool uses the Firebase Admin SDK through your service account, which has full administrative privileges and bypasses all Firestore security rules. This is intentional for an admin tool — it means Retool can read and write any document in any collection regardless of the rules you have configured for client-side access. This makes Retool powerful for admin operations but means you should carefully control which team members can access Retool apps connected to Firebase.

Can I query Firestore subcollections in Retool?

Yes. Enter the full subcollection path in the Collection path field using the format parentCollection/documentId/subcollection — for example, users/uid123/orders. For collection group queries (querying a subcollection across all parent documents), you will need to use the Firebase Admin SDK directly via a REST API query to the Firestore REST endpoint, as Retool's native connector may not expose collection group queries in its UI.

Can I use Retool with both Firebase Firestore and Realtime Database in the same app?

Yes. A single Firebase Resource in Retool covers both services. When creating a query, you select which service to use (Firestore or Realtime Database) via the Service dropdown. You can have multiple queries in the same Retool app targeting different services through the same Resource. No additional configuration is needed beyond ensuring the Database URL is set in the resource for Realtime Database queries.

How do I handle Firebase Auth custom claims in Retool?

Custom claims appear in the Firebase Auth user record under the customClaims field when you use the Get user or List users action. To update custom claims, use the Update user action and set the Custom claims field to a JSON object — for example, {admin: true, role: 'editor'}. Custom claim updates take effect the next time the user's ID token is refreshed. Be aware that custom claims are limited to 1000 bytes total per user.

Can I trigger Firebase Cloud Functions from Retool?

Yes, but not through the Firebase native Resource — Cloud Functions are triggered via HTTP endpoints. Create a REST API Resource in Retool pointing to your Firebase Function's HTTP trigger URL, and authenticate using the same service account by generating a signed JWT or using Firebase's identity verification. For callable functions, use their HTTPS endpoint and pass the required auth headers.

RapidDev

Talk to an Expert

Our team has built 600+ apps. Get personalized help with your project.

Book a free consultation

Integrations are where projects stall

We wire Retool integrations like this one every week — auth, webhooks, edge cases included. Fixed-price builds from $13K, delivered in 6–10 weeks.

Talk to an integration engineer

We put the rapid in RapidDev

Need a dedicated strategic tech and growth partner? Discover what RapidDev can do for your business! Book a call with our team to schedule a free, no-obligation consultation. We'll discuss your project and provide a custom quote at no cost.