Skip to main content
RapidDev - Software Development Agency
retool-integrationsRetool Native Resource

How to Integrate Retool with Microsoft SQL Server

Connect Retool to Microsoft SQL Server using Retool's native SQL Server connector. Enter your server host, port, database name, and credentials — including Windows Authentication for on-premises instances or Azure Active Directory for Azure SQL. Once connected, write T-SQL queries directly in Retool's query editor, use GUI mode for safe write operations, and build internal dashboards on top of your SQL Server data without exposing the database to the internet.

What you'll learn

  • How to configure Retool's SQL Server resource with SQL authentication, Windows Authentication, or Azure AD credentials
  • How to write T-SQL queries in Retool's query editor using dynamic parameters and prepared statements
  • How to use SSH tunneling to connect Retool Cloud to a SQL Server instance behind a corporate firewall
  • How to configure SSL for encrypted connections to Azure SQL or cloud-hosted SQL Server instances
  • How to use GUI mode for safe INSERT, UPDATE, and DELETE operations to prevent accidental data loss
Book a free consultation
4.9Clutch rating
600+Happy partners
17+Countries served
190+Team members
Intermediate15 min read20 minutesDatabaseLast updated April 2026RapidDev Engineering Team
TL;DR

Connect Retool to Microsoft SQL Server using Retool's native SQL Server connector. Enter your server host, port, database name, and credentials — including Windows Authentication for on-premises instances or Azure Active Directory for Azure SQL. Once connected, write T-SQL queries directly in Retool's query editor, use GUI mode for safe write operations, and build internal dashboards on top of your SQL Server data without exposing the database to the internet.

Quick facts about this guide
FactValue
ToolMicrosoft SQL Server
CategoryDatabase
MethodRetool Native Resource
DifficultyIntermediate
Time required20 minutes
Last updatedApril 2026

Connect Retool to SQL Server: Enterprise Databases, Internal Tools

Microsoft SQL Server powers a large portion of enterprise applications — ERP systems, CRM backends, financial platforms, and manufacturing databases. Teams that rely on SQL Server often need internal tools to query, report on, and manage that data, but building custom admin panels from scratch requires significant development effort. Retool eliminates that effort by connecting directly to SQL Server and turning your queries into interactive dashboards in hours rather than weeks.

Retool's native SQL Server connector supports the full range of enterprise authentication options: standard SQL authentication (username and password), Windows Authentication using Kerberos for on-premises Active Directory environments, and Azure Active Directory authentication for Azure SQL Database. It also supports TLS/SSL encryption and SSH tunneling, making it viable for databases inside private networks and firewalled data centers that cannot expose ports directly to the internet.

One critical security feature to understand is Retool's prepared statement support. All SQL queries containing {{ }} parameter expressions are automatically converted to prepared statements, with parameter values passed separately from the query text. This prevents SQL injection from user-supplied values in filter inputs or form fields. You can also enable GUI mode, which restricts write operations to Retool's visual insert/update/delete interface rather than raw SQL — a useful guardrail for less experienced team members building on sensitive production databases.

Integration method

Retool Native Resource

Retool includes a dedicated Microsoft SQL Server connector that handles the TDS (Tabular Data Stream) protocol, Windows Authentication, SSL connections, and SSH tunneling for on-premises instances behind firewalls. You configure host, port, database, and authentication once in the Resources tab, then write T-SQL queries directly in Retool's query editor. Retool proxies all database connections server-side — no direct connection from the browser to your SQL Server instance.

Prerequisites

  • A running Microsoft SQL Server instance (on-premises, Azure SQL, Amazon RDS for SQL Server, or another cloud provider)
  • A SQL Server login with SELECT permissions on the databases you want to query (and INSERT/UPDATE/DELETE for write operations)
  • Network connectivity from Retool's servers to your SQL Server port (default 1433) — either through firewall rules, SSH tunnel, or self-hosted Retool deployment
  • For Retool Cloud: Retool's IP ranges whitelisted in your firewall or SQL Server instance (35.90.103.132/30 and 44.208.168.68/30 for US West)
  • For Azure SQL: the SQL Server firewall rule allowing Retool's IP ranges, or Azure AD authentication configured if using Managed Identity

Step-by-step guide

1

Configure network access for Retool Cloud

Before creating the Retool resource, ensure your SQL Server instance is reachable from Retool's infrastructure. For Retool Cloud connecting to an on-premises SQL Server, you have two main options: whitelist Retool's published IP ranges in your corporate firewall or use SSH tunneling. For IP whitelisting, add the CIDR blocks 35.90.103.132/30 and 44.208.168.68/30 (US West) or the appropriate ranges for your Retool Cloud region to your firewall's allow list for port 1433 (or your custom SQL Server port). For SSH tunneling — the preferred option for sensitive on-premises databases — you will need an SSH bastion host that can reach your SQL Server internally. You configure the SSH host details directly in the Retool resource settings, and Retool will tunnel the SQL Server connection through the SSH host. For Azure SQL Database, navigate to your Azure SQL Server's Networking settings in the Azure portal and add a firewall rule for Retool's IP ranges, or use the 'Allow Azure services and resources to access this server' toggle if Retool Cloud qualifies. For self-hosted Retool deployed in the same VPC as your SQL Server, no IP whitelisting is needed — Retool uses the private network address directly.

Pro tip: Use SSH tunneling rather than direct firewall exposure for production databases — it adds an encryption layer and means only your SSH bastion host needs to be internet-reachable, not the SQL Server port itself.

Expected result: SQL Server port 1433 (or custom port) is accessible from Retool's server IP ranges, or an SSH tunnel configuration is ready. A telnet or nc test from a machine on Retool's network should confirm connectivity.

2

Create the SQL Server resource in Retool

In Retool, navigate to the Resources tab in the left sidebar and click '+ Create new resource'. Scroll through the list and select 'Microsoft SQL Server'. On the configuration screen, enter the following: Name — a descriptive name like 'Production SQL Server' or 'Azure SQL (Orders DB)'. Host — the fully qualified hostname or IP address of your SQL Server instance. For Azure SQL, this looks like your-server.database.windows.net. Port — the SQL Server port, defaulting to 1433. Specify an alternate port if your instance uses one. Database name — the specific database you want to connect to (e.g., OrdersDB). Authentication type — choose SQL Server Authentication for standard username/password login, or Windows Authentication for Kerberos-based AD login (self-hosted Retool only; Cloud does not support Kerberos). Username and Password — your SQL Server login credentials. If using SSL, toggle on 'Use SSL' and upload your certificate if using a self-signed cert. If using an SSH tunnel, toggle on 'Connect via SSH tunnel' and enter the SSH host, SSH user, and paste your SSH private key. Click 'Test connection' to verify. A successful connection shows a green indicator and the SQL Server version string.

Pro tip: Create a dedicated read-only SQL Server login for Retool dashboards and a separate login with write permissions for operational tools. Never use a database admin account (sa) in Retool.

Expected result: The SQL Server resource is saved and shows a green connected status. The test result displays the SQL Server version, confirming Retool can reach the instance and authenticate successfully.

3

Write T-SQL queries in the query editor

Open your Retool app and create a new query in the Code panel. Select your SQL Server resource. The query editor defaults to SQL mode, where you write T-SQL directly. Retool's {{ }} syntax works within SQL queries for dynamic parameterization — these expressions are compiled into prepared statements automatically, preventing SQL injection. Use them for filter values, sort columns, and pagination offsets. T-SQL-specific features work natively: CTEs (WITH clauses), window functions, TOP instead of LIMIT, NOLOCK hints, and stored procedure calls using EXEC. For pagination, T-SQL uses OFFSET-FETCH syntax. For date filtering, use Retool's date component values directly in WHERE clauses with CAST or CONVERT functions if needed. You can also call stored procedures: set the query type to 'Run stored procedure' in the query options and specify the procedure name and parameters. For schema exploration, use SELECT * FROM INFORMATION_SCHEMA.TABLES to list available tables, which is useful when building a data browser tool.

orders-query.sql
1-- T-SQL query with dynamic parameters, pagination, and date filtering
2-- References Retool component values using {{ }} syntax (compiled to prepared statements)
3
4SELECT
5 o.OrderID,
6 o.OrderDate,
7 o.Status,
8 c.CustomerName,
9 c.Email,
10 SUM(oi.Quantity * oi.UnitPrice) AS TotalValue,
11 COUNT(oi.ItemID) AS ItemCount
12FROM Orders o
13INNER JOIN Customers c ON o.CustomerID = c.CustomerID
14INNER JOIN OrderItems oi ON o.OrderID = oi.OrderID
15WHERE
16 o.OrderDate BETWEEN {{ dateRangePicker.start }} AND {{ dateRangePicker.end }}
17 AND o.Status = {{ statusFilter.value }}
18 AND (c.CustomerName LIKE '%' + {{ searchInput.value }} + '%'
19 OR c.Email LIKE '%' + {{ searchInput.value }} + '%')
20GROUP BY o.OrderID, o.OrderDate, o.Status, c.CustomerName, c.Email
21ORDER BY o.OrderDate DESC
22OFFSET {{ (table1.page - 1) * table1.pageSize }} ROWS
23FETCH NEXT {{ table1.pageSize }} ROWS ONLY;

Pro tip: SQL Server's TOP clause does not support OFFSET — use OFFSET-FETCH (SQL Server 2012+) for proper pagination. If targeting older SQL Server versions, use ROW_NUMBER() in a CTE for pagination instead.

Expected result: The query executes successfully and returns rows from your SQL Server database. The results appear in the query editor's response panel as a JSON array, ready to be bound to a Table component.

4

Use GUI mode for safe write operations

Retool's GUI mode provides a visual interface for INSERT, UPDATE, and DELETE operations that is safer for write operations than raw SQL, especially for less experienced users. In the query editor, click the 'GUI' toggle (next to 'SQL' in the query mode tabs). In GUI mode, select the table you want to modify from a dropdown populated by Retool's schema introspection. Choose the operation type: Bulk insert a list, Update by primary key, Bulk update by primary key, Delete by primary key, or Bulk upsert. For an Update operation, the GUI generates a safe parameterized query under the hood — you just map component values to column names. For example, to update an order status from a selected table row: set Table to 'Orders', Operation to 'Update by primary key', set the primary key (OrderID) to {{ table1.selectedRow.id }}, and add a column mapping for Status → {{ statusDropdown.value }}. GUI mode prevents accidental WHERE-less UPDATE/DELETE statements that would modify all rows. Administrators can lock a resource to GUI mode only in the resource settings, preventing anyone from writing raw UPDATE/DELETE SQL.

update-query.sql
1-- Equivalent SQL that Retool GUI mode generates for an Update by primary key
2-- This is shown for reference; in GUI mode you set this up visually
3
4UPDATE Orders
5SET
6 Status = {{ statusDropdown.value }},
7 LastModified = GETDATE(),
8 ModifiedBy = {{ current_user.email }}
9WHERE OrderID = {{ table1.selectedRow.id }};

Pro tip: Even in SQL mode, always include a WHERE clause in UPDATE and DELETE statements. Consider requiring a confirmation modal (Popconfirm component) before running any destructive query.

Expected result: The GUI mode interface shows the target table's columns as a form, with your component bindings mapped to the correct columns. Running the query updates the record and the success handler refreshes the data query.

5

Configure SSL and SSH tunneling for production security

Production SQL Server instances should use encrypted connections. For SSL configuration in Retool: open the SQL Server resource settings, scroll to the SSL section, and toggle on 'Use SSL'. If your SQL Server uses a certificate from a trusted CA (Let's Encrypt, DigiCert, etc.), no additional configuration is needed. If using a self-signed certificate (common in on-premises environments), enable 'Trust server certificate' or upload the CA certificate PEM file. For Azure SQL, SSL is always required and handled automatically. For SSH tunneling: in the resource settings, toggle on 'Connect via SSH tunnel'. Enter the SSH Hostname (the public IP or hostname of your bastion host), the SSH Port (usually 22), and SSH Username (the user Retool will connect as on the bastion). For authentication, paste your SSH private key in PEM format in the SSH Private Key field — never use password-based SSH in production. The bastion host must be able to reach your SQL Server's hostname and port from its network. Retool will create an encrypted SSH tunnel from its backend to the bastion, then connect to SQL Server through that tunnel. Test the connection to confirm both layers work. For complex enterprise SQL Server setups involving Kerberos, Always Encrypted, or multi-subnet failover clusters, RapidDev's team can help architect and build your Retool solution.

Pro tip: Generate a dedicated SSH key pair for Retool's tunnel access. Store the private key in Retool and the public key in ~/.ssh/authorized_keys on the bastion host. Restrict the key to SQL Server port forwarding only using forced commands in authorized_keys.

Expected result: The resource test connection succeeds via the SSH tunnel with SSL encryption. The SQL Server connection string in Retool shows both SSL and tunnel indicators as active.

Common use cases

Build an operations reporting dashboard on ERP data

Your organization's ERP system runs on SQL Server and the reporting module is slow or requires IT involvement for custom queries. A Retool app can connect directly to the SQL Server database, run T-SQL queries against the relevant tables, and display inventory levels, order statuses, and production metrics in real time with filter controls for date range, product line, and location — no report request tickets required.

Retool Prompt

Build an operations dashboard connected to our SQL Server ERP database. Show a Table with open orders filtered by date range and status. Add a Bar Chart showing order volume by product category for the last 30 days. Include filter dropdowns for warehouse location and order status.

Copy this prompt to try it in Retool

Create a customer data management panel

Your CRM backend uses SQL Server and customer service agents need to look up customer records, update contact information, and add internal notes — without full database access. The Retool app provides a search-and-edit interface: agents search by name or email, the Table shows matching records, and a selected-row detail panel allows controlled edits with audit logging via a SQL INSERT to a changes table.

Retool Prompt

Build a customer management panel that queries a SQL Server customers table. Add a search input that filters by name or email using a parameterized WHERE clause. Show customer details in a Form component when a row is selected. Add a Save button that updates the record and inserts an audit log entry.

Copy this prompt to try it in Retool

Monitor SQL Server performance and query slow queries

Database administrators want a live monitor showing active connections, longest-running queries, and table sizes without logging into SSMS on a production server. The Retool app queries SQL Server's dynamic management views (DMVs) to surface blocking queries, index statistics, and wait statistics in a refreshable dashboard that updates every 30 seconds.

Retool Prompt

Build a SQL Server monitoring dashboard that queries sys.dm_exec_requests to show active queries, sys.dm_os_wait_stats for top wait types, and sys.dm_db_index_usage_stats for index utilization. Add a 30-second auto-refresh and a button to kill a selected blocking session.

Copy this prompt to try it in Retool

Troubleshooting

Connection test fails with 'Login failed for user' error

Cause: The SQL Server login credentials are incorrect, the login does not have permission to connect to the specified database, or the database name in the resource configuration does not exist on the server.

Solution: Verify the username and password by connecting directly to SQL Server using SSMS or Azure Data Studio from a machine that can reach the server. Confirm the database name is spelled correctly and that the login has at minimum CONNECT permission on that database. For Azure SQL, the login must exist in the master database and also be mapped to the target database.

Query returns 'Cannot use LIKE with parameters' or parameter binding errors

Cause: SQL Server prepared statements require exact type matching. Wrapping a {{ }} parameter in string concatenation for LIKE queries can conflict with Retool's prepared statement compilation.

Solution: Use SQL Server's CONCAT function or the + operator with explicit CAST/CONVERT for LIKE parameters, or use a SQL Server LIKE pattern that references the parameter directly. Alternatively, pass the wildcard characters as part of the Retool component value itself.

typescript
1-- Option 1: Pass wildcards from component value
2-- searchInput.value = '%john%' (user types search term, wildcards added client-side)
3WHERE CustomerName LIKE {{ searchInput.value }}
4
5-- Option 2: Disable prepared statements for this query (use cautiously)
6-- Advanced tab Disable prepared statements
7-- Then construct the LIKE clause directly:
8WHERE CustomerName LIKE '%' + {{ searchInput.value }} + '%'

Queries time out on large tables or complex joins

Cause: SQL Server queries run against large tables without proper indexes, or complex queries exceed Retool's default query timeout (10 seconds for most operations).

Solution: Increase the query timeout in the query's Advanced settings (up to 600,000ms / 10 minutes on Retool Cloud). Add missing indexes to your SQL Server tables for the columns used in WHERE, JOIN, and ORDER BY clauses. Use SELECT TOP to limit result sets during development. For reporting queries that are inherently slow, consider pre-aggregating data in SQL Server views or scheduled Retool Workflows.

SSH tunnel connection fails with 'Host key verification failed'

Cause: Retool is connecting to the SSH bastion host for the first time and cannot verify the host key, or the bastion host's key has changed (e.g., after a server rebuild).

Solution: In the Retool resource settings, there is an option to trust the SSH host key on first connection. If the key has changed, you may need to remove and re-add the SSH tunnel configuration. Verify the bastion hostname is correct and that it is reachable from Retool's IP ranges.

Best practices

  • Create dedicated SQL Server logins for Retool with minimum required permissions — a read-only login for dashboards (GRANT SELECT) and a separate login with write permissions for operational tools. Never use sa or a database owner account.
  • Enable Retool's prepared statements (the default) for all user-parameterized queries — this is your primary defense against SQL injection when users can influence query values through filter inputs.
  • Use SQL Server's row-level security or view-based access control to restrict what data the Retool login can see, rather than relying solely on Retool's access controls — defense in depth for sensitive data.
  • For Retool Cloud connecting to on-premises SQL Server, prefer SSH tunneling over direct firewall port exposure — the tunnel encrypts the connection and limits the attack surface to a single bastion host.
  • Enable SSL/TLS for all SQL Server connections, especially for Azure SQL or any cloud-hosted instance — set 'Encrypt connection' to true in the resource settings.
  • Use Retool's GUI mode for INSERT, UPDATE, and DELETE operations on production databases, and consider restricting the resource to GUI mode only for less experienced builders to prevent accidental mass updates.
  • Schedule expensive reporting queries using Retool Workflows rather than running them synchronously in app queries — cache results in Retool Database and display the cached data for better performance and reduced database load.

Alternatives

Frequently asked questions

Does Retool support Windows Authentication (Kerberos) for SQL Server?

Windows Authentication is supported for self-hosted Retool deployments where the Retool server is joined to the same Active Directory domain as the SQL Server instance. It is not available for Retool Cloud because Retool's cloud infrastructure is not part of your AD domain. For cloud-hosted Retool accessing a SQL Server in a corporate AD environment, use SQL Server Authentication with a dedicated service account, or migrate to Azure SQL with Azure Active Directory authentication.

Can I call SQL Server stored procedures from Retool?

Yes. In the query editor, use the EXEC statement in SQL mode: EXEC dbo.GetOrderSummary @StartDate = {{ dateRange.start }}, @EndDate = {{ dateRange.end }}. Stored procedures that return result sets work the same as SELECT queries — Retool captures the output and makes it available as query.data. For stored procedures with OUTPUT parameters, use a wrapper query that captures the output into a temp table and selects from it.

How do I connect Retool to Azure SQL Database?

Azure SQL uses the same SQL Server connector in Retool. Set the Host to your-server.database.windows.net, Port to 1433, and enable SSL (Azure SQL requires it). For authentication, use SQL Server Authentication with an Azure SQL login, or configure Azure Active Directory authentication. In the Azure portal, add Retool's IP ranges to the SQL Server firewall rules under Networking settings.

What is the maximum query result size Retool can handle from SQL Server?

Retool Cloud caps query results at approximately 100 MB. For large datasets, use pagination in your T-SQL queries with OFFSET-FETCH, limit result sets to the columns and rows you actually need to display, and avoid SELECT * on wide tables. For reports requiring very large datasets, pre-aggregate in a SQL Server view or materialized result table and query the summary data instead.

Can Retool display data from multiple SQL Server databases in the same app?

Yes, by creating multiple SQL Server resources — one per database connection. Each query targets a specific resource, so a single Retool app can simultaneously display data from your orders database, customer database, and analytics database. You can join data across resources using JavaScript transformers that merge the query results in memory. For cross-database queries on the same server, you can also use SQL Server's three-part naming (DatabaseName.SchemaName.TableName) in a single query.

RapidDev

Talk to an Expert

Our team has built 600+ apps. Get personalized help with your project.

Book a free consultation

Integrations are where projects stall

We wire Retool integrations like this one every week — auth, webhooks, edge cases included. Fixed-price builds from $13K, delivered in 6–10 weeks.

Talk to an integration engineer

We put the rapid in RapidDev

Need a dedicated strategic tech and growth partner? Discover what RapidDev can do for your business! Book a call with our team to schedule a free, no-obligation consultation. We'll discuss your project and provide a custom quote at no cost.