Skip to main content
RapidDev - Software Development Agency
retool-tutorial

How to Implement Authentication in a Retool Application

Retool handles app authentication at the organization level — configure SSO via Settings → Authentication. Once a user logs in, access their identity anywhere in the app using {{ current_user.email }}, {{ current_user.fullName }}, and {{ current_user.groups }}. Use group membership to show/hide components or restrict query execution. Custom login pages are available for embedded apps on Business plans.

What you'll learn

  • Configure Google SSO, SAML, or OIDC authentication in Retool organization settings
  • Access the current_user object properties: email, fullName, id, groups, and metadata
  • Show or hide UI elements based on {{ current_user.groups }} for role-based display
  • Set up custom login pages for externally embedded Retool apps
  • Understand the difference between Retool's built-in auth and resource-level auth
Book a free consultation
4.9Clutch rating
600+Happy partners
17+Countries served
190+Team members
Beginner6 min read20-30 minRetool Cloud and Self-hostedLast updated March 2026RapidDev Engineering Team
TL;DR

Retool handles app authentication at the organization level — configure SSO via Settings → Authentication. Once a user logs in, access their identity anywhere in the app using {{ current_user.email }}, {{ current_user.fullName }}, and {{ current_user.groups }}. Use group membership to show/hide components or restrict query execution. Custom login pages are available for embedded apps on Business plans.

Quick facts about this guide
FactValue
ToolRetool
DifficultyBeginner
Time required20-30 min
CompatibilityRetool Cloud and Self-hosted
Last updatedMarch 2026

Authentication in Retool: Platform-Level, Not App-Level

Unlike traditional web apps where you build a login page and manage sessions, Retool handles authentication at the platform level. Users authenticate once to your Retool organization — then all apps they have permission to access are available without additional login steps.

Retool supports multiple authentication methods: email/password (basic), Google SSO (easy setup), SAML 2.0 (enterprise SSO with Okta, Azure AD, etc.), and OIDC (custom identity providers). On Business plans, you can also use Google Workspace for domain-based access control.

Once authenticated, the current_user object is available in every app — it contains the user's email, name, group memberships, and custom metadata from your SSO provider.

Prerequisites

  • Admin access to Retool Settings
  • For SSO setup: access to your identity provider (Google Admin Console, Okta, Azure AD, or your OIDC provider)
  • Understanding of Retool groups and permissions (recommended)

Step-by-step guide

1

Configure Google SSO for your Retool organization

Navigate to Settings → Authentication in your Retool org. Click 'Add authentication' or find the Google SSO section. For Google Workspace, enable 'Restrict to specific domains' and enter your company's Google Workspace domain (e.g., yourcompany.com). This allows any user with a @yourcompany.com Google account to log in. Users see a 'Sign in with Google' button on the Retool login page. After Google SSO is enabled, new users signing in with Google are automatically created as Retool users in the 'All Users' default group.

Expected result: Users can log in to Retool using their Google account. Domain restriction prevents unauthorized sign-ups.

2

Configure SAML 2.0 SSO for enterprise identity providers

For Okta, Azure AD, or other enterprise IdPs, use SAML 2.0. In Settings → Authentication, select 'SAML 2.0'. Retool provides its Service Provider metadata (ACS URL, Entity ID) for you to enter in your IdP. Copy the IdP metadata XML or URL from your identity provider and paste it into Retool's 'IdP metadata URL' or 'IdP metadata XML' field. Configure attribute mappings: email (required), firstName, lastName, and any custom attributes you want available in current_user.metadata. Test the flow before locking out password-based login.

Expected result: Users can authenticate via your enterprise IdP. Retool groups are auto-assigned based on IdP group claims.

3

Use the current_user object in your app

After authentication is configured, access user identity anywhere in your app using the current_user object. The key properties are: current_user.email (user's email address), current_user.fullName (display name), current_user.id (Retool internal user ID), current_user.groups (array of group names the user belongs to), current_user.metadata (custom attributes from SSO provider). Use these in queries (personalized SQL filters), component visibility conditions, and text components.

typescript
1// Personalized SQL query using current user
2SELECT *
3FROM work_orders
4WHERE assigned_to = {{ current_user.email }}
5ORDER BY due_date ASC;
6
7// Welcome message in a Text component
8Welcome back, {{ current_user.fullName.split(' ')[0] }}!
9
10// Show admin panel only to admins:
11// Component Hidden property:
12{{ !current_user.groups.includes('Admins') }}
13
14// Show username in page title:
15Support Queue {{ current_user.fullName }}

Expected result: App personalizes content based on the logged-in user's identity and group membership.

4

Restrict query execution based on user groups

For sensitive operations, add a guard condition in JS Queries that checks group membership before running a write operation. This provides defense-in-depth beyond just hiding UI elements — even if someone finds a way to trigger the query, the JS check will block unauthorized execution.

typescript
1// JS Query: deleteRecord
2// Guarded to allow only Admin group members
3
4if (!current_user.groups.includes('Admins')) {
5 utils.showNotification({
6 title: 'Access denied',
7 description: 'Only administrators can delete records.',
8 notificationType: 'error',
9 });
10 return;
11}
12
13if (!confirm(`Delete record ID ${table1.selectedRow.data.id}? This cannot be undone.`)) {
14 return;
15}
16
17await deleteFromDb.trigger();
18await refreshList.trigger();
19
20utils.showNotification({
21 title: 'Record deleted',
22 notificationType: 'success',
23});

Expected result: Delete operation is blocked for non-admin users even if they somehow trigger the query.

5

Set up a custom login page for embedded apps

When embedding Retool apps in external websites using Retool's Embed feature (Business plan), you may want a branded login experience instead of Retool's default login page. Navigate to Settings → Embedding → Custom login. Configure a custom login URL that your users are redirected to. After successful authentication on your platform, generate a Retool embed URL with a JWT embed token containing the user's identity. Retool validates the JWT and creates a Retool user session automatically — users never see Retool's login page.

Expected result: Embedded Retool apps use your custom login flow. Users see your branded login, not Retool's.

Complete working example

SQL Query: getPersonalizedData
1-- Personalized query using current_user for multi-tenant data isolation
2-- Only returns records belonging to the current user's team
3
4SELECT
5 r.id,
6 r.title,
7 r.status,
8 r.priority,
9 r.due_date,
10 r.created_at,
11 u.full_name AS assignee_name
12FROM requests r
13JOIN users u ON r.assignee_id = u.id
14WHERE
15 -- Filter by team based on current user's group membership
16 r.team_id = (
17 SELECT team_id FROM users WHERE email = {{ current_user.email }}
18 )
19 -- Admins can see all records, regular users see only their own
20 AND (
21 {{ current_user.groups.includes('Admins') }}
22 OR r.assignee_email = {{ current_user.email }}
23 )
24ORDER BY r.priority DESC, r.due_date ASC
25LIMIT 200;

Common mistakes when implementing Authentication in a Retool Application

Why it's a problem: Hiding UI elements with current_user.groups as the only access control for sensitive operations

How to avoid: CSS visibility and Hidden properties can be bypassed. Add server-side checks in SQL WHERE clauses (AND user_email = {{ current_user.email }}) and JavaScript guards (if (!current_user.groups.includes('Admins')) return;) for any write operation.

Why it's a problem: Enabling SSO without first testing it with a non-admin account, then getting locked out

How to avoid: Before enforcing SSO, test the full login flow with a test account. Keep password-based login as a fallback for at least one admin account until SSO is confirmed working.

Why it's a problem: Using current_user.email in SQL queries without parameterization, creating SQL injection risk

How to avoid: Retool automatically parameterizes {{ }} expressions in SQL queries using prepared statements. This is safe. Avoid string concatenation like 'WHERE email = \'' + current_user.email + '\'' — always use the {{ }} syntax.

Best practices

  • Use Retool's built-in SSO integration rather than building custom authentication — it's more secure and easier to maintain
  • Always configure both UI-level hiding (Hidden property) AND query-level guards for sensitive operations
  • Map your IdP groups to Retool groups during SAML/OIDC setup to automate permission management
  • Test authentication setup with a non-admin test account before going live to verify that regular users see the correct experience
  • For embedded apps, always generate embed JWTs server-side — the embed secret must never reach the browser
  • Log authentication events: Retool's audit log records login events, SSO changes, and permission modifications

Still stuck?

Copy one of these prompts to get a personalized, step-by-step explanation.

ChatGPT Prompt

I'm setting up authentication for a Retool app used by multiple departments. I need: (1) SAML 2.0 SSO configuration steps for Okta with attribute mapping (email, groups), (2) a SQL query that filters records based on the user's department using {{ current_user.groups }}, (3) a JS Query 'deleteRecord' that checks if the user is in the 'Managers' group before allowing deletion, (4) how to hide the admin settings panel using the Hidden property with {{ current_user.groups }} expressions.

Retool Prompt

Configure Retool authentication: SAML 2.0 settings with IdP metadata URL and email attribute mapping. In a SQL query, use WHERE team = {{ current_user.metadata.department }} for personalization. JS Query 'guardedDelete' that checks if (!current_user.groups.includes('Admins')) { return; }. Component Hidden expression: {{ !current_user.groups.includes('Managers') }}. Show how to display {{ current_user.fullName }} in a welcome Text component.

Frequently asked questions

Can Retool apps be accessed without logging in (public access)?

Yes — in app Settings, enable 'Public access' to make an app accessible without a Retool account. Public apps cannot use {{ current_user }} since there is no authenticated user. Public access is suitable for external-facing dashboards but not for internal tools handling sensitive data.

What is current_user.metadata and how do I populate it?

current_user.metadata contains custom attributes forwarded from your SSO provider. Configure attribute mapping in your SAML or OIDC settings: map IdP attributes (like department, employeeId, costCenter) to Retool metadata fields. Access them as {{ current_user.metadata.department }}. Email/password accounts don't have SSO metadata.

How does Retool handle authentication for self-hosted deployments?

Self-hosted Retool supports all the same authentication methods (email/password, Google SSO, SAML, OIDC) configured in the same Settings UI. The only difference is that the SSO callback URLs point to your self-hosted domain instead of Retool Cloud. Some authentication features (like Retool's managed identity verification) require network access to Retool's auth services.

RapidDev

Talk to an Expert

Our team has built 600+ apps. Get personalized help with your project.

Book a free consultation

Learning is great. Shipping is faster with help.

Our engineers have built 600+ apps on Retool and the tools around it. If your project needs to be live sooner than your learning curve allows — book a free consultation.

Book a free consultation

We put the rapid in RapidDev

Need a dedicated strategic tech and growth partner? Discover what RapidDev can do for your business! Book a call with our team to schedule a free, no-obligation consultation. We'll discuss your project and provide a custom quote at no cost.