Retool handles app authentication at the organization level — configure SSO via Settings → Authentication. Once a user logs in, access their identity anywhere in the app using {{ current_user.email }}, {{ current_user.fullName }}, and {{ current_user.groups }}. Use group membership to show/hide components or restrict query execution. Custom login pages are available for embedded apps on Business plans.
| Fact | Value |
|---|---|
| Tool | Retool |
| Difficulty | Beginner |
| Time required | 20-30 min |
| Compatibility | Retool Cloud and Self-hosted |
| Last updated | March 2026 |
Authentication in Retool: Platform-Level, Not App-Level
Unlike traditional web apps where you build a login page and manage sessions, Retool handles authentication at the platform level. Users authenticate once to your Retool organization — then all apps they have permission to access are available without additional login steps.
Retool supports multiple authentication methods: email/password (basic), Google SSO (easy setup), SAML 2.0 (enterprise SSO with Okta, Azure AD, etc.), and OIDC (custom identity providers). On Business plans, you can also use Google Workspace for domain-based access control.
Once authenticated, the current_user object is available in every app — it contains the user's email, name, group memberships, and custom metadata from your SSO provider.
Prerequisites
- Admin access to Retool Settings
- For SSO setup: access to your identity provider (Google Admin Console, Okta, Azure AD, or your OIDC provider)
- Understanding of Retool groups and permissions (recommended)
Step-by-step guide
Configure Google SSO for your Retool organization
Navigate to Settings → Authentication in your Retool org. Click 'Add authentication' or find the Google SSO section. For Google Workspace, enable 'Restrict to specific domains' and enter your company's Google Workspace domain (e.g., yourcompany.com). This allows any user with a @yourcompany.com Google account to log in. Users see a 'Sign in with Google' button on the Retool login page. After Google SSO is enabled, new users signing in with Google are automatically created as Retool users in the 'All Users' default group.
Expected result: Users can log in to Retool using their Google account. Domain restriction prevents unauthorized sign-ups.
Configure SAML 2.0 SSO for enterprise identity providers
For Okta, Azure AD, or other enterprise IdPs, use SAML 2.0. In Settings → Authentication, select 'SAML 2.0'. Retool provides its Service Provider metadata (ACS URL, Entity ID) for you to enter in your IdP. Copy the IdP metadata XML or URL from your identity provider and paste it into Retool's 'IdP metadata URL' or 'IdP metadata XML' field. Configure attribute mappings: email (required), firstName, lastName, and any custom attributes you want available in current_user.metadata. Test the flow before locking out password-based login.
Expected result: Users can authenticate via your enterprise IdP. Retool groups are auto-assigned based on IdP group claims.
Use the current_user object in your app
After authentication is configured, access user identity anywhere in your app using the current_user object. The key properties are: current_user.email (user's email address), current_user.fullName (display name), current_user.id (Retool internal user ID), current_user.groups (array of group names the user belongs to), current_user.metadata (custom attributes from SSO provider). Use these in queries (personalized SQL filters), component visibility conditions, and text components.
1// Personalized SQL query using current user2SELECT *3FROM work_orders4WHERE assigned_to = {{ current_user.email }}5ORDER BY due_date ASC;67// Welcome message in a Text component8Welcome back, {{ current_user.fullName.split(' ')[0] }}!910// Show admin panel only to admins:11// Component Hidden property:12{{ !current_user.groups.includes('Admins') }}1314// Show username in page title:15Support Queue — {{ current_user.fullName }}Expected result: App personalizes content based on the logged-in user's identity and group membership.
Restrict query execution based on user groups
For sensitive operations, add a guard condition in JS Queries that checks group membership before running a write operation. This provides defense-in-depth beyond just hiding UI elements — even if someone finds a way to trigger the query, the JS check will block unauthorized execution.
1// JS Query: deleteRecord2// Guarded to allow only Admin group members34if (!current_user.groups.includes('Admins')) {5 utils.showNotification({6 title: 'Access denied',7 description: 'Only administrators can delete records.',8 notificationType: 'error',9 });10 return;11}1213if (!confirm(`Delete record ID ${table1.selectedRow.data.id}? This cannot be undone.`)) {14 return;15}1617await deleteFromDb.trigger();18await refreshList.trigger();1920utils.showNotification({21 title: 'Record deleted',22 notificationType: 'success',23});Expected result: Delete operation is blocked for non-admin users even if they somehow trigger the query.
Set up a custom login page for embedded apps
When embedding Retool apps in external websites using Retool's Embed feature (Business plan), you may want a branded login experience instead of Retool's default login page. Navigate to Settings → Embedding → Custom login. Configure a custom login URL that your users are redirected to. After successful authentication on your platform, generate a Retool embed URL with a JWT embed token containing the user's identity. Retool validates the JWT and creates a Retool user session automatically — users never see Retool's login page.
Expected result: Embedded Retool apps use your custom login flow. Users see your branded login, not Retool's.
Complete working example
1-- Personalized query using current_user for multi-tenant data isolation2-- Only returns records belonging to the current user's team34SELECT5 r.id,6 r.title,7 r.status,8 r.priority,9 r.due_date,10 r.created_at,11 u.full_name AS assignee_name12FROM requests r13JOIN users u ON r.assignee_id = u.id14WHERE15 -- Filter by team based on current user's group membership16 r.team_id = (17 SELECT team_id FROM users WHERE email = {{ current_user.email }}18 )19 -- Admins can see all records, regular users see only their own20 AND (21 {{ current_user.groups.includes('Admins') }}22 OR r.assignee_email = {{ current_user.email }}23 )24ORDER BY r.priority DESC, r.due_date ASC25LIMIT 200;Common mistakes when implementing Authentication in a Retool Application
Why it's a problem: Hiding UI elements with current_user.groups as the only access control for sensitive operations
How to avoid: CSS visibility and Hidden properties can be bypassed. Add server-side checks in SQL WHERE clauses (AND user_email = {{ current_user.email }}) and JavaScript guards (if (!current_user.groups.includes('Admins')) return;) for any write operation.
Why it's a problem: Enabling SSO without first testing it with a non-admin account, then getting locked out
How to avoid: Before enforcing SSO, test the full login flow with a test account. Keep password-based login as a fallback for at least one admin account until SSO is confirmed working.
Why it's a problem: Using current_user.email in SQL queries without parameterization, creating SQL injection risk
How to avoid: Retool automatically parameterizes {{ }} expressions in SQL queries using prepared statements. This is safe. Avoid string concatenation like 'WHERE email = \'' + current_user.email + '\'' — always use the {{ }} syntax.
Best practices
- Use Retool's built-in SSO integration rather than building custom authentication — it's more secure and easier to maintain
- Always configure both UI-level hiding (Hidden property) AND query-level guards for sensitive operations
- Map your IdP groups to Retool groups during SAML/OIDC setup to automate permission management
- Test authentication setup with a non-admin test account before going live to verify that regular users see the correct experience
- For embedded apps, always generate embed JWTs server-side — the embed secret must never reach the browser
- Log authentication events: Retool's audit log records login events, SSO changes, and permission modifications
Still stuck?
Copy one of these prompts to get a personalized, step-by-step explanation.
I'm setting up authentication for a Retool app used by multiple departments. I need: (1) SAML 2.0 SSO configuration steps for Okta with attribute mapping (email, groups), (2) a SQL query that filters records based on the user's department using {{ current_user.groups }}, (3) a JS Query 'deleteRecord' that checks if the user is in the 'Managers' group before allowing deletion, (4) how to hide the admin settings panel using the Hidden property with {{ current_user.groups }} expressions.
Configure Retool authentication: SAML 2.0 settings with IdP metadata URL and email attribute mapping. In a SQL query, use WHERE team = {{ current_user.metadata.department }} for personalization. JS Query 'guardedDelete' that checks if (!current_user.groups.includes('Admins')) { return; }. Component Hidden expression: {{ !current_user.groups.includes('Managers') }}. Show how to display {{ current_user.fullName }} in a welcome Text component.
Frequently asked questions
Can Retool apps be accessed without logging in (public access)?
Yes — in app Settings, enable 'Public access' to make an app accessible without a Retool account. Public apps cannot use {{ current_user }} since there is no authenticated user. Public access is suitable for external-facing dashboards but not for internal tools handling sensitive data.
What is current_user.metadata and how do I populate it?
current_user.metadata contains custom attributes forwarded from your SSO provider. Configure attribute mapping in your SAML or OIDC settings: map IdP attributes (like department, employeeId, costCenter) to Retool metadata fields. Access them as {{ current_user.metadata.department }}. Email/password accounts don't have SSO metadata.
How does Retool handle authentication for self-hosted deployments?
Self-hosted Retool supports all the same authentication methods (email/password, Google SSO, SAML, OIDC) configured in the same Settings UI. The only difference is that the SSO callback URLs point to your self-hosted domain instead of Retool Cloud. Some authentication features (like Retool's managed identity verification) require network access to Retool's auth services.
Talk to an Expert
Our team has built 600+ apps. Get personalized help with your project.
Book a free consultation