Retool
Security Guide

How to Secure Your Retool App

Last updated: January 12, 2026

Retool builds internal tools that often access sensitive data. This guide covers securing your Retool applications.

Get Starter ScanRetool Security Overview

Why Security Matters for Retool

Key Security Concerns

Resource credentials stored in Retool - potential blast radius if compromised
SQL injection possible if using raw string interpolation in queries
Apps default to accessible by all org members - explicit restriction needed
API endpoints created by Retool are publicly addressable (auth required)
Staging/dev apps may accidentally connect to production databases

Security Strengths

SOC 2 Type II certified - enterprise-grade compliance
Self-hosted option (Retool On-Premise) for air-gapped deployments
Comprehensive audit logging with user action tracking
Granular RBAC - control access per app, resource, and query
Query approval workflows for sensitive operations
SSO integration (SAML, OIDC) for enterprise identity management

Step-by-Step Security Guide

1. Configure Resource Permissions

Use minimum required permissions for database connections. Don't connect with admin credentials.

2. Implement Row-Level Filtering

Use Retool's query parameters to filter data based on logged-in user. Don't expose all data to all users.

-- Filter by current user
SELECT * FROM orders WHERE user_id = {{ current_user.id }}

3. Enable Audit Logging

Turn on audit logging to track who accesses what data and when.

4. Use SSO for Authentication

Configure SSO instead of Retool passwords for enterprise security and centralized access control.

5. Review Query Templates

Ensure queries use parameterized inputs to prevent SQL injection.

6. Set Up Access Controls

Use Retool's permission groups to restrict app and resource access by role.

Common Security Mistakes

Avoid these common Retool security pitfalls:

Admin database credentials in resources
No row-level filtering on queries
Audit logging disabled
Broad access to sensitive apps
Unparameterized query inputs

Recommended Security Tools

Use these tools to maintain security throughout development:

VAS Security Scanner
npm audit / yarn audit
Git-secrets
Snyk

Ready to Secure Your App?

Security is an ongoing process, not a one-time checklist. After implementing these steps, use VAS to verify your Retool app is secure before launch, and consider regular scans as you add new features.

Start Security Scan

Frequently Asked Questions

Is it safe to connect Retool to production databases?

Yes, with precautions: use read-only credentials where possible, implement row-level filtering, enable audit logging, and restrict access to authorized users only.

How do I prevent SQL injection in Retool?

Use {{ }} template syntax for user inputs - Retool automatically parameterizes these. Never use string concatenation for query building.

Explore Related Resources

Related Security Resources

Retool SecurityIs Retool Safe?Retool Security Checklist

Similar Platforms

How to Secure BubbleHow to Secure SupabaseHow to Secure PostgreSQL