2FA Failing for Users + No Session Timeout in Retool Cloud (Business Plan)

Current plan level: Business
Monthly/Annual: Annual
Version of Retool: Cloud

Question / Issue

We're seeing two potentially related issues with 2FA and session management in Retool Cloud:

1. Frequent 2FA failures

About once a week, I have to reset 2FA for a user because their code from the authenticator app is rejected.

  • I've verified they're using the correct code.
  • This issue affects users across different authenticator apps (e.g., Microsoft Authenticator, Okta Verify) and device types (iOS, Android), so it doesn’t seem isolated to a specific platform.

2. Session doesn't expire

On the flip side, I personally haven't been prompted to log in to Retool in over 2 months — despite using it daily.

  • Based on Retool's self-hosted docs, the max session length is supposed to be 1 week.
  • I can’t find a similar doc for Retool Cloud, but I’d expect some session timeout for security.

Why I’m posting

These issues make me think there might be something off on Retool’s end with 2FA or session management.

Has anyone else experienced this?
Any ideas on:

  • Why 2FA codes might stop working?
  • Whether max session limits are actually enforced on Retool Cloud?

What I’m hoping to resolve

  1. Prevent users' valid 2FA codes from failing randomly
  2. Ensure session timeout settings are respected for security

Thanks in advance for any insight or guidance!

1 Like

Hey @sgodoshian - I've been keeping an eye on this for a while now, but don't really have any particularly meaningful insights. Do you still find yourself needing to regularly reset 2FA for any users? I see a fair number of error logs for one user, in particular, over the past month or so - most recently on April 17.

As far as sessions on the Cloud are concerned, I'm not actually sure what the intended duration should be. I think JWTs should expire after 3 days, but that might just be for Google SSO. Can you open up your dev tools and take a look at your accessToken cookie?

Have you had a chance to revisit this, @sgodoshian?

Hey @Darren! Yes we still have to reset 2FA codes every so often.

I just looked at my accessToken cookie: 2025-07-22T00:49:42.157Z - so that is a week, but I guess it keeps getting re-upped every time I use Retool? I haven't had to log in since I was out of the office for over a week.

We converted over to custom SSO, so this won't be an issue for us anymore. That being said, right before we made that switch, there were 3 users who needed to have their 2FA reset because their code stopped working 😅

I wonder if it was something with our org?

1 Like
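The behaviour described above (the accessToken cookie being re-upped on every use, so a daily user is never re-prompted, while someone away for more than a week is) is what a sliding-expiration-only policy produces. The model below is an added illustration, not Retool's code and not anything the thread established about Retool's internals: it contrasts sliding-only renewal with a sliding window capped by an absolute lifetime. The 7-day window is the cookie lifetime observed in the thread; the 30-day cap is an assumed value.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Iterable, Optional

IDLE_LIFETIME = timedelta(days=7)    # cookie lifetime seen in the thread
ABSOLUTE_MAX = timedelta(days=30)    # assumed hard cap for the capped variant


@dataclass(frozen=True)
class Session:
    issued_at: datetime    # when the user last authenticated
    expires_at: datetime   # current cookie expiry


def touch_sliding(s: Session, now: datetime) -> Optional[Session]:
    """Sliding-only: each request re-issues the cookie for another IDLE_LIFETIME.
    Returns None when the session has already lapsed and a fresh login is needed."""
    if now >= s.expires_at:
        return None
    return Session(s.issued_at, now + IDLE_LIFETIME)


def touch_capped(s: Session, now: datetime) -> Optional[Session]:
    """Sliding window plus absolute cap: renew, but never past issued_at + ABSOLUTE_MAX."""
    if now >= s.expires_at:
        return None
    hard_stop = s.issued_at + ABSOLUTE_MAX
    if now >= hard_stop:
        return None
    return Session(s.issued_at, min(now + IDLE_LIFETIME, hard_stop))


Policy = Callable[[Session, datetime], Optional[Session]]


def first_relogin_day(policy: Policy, login: datetime, usage_days: Iterable[int]) -> Optional[int]:
    """Replay app usage on the given days after login (day 0 = the login itself).
    Returns the first usage day on which the policy forces a new login, or None."""
    s = Session(login, login + IDLE_LIFETIME)
    for day in usage_days:
        s = policy(s, login + timedelta(days=day))
        if s is None:
            return day
    return None


if __name__ == "__main__":
    login = datetime(2025, 5, 1, tzinfo=timezone.utc)  # constructed login time
    print("daily use, sliding only :", first_relogin_day(touch_sliding, login, range(1, 91)))
    print("daily use, 30-day cap   :", first_relogin_day(touch_capped, login, range(1, 91)))
    print("8-day gap, sliding only :", first_relogin_day(touch_sliding, login, [1, 2, 3, 4, 5, 13]))
```

With sliding-only renewal the daily user is never logged out in 90 days, which matches the observation in the thread; the capped variant forces re-authentication on day 30 regardless of activity.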

I suppose it's possible. 🤔 The overall volume of Invalid 2fa token errors is pretty high, but it's hard to tell which subset of those may be false positives. That's the specific error your users were seeing, yeah? Feel free to DM me the email of an affected user and I can take a closer look.

Glad to hear that you're switching over to a custom SSO solution, though! That will give you finer control over session duration, as well.

1 Like