API key auth not working with Open API

I’ve created an Open API resource and provided an API key, but it looks like Retool is making all requests without the API key.

Here’s the Open API spec I’m using:
https://gist.githubusercontent.com/rohansingh/06007cba8872efe81e932b601e87ac48/raw/325034b6a0bed57e43a4c081b54da1af1fbb1408/app-server.json

You can see that API key security is defined in the spec, and I’ve selected it in the resource:

Based on the spec, Retool should send the API key via the key query parameter on all requests. Unfortunately, I can see from my server request logs that Retool isn’t sending the key at all, so the requests are denied.

I’ve also tried adding the key to the Custom Query Parameters section of the Open API resource definition, but that has no effect either. In both cases, Retool is making the requests without sending any query parameters at all.

Anyone know how to get auth working with an Open API resource?

Here are some requests that came from Retool in my logs:

I know they’re from Retool based on the user agent and IP address. As you can see, there are no query parameters provided at all.

Hey @rohan! Welcome to the community and sorry for the delay. Not sure what’s going on here - let me loop in an engineer and get back to you.

Alright @rohan, this is definitely a bug. I’ll file a ticket and hopefully get this fixed soon - in the meanwhile, you can work around it by adding your key to the URL manually, like ?key=myAPIKeyHere. Would that work?

@justin Great, thanks a bunch!

Unfortunately I don’t think there’s any way to manually specify a query parameter in an Open API spec. The spec has a base URL (e.g., my-api.com), and then a list of “paths” for different resources. The final URLs are constructed by the client by combining those.

That said, I have managed to create a REST API resource and added the key as a URL parameter in there. That works as expected for now!

This workaround is a bit of a pain since I have to manually type in the URLs and things that are defined in the Open API spec, so it would be nice to get the Open API bug fixed. But for now I can make queries to our backend and get some stuff done. Thanks again!
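
The behaviour the thread expects from a client, as an added example (not code from Retool or from the posters): it resolves which query key a spec's apiKey security requires per operation, builds the URL a conforming client would send, and flags logged requests that arrived without the key. The spec, host, paths and log entries are constructed, and the OpenAPI 3 layout is an assumption about the linked spec.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed spec in OpenAPI 3 layout (assumption); host and paths are made up.
SPEC = {
    "servers": [{"url": "https://my-api.example"}],
    "components": {"securitySchemes": {
        "api_key": {"type": "apiKey", "in": "query", "name": "key"}}},
    "security": [{"api_key": []}],
    "paths": {"/devices": {"get": {}}, "/health": {"get": {"security": []}}},
}

def query_key_alternatives(spec, path, method):
    """Query parameter names each security alternative requires for one operation."""
    op = spec["paths"][path][method]
    # Operation-level `security` overrides the top-level default; [] disables auth.
    requirements = op.get("security", spec.get("security", []))
    schemes = spec.get("components", {}).get("securitySchemes", {})
    # List entries are alternatives (OR); schemes inside one entry are all required.
    return [{schemes[n]["name"] for n in req
             if schemes[n]["type"] == "apiKey" and schemes[n]["in"] == "query"}
            for req in requirements]

def build_url(spec, path, method, api_key):
    """URL a conforming client would request: server URL + path + required key."""
    alts = query_key_alternatives(spec, path, method)
    query = urlencode({name: api_key for name in (alts[0] if alts else ())})
    return spec["servers"][0]["url"].rstrip("/") + path + ("?" + query if query else "")

def unauthenticated_requests(spec, logged):
    """Logged (method, target) pairs that satisfy no alternative's query keys."""
    missing = []
    for method, target in logged:
        parts = urlsplit(target)
        present = {k for k, v in parse_qsl(parts.query) if v}
        alts = query_key_alternatives(spec, parts.path, method.lower())
        if alts and not any(alt <= present for alt in alts):
            missing.append((method, target))
    return missing

# Constructed log entries; the key value is a placeholder.
LOGGED = [("GET", "/devices"), ("GET", "/devices?key=REDACTED"), ("GET", "/health")]

if __name__ == "__main__":
    print(build_url(SPEC, "/devices", "get", "k123"))
    print(unauthenticated_requests(SPEC, LOGGED))
```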