[Bug] AWS SigV4 Signature Mismatch - Retool proxy injecting baggage/x-datadog headers breaks signing

steve1 · February 2, 2026, 11:57pm

## Summary

Since approximately Feb 2, 2026 evening (KST), all REST API queries using AWS v4 authentication to AWS OpenSearch are failing with 400 errors due to SigV4 signature mismatch.

Nothing was changed on our side. This appears to be caused by a Retool infrastructure update that introduced new proxy headers into the request.

## Error Message

The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method.

## Root Cause Analysis

The Canonical String in the error reveals that Retool's proxy is injecting the following headers into the outbound request, which get included in the AWS SigV4 signature calculation:

- baggage: Contains Sentry tracing data (sentry-release=3.332.0, sentry-environment=production) - x-datadog-parent-id - x-datadog-sampling-priority - x-datadog-tags - x-datadog-trace-id - ot-baggage-requestid: undefined

These headers are Retool's own observability/monitoring headers (Sentry, Datadog), NOT user-configured headers.

## Signed Headers (from error)

Actual: baggage;content-length;content-type;host;ot-baggage-requestid;x-amz-date;x-datadog-parent-id;x-datadog-sampling-priority;x-datadog-tags;x-datadog-trace-id

Expected: content-length;content-type;host;x-amz-date

## Environment

- Retool version: 3.334.0 (Cloud) - Resource type: REST API with AWS v4 authentication - AWS Service: OpenSearch (ap-northeast-2) - "Exclude default headers": Checked but does NOT remove the tracing headers

## Impact

All OpenSearch queries fail with 400 errors. Dashboard is completely non-functional.

## Steps to Reproduce

1. Create a REST API resource with AWS v4 authentication 2. Point it to any AWS service (e.g., OpenSearch) 3. Run any query - 400 error with SigV4 signature mismatch 4. Inspect the canonical string - observe baggage, x-datadog-* headers

## Workaround Attempted

Checked "Exclude default headers" - Did NOT fix (tracing headers injected at proxy level)

## Expected Behavior

Retool's internal observability headers should NOT be included in AWS SigV4 canonical string. This is a P0 regression for anyone using AWS v4 authenticated resources.

Breakage report also filed via in-app form.

John_V · February 3, 2026, 12:16am

Hey @steve1

Thanks for letting us know.

We are investigating this internally now and hoping to get a fix out asap. We will keep you posted!

Thanks for your patience on this

Regards,
John | Retool Support

John_V · February 3, 2026, 1:12am

Hey @steve1

We are actively rolling back the latest Cloud release which caused this.

It should replicate throughout Retool Cloud in the coming next hour or so.

Regards,
John | Retool Support

Topic		Replies	Views
422 Error When Trying to Use OpenAPI 3.1.0 Resource 💬 Queries and Resources bug	10	131	February 12, 2026
[bug] S3 upload queries in Retool Portals use wrong origin in HTTP request 💬 Queries and Resources bug , s3	4	286	July 29, 2024
OpenAPI Intermittent Operation Not Found - Possible Caching Issue 💬 Queries and Resources bug	7	162	July 31, 2025
Data Sources returning error 💬 App Building	8	1267	July 27, 2023
404 from `/api/embed-url/external-user` 💬 External Apps resource-connection , bug	6	126	February 11, 2025

[Bug] AWS SigV4 Signature Mismatch - Retool proxy injecting baggage/x-datadog headers breaks signing

Related topics