Hello,
Can someone help me confirm if my understanding is correct:
Let's say I have one user with business account ($50/mo). I also have 70 users all sharing this one account to login into Retool but then using Custom API Authentication to authenticate with their own accounts (i.e. not Retool accounts) and get an access token.
Does that mean that I still pay $50 a month? Thanks!
Me too. I'm just wondering if we could be missing something.
I would be interested to know how you are authenticating non Retool users. If you have 70 people all sharing the credentials to log in to Retool itself, then yes and so you have each person “log in” through the custom auth implementation?
You might make this work but wouldn’t this limit the your capability to create groups and different levels of access/operations? I guess you could handle all ACL stuff in a DB yourself. Just seems like a lot to work around. Not to mention auditing who “logged in” and changed something….just curious to hear more thoughts on this approach.
My idea was to just use what we already have implemented our GraphQL API. It already has user accounts, auditing and ACL stuff.
I wrote to the Retool team and they said this is not supported. They didn't mentioned more details but now that I think about it I can see why:
Because all users share the same account every time someone uses the custom api auth they will reset the access token for the next person. I tested this with two separate Retool sessions I can confirm it is happening.
Unfortunately this means we probably won't be able to use Retool as we have a team of 70 people that will all need Retool accounts.
It seems I've been thinking about this the wrong way. In our case we already have an existing admin web app. We'd like to move it gradually to Retool. What we can do is use the embed functionality:
Each admin user will be logged into Retool with the same account. However, they will use their own accounts to login into our admin. Their user id can then be passed to the embedded Retool app as a url param so it can be sent with every query in order for the API to know which user did what action.
Interesting - could someone simply change the URL param or is that not shown in the embedded app? Would like to know if your idea works out for you....
The user id url param won't shown. It will be sent as a header param from be embedded app to the API.
We had the same idea but figured out it was against Retool’s TOS, you can’t try to bypass the user fee structure. It really sucks because $50 a month per user is ridiculous . And we need audit trails. I hope they consider adding another type of user for internal apps that don’t need access to edit.
At least that’s what we were told by chat support and someone in sales. It would be helpful if a member from the retool team could chime in here about what’s allowed...
Yeah, I agree. I too got the impression this is not allowed, when I talked to their sales team. Retool is such a great tool, I really hope in the future they introduce another plan that will cover for such cases.