Custom Auth Flow variable storage and lifetime

I have built a custom auth flow from a REST API and have it working as per the docs.

I am curious, however, because the docs are a bit unclear.

  1. When defining variables like AUTHENTICATION_TOKEN to be passed in the Authorization header for the resource, is that token stored for each user that authenticates to the resource? So they will each have a different auth token stored in that variable?

  2. How long are these variables stored? Just for the duration of their Retool session? If not, is there any way to store these in the Retool database?

Hello @Cameron_M!

  1. Yes, each user who properly authenticates into the resource will have their own unique token that will be used for their queries to that specific resource.

  2. I believe that in the custom auth setup this will depend on the identity provider. This would be a third-party application/service that verifies the user's credentials, and this would be where you can configure how long the token will be valid for.

The token should be stored until it 'expires' and a new one is generated on the re-auth request. I believe these get reset when the Retool session ends.

Hypothetically, you could store token values in a Retool database as a string or some such value. This would likely not be recommended as a security best practice, in case you have a user who should not have access without needing to re-auth, and it could be very risky, so proceed with care!