How to create External Users for External Apps?

Hi Retool Team,

Now that we have external apps :tada::raised_hands:t5:, how can we improve the process of creating external users, considering this is currently only possible for admins?

It would be fantastic if this access control could be managed via API. However, it seems this feature is only available for Enterprise plans, even though external apps are also included in Business plans (which I am on).

Given that the cost for each external user is $10/month, we need an efficient way to send invites to our external users without doing it manually. The goal is to expand the scope of Retool, and manual processes can be tedious and time-consuming.

Idea: This new User Action query could contain an option called Create External User which simply requires an email that does not belong to the organization domain. That sends the invite as in this documentation: Build custom product pages | Retool Docs


Thank you for your attention and support.

Best regards, Juan Pablo

Wow, there is a User Action resource!!

Absolutely agree on this one, it is an easy one to add!

I saw @JuanPablo has already commented here which I will link as well to keep making my point :wink:

1 Like

if a random person navigates to your domain who doesn't have an email belonging to your org, they default to an external-user.

if someone navigates to your domain who does have an org email or who has been approved to join and they:

  • DO NOT have write permissions for anything, they're labeled as an end-user
  • DO have write permissions and within the current billing period have created or edited an app, module or workflow, they're labeled as a standard-user

anybody who DOES have an org email or has write permissions and they:

  • HAVE NOT created or edited an app, module or workflow within the current billing period is labeled an end-user
  • HAVE created or edited something is a standard-user

a simple way to remember this is usually:
external-user = random or unknown person
end-user = co-workers who only view/read
standard-user = other devs who create/edit anything

1 Like

great info @bobthebear thanks for summarizing

when you invite users from Settings, it appears to hit this API endpoint:

if someone can come up with a way to fetch a CSRF token programmatically, there's a chance we can hack together something satisfying. i'm not a web developer, so I honestly don't even know how CSRF works, but someone a few years ago seems to be asking a similar question: using credentials privider to log in on Retool · nextauthjs/next-auth · Discussion #3240 · GitHub

like @MiguelOrtiz said in that linked post, it behooves Retool to give us an API for user invites so we can add more billed users.

1 Like

There's no need to hack around with intercepting tokens from the frontend - users on the business plan have access to create API tokens for user invites and user attributes. Feel free to reference the docs for how to access - the scopes available to you on your plan will be visible in your specific API page under settings.

1 Like

Hey @albert thanks for the information,
Maybe I'm doing it wrong, but I have granted all the scopes to my API and still get the message

    "success": false,
    "message": "API access is only available for enterprise customers"

Some of the endpoints work, like send invites, which lets me add new users as external users, but when I try to read from the users endpoint I get the error "API access is only available for enterprise customers"

Do you know why I cannot have access to all of the endpoints?
Thank you!

Unfortunately, reading users and other endpoints are currently not in scope for the business plan.

@albert hmm... the retool API docs show it's available only for Enterprise:


i guess i hadn't gotten far enough to verify the API behaves according to the docs yet. a month ago or so, i had scoped out APIv2 to see if building a terraform provider plugin was worth having to write Go code, but found it was missing way too many endpoints to be useful.

not to scope creep this topic here, but if the API is Enterprise-only, and startup credits cap us at Business plan, then we really have no way to:

  • create many environments
  • manage many users programmatically
  • provision default apps+resources+queries+workflows with per-environment overrides
  • interact with modules

and so there's bound to be some hacking involved.

1 Like

Hey @albert I understand that most endpoints are for Enterprise, but then why do I have the option to assign the scope of read / write in my business plan if, however, I cannot have access?

@albert i can confirm successful user invite thru API on Business plan. thanks for info!

While on the business plan, you can create scopes for user invites and user attributes. There is a separate scope for users, which is not available.

1 Like

This is all clear, but how can you update a user's attributes with the API (business plan) if you don't know his user_id? Or is it just general adding / updating user_attributes and then via retool admin update a particular user?

1 Like

Right on spot @LinoPino, not much sense in being able to send invites if endpoints like attributes or groups are not available. All of my users have groups and attributes so just sending them a (not personalised) invite is really not a solution

1 Like

the user attributes endpoint is actually accessible. I just made a REST API Resource and used the /user_attributes endpoint to test it. It's def not very clear, you kinda have to piece it all together from different places:

this says you only need the Users > Write permission on the API Token, so you do not need any permissions for Retool API > Read/Write to access User Attributes.

on the User Attributes page you can see a base req of Business or Enterprise, so unless otherwise stated features that have access to User Attributes should have the same or more strict requirements

here's the resource I made for ref


Thanks @bobthebear, I'll give it a go. When I last looked into this I don't think the attributes section was available when generating a token. This seems positive

1 Like

well, if it's a mistake favoring me.... it'd be awesome if everybody could please pretend they're a blind goldfish :flushed: :grimacing: :rofl: