Hi everyone,
We're planning to use Retool as a frontend for our end customers in a multi-tenant SaaS context via embedded apps. We've identified a security concern and would appreciate guidance on how to mitigate it.
The Problem
When an embedded Retool app executes a query, the request sent to the Retool backend includes a userParams object that can be modified by the end-user (e.g., via browser DevTools or by replaying/modifying the request).
Here's a simplified example of the request body:
{ "userParams": { "queryParams": { "0": "tenant-uuid-here", "length": 1 } }, "environment": "staging", "queryType": "SqlQueryUnified", ... }
In our case, queryParams[0] contains the tenant ID. An authenticated user could potentially:
- Change the tenant ID to access another tenant's data
- Change the environment parameter (e.g., from staging to production)
Our Context
We use Retool embedded apps served to end-customers
Authentication is handled via our backend and works correctly
The issue is authorization: there's no server-side validation that the authenticated user is allowed to access the requested tenant
What We're Looking For
Is there a way to lock down query parameters so they cannot be modified by the client?
Is there a recommended pattern for server-side authorization in embedded apps (e.g., validating that the session belongs to the requested tenant)?
Can we use Retool's backend logic to enforce that certain parameters are derived from the authenticated user's session rather than passed from the frontend?
Any guidance, best practices, or documentation pointers would be greatly appreciated!
Thanks in advance.
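As an added illustration of the server-side authorization pattern the third question asks about (this is example code, not part of the original post and not Retool's own code): the gate below would run in our own backend before a query is forwarded. The request shape (userParams.queryParams["0"] holding the tenant ID, plus environment) follows the post; the `session` object, the `authorizeQuery` result format, the allowed-environment policy and the sample data are assumptions for illustration.

```javascript
// Added illustration (not Retool's code): an authorization gate our own
// backend runs before forwarding an embedded app's query. The request shape
// (userParams.queryParams["0"] = tenant id, environment) follows the post;
// `session`, the result object and the policy below are assumptions.

// Environments an end-customer session may ever reach. Anything else
// (e.g. "staging") is refused regardless of what the client sends.
const ALLOWED_ENVIRONMENTS = new Set(["production"]);

/**
 * session     - trusted, produced by our backend's authentication:
 *               { userId, tenantIds: [...] }
 * requestBody - untrusted, exactly as the browser sent it
 * Returns { ok: true, params } with params rebuilt from trusted state, or
 * { ok: false, code, detail } saying why the request was refused.
 */
function authorizeQuery(session, requestBody) {
  const environment = requestBody && requestBody.environment;
  const queryParams =
    (requestBody && requestBody.userParams && requestBody.userParams.queryParams) || {};
  const requestedTenant = queryParams["0"];

  if (!ALLOWED_ENVIRONMENTS.has(environment)) {
    return { ok: false, code: "ENVIRONMENT_DENIED", detail: `environment=${environment}` };
  }
  if (typeof requestedTenant !== "string" || requestedTenant.length === 0) {
    return { ok: false, code: "TENANT_MISSING", detail: "queryParams[0] absent" };
  }
  // Authorization proper: the authenticated user must belong to the tenant
  // named in the request. Membership comes from the session, never from
  // anything the client supplied.
  if (!session.tenantIds.includes(requestedTenant)) {
    return {
      ok: false,
      code: "TENANT_MISMATCH",
      detail: `user=${session.userId} requested=${requestedTenant}`,
    };
  }
  // Rebuild the effective parameters server-side so downstream code never
  // reads the client-supplied copy of the request.
  return { ok: true, params: { tenantId: requestedTenant, environment } };
}

/** Turn a decision into an audit-log line; a DENY with TENANT_MISMATCH is a
 *  tamper signal worth alerting on, since the embedded app never sends one. */
function auditLine(session, decision) {
  return (
    `authz ${decision.ok ? "ALLOW" : "DENY"} user=${session.userId}` +
    (decision.ok ? "" : ` code=${decision.code} ${decision.detail}`)
  );
}

// Constructed sample data for a stand-alone run.
const sampleSession = { userId: "user-42", tenantIds: ["tenant-a"] };
const legitimate = {
  userParams: { queryParams: { "0": "tenant-a", length: 1 } },
  environment: "production",
};
const tamperedTenant = {
  ...legitimate,
  userParams: { queryParams: { "0": "tenant-b", length: 1 } },
};
const tamperedEnv = { ...legitimate, environment: "staging" };

for (const body of [legitimate, tamperedTenant, tamperedEnv]) {
  console.log(auditLine(sampleSession, authorizeQuery(sampleSession, body)));
}
```

The point of the design is that the client-supplied tenant is only ever compared against membership the backend already knows from authentication, and the parameters actually used downstream are rebuilt from that trusted state; the environment check is a fixed allow-list rather than trusting the request. Logging every denial, rather than silently overwriting the value, makes a modified request visible.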