Make API keys write-only and not visible

When configuring an API resource in Retool, the API key is shown in plain text in the UI. My suggestion is to allow the API key to be updated, but not viewable through the UI, as this would make it more secure in the absence of a dedicated key management function within Retool. API keys are one example, but I think anything that stores credentials should adopt the same approach, e.g. database connection strings. Thanks!

Hey @markhammondmambu! We do support secret variables via Configuration variables on the Team plan or higher and you can use RETOOL_EXPOSED on a self-hosted instance on any plan.

I believe that all db passwords etc. are sanitized in the UI after the resource has been saved, but let me know if there is an instance where this isn't the case. Thanks!
