Masking of Auth Tokens to Public

Refer to attached sequence diagram

From the UI Frontend to access our backend data source API in a VPC, it is required to first obtained an auth token from AWS API Gateway. Then, using this token to call the data source API.

When this auth token response to UI Frontend, I understand that this token will shows in the response (correct me if I am wrong). This token will have the chance to expose and poses security risk.


  1. Does Retool hava a more secure way to store this kind of token when it responds?
  2. Is there a way to secure hide this token from possible public access? And, still available to use in next steps data source API call?

Thank you.

Check out the docs on resource authentication.

The section on OAuth 2.0 might be particularly helpful.