Novel authentication - token generation or IP/dns restricted access?

Hello - I have several brick and mortar locations with staff that need access to various apps built in Retool. These are hourly staff members who need access a customer records in Retool, accessed via a link in our POS/Retail CRM. Access is via a shared PC/terminal and team members don't have company issued email and, even if they did, because PCs/Terminals are shared - it would make things more complicated. I can't make applications public due to sensitive customer data so authentication is a given. The intended outcome is for employees with access a shared terminal can click a link which then opens an authenticated retool app.

Shared terminals require local authentication so I trust these points of entry as a means to then access the retool app. This in mind, I'm looking at the following scenarios... are any of these possible with retool?

  1. Token / URL generation from PC/terminal? Employee clicks a link/button which opens a browser, authenticates the user automatically which allows access to the app.
  2. IP or DNS restricted access? Local PCs/Terminals are part of a local DNS and share the same public IP... though, we don't have a static IP so this will change from time to time when we have Comcast Business or power outages.

Hey @cjharlin! The best option for you will likely be #1 - Token / URL generation from PC/terminal.

Using our embed product you can generate an authenticated link to a Retool app which can be opened in the browser.

We don't currently offer any IP or DNS restricted access. Though if you self host Retool vs using the Cloud offering, you can set this up yourself via security rules on the virtual machine.