Goal:
Make REST API aware of Retool user's permissions
Details:
I'd like my REST API to control authorisation to various endpoints based on the user permissions that have been assigned in Retool. The API would need to know what level of access (Use/Edit/Own) they have against either the permission group or the app/folder, as configured in Retool's Permissions section.
In a "normal" app this information would ordinarily be passed to the REST endpoint via the bearer token. Is there a way of doing this or something equivalent?
current_user appears to be an object stored in the Retool app. I'd like the user's permissions/roles to be sent to the REST API in a verifiable way.
In a normal web app, a signed bearer token normally contains this information. Is there a way for Retool to send a signed auth header with these claims?
I see there are some APIs that I could potentially use, but it makes the middleware a bit more complicated than I'd hoped, as the API would need to start talking to Retool to check group memberships, etc.
For clarity: It sounds like you want to have a user login, which (automatically?) generates a bearer token for that user based on (Retool?) permissions, and then uses that bearer token with your REST API to (which?) resource.