Pass permissions to REST API

  • Goal:
    Make REST API aware of Retool user's permissions

  • Details:
    I'd like my REST API to control authorisation to various endpoints based on the user permissions that have been assigned in Retool. The API would need to know what level of access (Use/Edit/Own) they have against either the permission group or the app/folder, as configured in Retool's Permissions section.

In a "normal" app this information would ordinarily be passed to the REST endpoint via the bearer token. Is there a way of doing this or something equivalent?

Hi @Hoi - welcome to the forums! Does current_user.groups have enough information for you to accomplish this, or are you looking for something else?

Hi @jg80,

current_user appears to be an object stored in the Retool app. I'd like the user's permissions/roles to be sent to the REST API in a verifiable way.

In a normal web app, a signed bearer token normally contains this information. Is there a way for Retool to send a signed auth header with these claims?

I see there are some APIs that I could potentially use but it makes the middleware a bit more complicated than I'd hoped as the API would need to start talking to retool to check group memberships, etc.

For clarity: It sounds like you want to have a user login, which (automatically?) generates a bearer token for that user based on (Retool?) permissions, and then uses that bearer token with your REST API to (which?) resource.

For your use case, where are the user's permissions/roles stored and what constitutes verifiable? Did you go through Custom API authentication | Retool Docs and Configure permission controls | Retool Docs?
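To illustrate what "verifiable" means in this thread, here is an added example (not Retool's code and not from either poster) of a minimal HMAC-signed bearer token carrying Retool-style claims (groups and a Use/Edit/Own access level) together with the API-side check that validates it before an endpoint is authorised. It assumes a shared secret held by both the token issuer and the REST API; the claim names and the secret value are constructed.

```python
# Added example: signed bearer token with Retool-style claims, verified
# by the REST API without calling back to Retool. Assumes a shared secret
# provisioned out of band; claim names are constructed, not Retool's.
import base64, hashlib, hmac, json, time

SECRET = b"constructed-shared-secret"      # assumption: provisioned out of band
LEVELS = {"Use": 1, "Edit": 2, "Own": 3}   # Retool access levels, ranked

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(user: str, groups: list, access: str, ttl: int = 300, now=None) -> str:
    """Issuer side: sign the claims so the API can trust them as-is."""
    now = int(time.time()) if now is None else now
    claims = {"sub": user, "groups": groups, "access": access, "exp": now + ttl}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"

def verify_token(token: str, now=None) -> dict:
    """API side: check the signature in constant time and the expiry, then return claims."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        raise PermissionError("malformed token")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise PermissionError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    return claims

def authorise(token: str, required: str, now=None) -> bool:
    """Endpoint guard: allow only if the signed access level meets the requirement."""
    try:
        claims = verify_token(token, now)
    except PermissionError:
        return False
    return LEVELS.get(claims.get("access"), 0) >= LEVELS[required]
```

The `now` parameter exists only so expiry can be exercised deterministically; a real middleware would use the clock and a secret from configuration rather than a literal.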
