I am running a self-hosted instance of Retool deployed on Northflank, and I am encountering a critical issue with the Settings > Permissions page.
When I navigate to the Permissions page, I see the message: "No groups exist for your organization yet." The list is completely blank—I cannot see the default "Admin" or "All Users" groups, nor any custom groups I attempt to create.
When I check the internal database, I see many groups with associated users, but none of these groups appear on the frontend.
Thanks for reaching out, I’m sorry to hear you’re hitting this issue! To help us troubleshoot this further, please can you come back to me on the below:
In the network tab of your browser dev tools, there should be a permissions request when you load the permissions page. What is the response?
There should also be an x-request-id header for the request, please can you grab this and use it to filter your container logs. These should throw some more light on what’s causing the permissions request to fail.
Were any changes made to your deployment prior to this happening (eg upgrading Retool versions)?
What Retool version are you on?
Have you noticed any other adverse behaviour, such as users having incorrect access to apps/workflows/resources etc?
Thanks for replying. Here are the things you asked:
I have attached screenshot of network.
error log from container is 2026-01-13T09:53:27.257637496Z stdout F {"errorType":"UNCAUGHT_ERROR","level":"error","message":"Global uncaught error","msg":"error:1C800064:Provider routines::bad decrypt","organization":{"id":1,"name":"chaitanya@sully.ai"},"pid":211,"requestId":"76033b96-e374-419b-b1aa-9703672e2fbc","sequelizeConnectionCount":1,"sequelizeCount":33,"stack":"Error: error:1C800064:Provider routines::bad decrypt\n at Decipher.final (node:internal/crypto/cipher:193:29)\n at EIs (/retool_backend/bundle/main.js:134:40342)\n at toc (/retool_backend/bundle/main.js:134:40116)\n at ioc (/retool_backend/bundle/main.js:134:44587)\n at Wl (/retool_backend/bundle/main.js:134:43165)\n at Wi.get (/retool_backend/bundle/main.js:1591:40978)\n at Wi.get (/retool_backend/node_modules/.pnpm/sequelize@6.31.0_patch_hash=dk6qy5gyzbjysuc4vxu23jnkrm_mysql2@2.3.3_oracledb@5.3.0_snowflake-_geltwdb3fqjepyd2eep3x2qxtu/node_modules/sequelize/lib/model.js:2168:41)\n at Wi.get (/retool_backend/node_modules/.pnpm/sequelize@6.31.0_patch_hash=dk6qy5gyzbjysuc4vxu23jnkrm_mysql2@2.3.3_oracledb@5.3.0_snowflake-_geltwdb3fqjepyd2eep3x2qxtu/node_modules/sequelize/lib/model.js:2190:33)\n at ref.Model.toJSON (/retool_backend/bundle/main.js:5726:53291)\n at JSON.stringify (<anonymous>)\n at stringify (/retool_backend/node_modules/.pnpm/express@4.21.2/node_modules/express/lib/response.js:1160:12)\n at ServerResponse.json (/retool_backend/node_modules/.pnpm/express@4.21.2/node_modules/express/lib/response.js:271:14)\n at ServerResponse.json (/retool_backend/node_modules/.pnpm/dd-trace@3.58.0_graphql@0.13.2/node_modules/dd-trace/packages/datadog-instrumentations/src/express.js:35:17)\n at ServerResponse.send (/retool_backend/node_modules/.pnpm/express@4.21.2/node_modules/express/lib/response.js:162:21)\n at /retool_backend/bundle/main.js:9385:1632\n at process.processTicksAndRejections (node:internal/process/task_queues:95:5)","startTime":2435635978.35147,"timestamp":"2026-01-13T09:53:27.257Z","user":{"email":"toolshed-founders@sully.ai","sid":"user_da7236c3fb6f4bc29a224124fc9e05ef"}}
Thanks! This error indicates a decryption failure. We typically see this when there is an ENCRYPTION_KEY mismatch - the ENCRYPTION_KEY environment variable doesn't match the key used to encrypt the data originally. This commonly happens after:
Redeploying with a different/regenerated key
Migrating databases without copying the encryption key
Did you change the ENCRYPTION_KEY recently? Or make any changes to your internal database?
Can you run queries, reset password, other encryption related functionality?
I personally did not change the ENCRYPTION_KEY recently, but this Retool instance was self-hosted by another engineer who has since left the company. I don’t yet have full historical context on whether the ENCRYPTION_KEY was rotated, regenerated, or lost during any past redeployments or database migrations.
To answer your questions:
I am able to run SQL queries directly against the internal Postgres database.
I have not yet tested password resets or other encryption-dependent functionality.
Given this situation, I’d appreciate guidance on the recommended recovery paths if the original encryption key cannot be recovered.
If this error suddenly started happening today and the ENCRYPTION_KEY wasn't changed just prior, then an encryption key mismatch may not be the root cause. Additionally, if the encryption key had been changed, I would expect resource queries that require authentication to fail, since Retool encrypts resource secrets (like passwords) in the database using the encryption key.
When I asked about running queries, I meant running resource queries within Retool itself—apologies for the confusion! When you query the internal Postgres database directly, you're just retrieving raw data where encrypted blobs remain encrypted.
Please can you test and confirm whether resource queries are working in Retool? For example, try querying a database resource that requires a password, or an API resource with authentication credentials.
Are other Admin users having the same issue as you?
Have any records been updated or inserted into the internal Postgres database directly?
We've encountered as similar issue before where a specific record in the db was encrypted with an incorrect or different encryption key. In that case, we identified the problematic records by manually attempting to decrypt values from the database.
I’d like to isolate whether this is:
A general encryption key issue (if other encryption-dependent functionalities are also failing, this points to a problem with the encryption key itself), OR
Specific records encrypted incorrectly (if only the permissions page fails but resources work fine, this suggests corrupted/incorrectly encrypted records in the database).
I have some resources connected to PostgresDB and BigQuery and those are working fine within Retool.
However, I ran into issues when trying to authenticate Google Sheets as the authentication failed. I am also facing persistent Retool Storage issues. File uploads consistently fail with the error “Unknown error while uploading file.”
Both the Google Sheets authentication issue and the Retool Storage issue have been present since the start of development. They were not blocking earlier, but now that we need to work with permission groups, these issues have become critical, which is why I am contacting support now.
The Permissions Groups page is not showing any groups, while other parts of the app continue to work.
Is this a relatively new instance that you've spun up? If so, did you import any data from a previous instance directly into the application database? Or potentially even reuse the previous database? That might explain why you're seeing an issue with the encryption key. The most likely culprits are the resources or workflow tables, but I suspect the former.
Regardless, the best path forward is to purge the database of the malformed data, whether it be plaintext or encrypted with the wrong key.
This instance is not new, and to my knowledge, no recent changes have been made. I haven’t imported data from any previous instance or reused any prior database.
