Retool migration to new AWS account – license and configuration questions

1. My goal
   1. Move our Retool deployment to a different AWS account as part of an infrastructure migration
2. Retool version & hosting setup (Docker, K8s, cloud provider, etc.):
   1. Version: 3.52.3
   2. Hosting setup
      1. as-is: Docker
      2. to-be: K8s

Hello Retool Team,

We are currently using the Business plan and have a few questions for migration.

Our migration plan is:

1. Create a PostgreSQL snapshot from the current environment and copy it to the new AWS account
2. Restore the database and launch Retool in the new account

My questions are:

1. Is it allowed to use the same license key on both environments for a short period of time (1–2 days) during the migration?
2. If we reuse the same license key, should the JWT secret and encryption key also remain the same between the two environments?
3. Are there any additional considerations or risks we should be aware of when following this migration plan?

Hey @summer

Thank you for reaching out to the Retool community. Let me address each of your questions below.

1. License Key — Using it on both environments during migration

Yes, this is fully supported. There is no limit to the number of separately deployed instances you can spin up with a single license key. Users are de-duplicated by email address, so running both environments simultaneously during your 1–2 day migration window will not affect your user count or licensing.

2. ENCRYPTION_KEY and JWT_SECRET

• ENCRYPTION_KEY — Must remain the same. This key encrypts sensitive data in the PostgreSQL database (e.g., resource credentials, SSH keys). Per the docs: "If you change this key, you will lose access to all resources that were created before the change". Since you're restoring a snapshot of the existing database, the new environment must use the exact same ENCRYPTION_KEY to decrypt stored credentials.

• JWT_SECRET — Should remain the same. This key signs authentication tokens. If changed, all active user login sessions are invalidated. Keeping it the same allows users to remain logged in during cutover. Changing it won't cause data loss but will force all users to re-authenticate.

3. Additional considerations

• Keep the same Retool version (3.52.3) on the new K8s deployment initially. This avoids introducing database migration changes during the infrastructure move. Upgrade after confirming the new environment is stable.

• Keep the same PostgreSQL version on the new database to reduce the risk of unforeseen issues. You can upgrade PostgreSQL separately after the migration is validated.

• Retool Database (if applicable): If you use Retool Database, it is separate from the platform database and requires its own migration and configuration via the RETOOLDB_POSTGRES_* environment variables.

• Carry over all environment variables: Beyond ENCRYPTION_KEY and JWT_SECRET, ensure all other env vars from your Docker setup ( SSO, custom domains, cookie settings, source control, etc ) are replicated in your K8s Helm values.yaml or Kubernetes secrets.

Please let us know if you have any follow-up questions! I would be happy to help further.

Regards,
John | Retool Support

It was very helpful. Thank you for your reply!!