Securely identifying the Retool user

Jack_Coates · February 27, 2025, 12:27pm

Goal:
Securely identifying the Retool user

Details:
I have a resource and my desire is to have all requests share the details of the user making the request to allow us to handle authorisation. I have not been able to find a way to securely do this though. Any reference to the current_user, such as placing it in the headers, could be manipulated.

Is this something that is possible? Issuing cookies or similar does not seem to be an option unless we go down the self hosted route.

Darren · March 5, 2025, 12:42am

Hey @Jack_Coates! Welcome back to the community and thanks for reaching out.

While it's true that opting for a self-hosted deployment would definitely give you additional options, I don't think it's specifically necessary for your proposed use case. We already specifically validate any references made to the current_user object from within resource queries. It's not a long article, but you can see some additional context in our docs.

Let me know if you have any additional questions!

Topic		Replies	Views
How to get retool user id? 💬 Account & User Management	6	5905	May 14, 2023
Pass permissions to REST API 💬 Queries and Resources	4	213	August 29, 2024
How to Securely Display Company-Specific Data in Retool for External User 💬 External Apps	2	47	April 21, 2025
Use current_user object in the resources 💬 Queries and Resources	2	63	December 16, 2024
Variable tokens for GraphQL resources 💬 Queries and Resources	2	1141	August 2, 2023

Securely identifying the Retool user

Related topics