Security of Public Apps: API Key

Hello!

My usecase is the following: I have a public app that must communicate with my backend server to list some information. The authentication of the backend for these endpoints is an API-Key sent trough the request headers.

My question is: Is this safe at all? will my public app never leak the API Key to the web client?

I found this topic but it is not clear at all on this matter: Sanitize resource headers

Thanks for your Help!

Hi @Whitman_Bohorquez,

No, it is not safe to expose your API key in a public Retool app if that key is included in frontend-executed queries. Retool public apps can expose sensitive headers if you’re not careful.

A couple ideas as a workaround:

Option 1: Retool Workflows or Backend APIs

• Set up a Retool Workflow or a custom endpoint on your own server that your public app can safely call.
• The Workflow handles communication with your secure API (with the API key), so it’s never exposed to the user.

Option 2: Retool Resource with Server-side Only Headers

• In the resource settings:
  1. Go to your REST API Resource
  2. Add your API key in the “Headers” section. This should keep headers out of the browser.

Double Check: Is My Key Leaking?

You can test this yourself:

1. Open the public app in an incognito window
2. Open browser DevTools → Network tab
3. Trigger the query
4. Look at the outgoing request → if you see your API key there, it's a problem.

Also use Retool’s “Environment Variables” to store keys securely.

• Avoid using {{ app.variable }} or any user-accessible JS to inject sensitive data into headers in a public app.