Security of Public Apps: API Key

Hello!

My use case is the following: I have a public app that must communicate with my backend server to list some information. The authentication of the backend for these endpoints is an API key sent through the request headers.

My question is: Is this safe at all? Will my public app never leak the API key to the web client?

I found this topic but it is not clear at all on this matter: Sanitize resource headers

Thanks for your help!


Hi @Whitman_Bohorquez,

No, it is not safe to expose your API key in a public Retool app if that key is included in frontend-executed queries. Retool public apps can expose sensitive headers if you’re not careful.

A couple of ideas as a workaround:

Option 1: Retool Workflows or Backend APIs

  • Set up a Retool Workflow or a custom endpoint on your own server that your public app can safely call.
  • The Workflow handles communication with your secure API (with the API key), so it’s never exposed to the user.

Option 2: Retool Resource with Server-side Only Headers

  • In the resource settings:
    1. Go to your REST API Resource
    2. Add your API key in the “Headers” section. This should keep headers out of the browser.

Double Check: Is My Key Leaking?

You can test this yourself:

  1. Open the public app in an incognito window
  2. Open browser DevTools → Network tab
  3. Trigger the query
  4. Look at the outgoing request → if you see your API key there, it's a problem.

Also use Retool’s “Environment Variables” to store keys securely.

  • Avoid using {{ app.variable }} or any user-accessible JS to inject sensitive data into headers in a public app.
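The "Double Check" steps above can be automated: export the Network tab as a HAR file and scan every outgoing request for the key value. The script below is an added example, not part of this thread or of Retool; the HAR fragment is constructed and `sk_live_EXAMPLE123` is a placeholder key. It also catches the key hidden inside a base64 Basic-auth header or a URL-encoded query parameter, which a visual scan of DevTools easily misses.

```python
import base64
import json
from urllib.parse import parse_qsl, urlsplit

# Constructed HAR fragment (DevTools "Save all as HAR"): entry 0 leaks the key
# in a custom header, entry 1 leaks it base64-encoded inside Basic auth,
# entry 2 goes through a server-side proxy and carries no key at all.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "https://api.example.test/items?limit=10",
                 "headers": [{"name": "X-API-Key", "value": "sk_live_EXAMPLE123"}],
                 "postData": {"text": ""}}},
    {"request": {"url": "https://proxy.example.test/items",
                 "headers": [{"name": "Authorization", "value": "Basic " +
                              base64.b64encode(b"user:sk_live_EXAMPLE123").decode()}],
                 "postData": {"text": ""}}},
    {"request": {"url": "https://proxy.example.test/items",
                 "headers": [{"name": "Content-Type", "value": "application/json"}],
                 "postData": {"text": "{\"limit\": 10}"}}},
]}})


def _decoded_forms(value):
    """Yield the raw value plus any whitespace-separated token that decodes as base64."""
    yield value
    for token in value.split():
        try:
            yield base64.b64decode(token, validate=True).decode("utf-8", "ignore")
        except ValueError:  # binascii.Error is a ValueError: token is not base64
            pass


def find_key_leaks(har_text, api_key):
    """Return [(entry index, location)] for each request that exposes api_key.

    Locations checked: full URL, each decoded query parameter, each request
    header and the request body. One hit per entry is enough to flag it.
    """
    leaks = []
    for i, entry in enumerate(json.loads(har_text)["log"]["entries"]):
        req = entry["request"]
        places = [("url", req["url"])]
        # parse_qsl URL-decodes values, so a percent-encoded key is still found
        places += [(f"query:{k}", v) for k, v in parse_qsl(urlsplit(req["url"]).query)]
        places += [(f"header:{h['name']}", h["value"]) for h in req.get("headers", [])]
        places.append(("body", req.get("postData", {}).get("text") or ""))
        for where, value in places:
            if any(api_key in form for form in _decoded_forms(value)):
                leaks.append((i, where))
                break
    return leaks


if __name__ == "__main__":
    for idx, where in find_key_leaks(SAMPLE_HAR, "sk_live_EXAMPLE123"):
        print(f"entry {idx}: API key visible in {where}")
```

An empty result means the browser never saw the key for the queries you triggered; any hit means that query must move to a Workflow or your own backend endpoint.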