Hello!
My use case is the following: I have a public app that must communicate with my backend server to list some information. The authentication of the backend for these endpoints is an API key sent through the request headers.
My question is: is this safe at all? Will my public app never leak the API key to the web client?
I found this topic but it is not clear at all on this matter: Sanitize resource headers
Thanks for your help!
1 Like
Hi @Whitman_Bohorquez,
No, it is not safe to expose your API key in a public Retool app if that key is included in frontend-executed queries. Retool public apps can expose sensitive headers if you’re not careful.
A couple ideas as a workaround:
Option 1: Retool Workflows or Backend APIs
- Set up a Retool Workflow or a custom endpoint on your own server that your public app can safely call.
- The Workflow handles communication with your secure API (with the API key), so it’s never exposed to the user.
Option 2: Retool Resource with Server-side Only Headers
- In the resource settings:
  - Go to your REST API Resource
  - Add your API key in the “Headers” section. This should keep headers out of the browser.
Double Check: Is My Key Leaking?
You can test this yourself:
- Open the public app in an incognito window
- Open browser DevTools → Network tab
- Trigger the query
- Look at the outgoing request → if you see your API key there, it's a problem.
Also use Retool’s “Environment Variables” to store keys securely.
- Avoid using {{ app.variable }} or any user-accessible JS to inject sensitive data into headers in a public app.
1 Like
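As an added illustration of Option 1 and the "Is My Key Leaking?" check above (example code, not Retool's and not the answerer's), this sketches the server-side part of a proxy endpoint: it attaches the API key from a server environment variable, discards any auth-related headers a public client tries to send, allowlists the query parameters it forwards, and strips sensitive upstream headers before replying to the browser. The `find_key_leaks` function is the DevTools check from the answer turned into code: it scans a list of captured requests for the secret. The upstream URL, the `UPSTREAM_API_KEY` variable name, and the captured requests are all constructed for the example.

```python
import os

# Constructed example key: a real deployment reads this from an environment
# variable or secrets manager on the server, never from public app state.
API_KEY = os.environ.get("UPSTREAM_API_KEY", "example-key-placeholder")

UPSTREAM_URL = "https://api.example.internal/items"  # hypothetical upstream API

# Auth-related headers a public client sends are discarded, never forwarded.
CLIENT_HEADERS_DROPPED = {"authorization", "x-api-key", "cookie", "host"}
# The only client header passed through unchanged (a tracing id, not a secret).
CLIENT_HEADERS_FORWARDED = {"x-request-id"}
# Only these query parameters reach the upstream API.
PARAMS_ALLOWED = {"page", "limit"}
# Upstream response headers that would reveal server-side details to the browser.
RESPONSE_HEADERS_DROPPED = {"x-api-key", "set-cookie", "server", "www-authenticate"}


def build_upstream_request(client_headers, client_params):
    """Turn an incoming public-app request into the server-to-server request.

    The API key is attached here, on the server, so the browser never sees it.
    Client headers are allowlisted: auth headers are dropped, everything not
    explicitly forwarded is ignored.
    """
    headers = {"Accept": "application/json", "X-API-Key": API_KEY}
    for name, value in client_headers.items():
        lowered = name.lower()
        if lowered in CLIENT_HEADERS_DROPPED:
            continue
        if lowered in CLIENT_HEADERS_FORWARDED:
            headers[name] = value
    params = {k: v for k, v in client_params.items() if k in PARAMS_ALLOWED}
    return {"url": UPSTREAM_URL, "headers": headers, "params": params}


def public_response(upstream_status, upstream_headers, upstream_body):
    """Build what the proxy returns to the browser: the body plus safe headers."""
    headers = {n: v for n, v in upstream_headers.items()
               if n.lower() not in RESPONSE_HEADERS_DROPPED}
    return {"status": upstream_status, "headers": headers, "body": upstream_body}


def find_key_leaks(captured_requests, secret):
    """Scan DevTools-style captured requests for the secret.

    Each request is a dict with 'url', 'headers' and 'body'. Returns a list of
    (url, location) pairs where the secret appears; an empty list means clean.
    """
    leaks = []
    for req in captured_requests:
        if secret in req.get("url", ""):
            leaks.append((req["url"], "url"))
        for name, value in req.get("headers", {}).items():
            if secret in value:
                leaks.append((req["url"], f"header:{name}"))
        if secret in (req.get("body") or ""):
            leaks.append((req["url"], "body"))
    return leaks


if __name__ == "__main__":
    # Constructed browser capture: one request that went straight to the
    # upstream with the key in a header, one that went through the proxy.
    captured = [
        {"url": "https://api.example.internal/items?page=1",
         "headers": {"X-API-Key": API_KEY}, "body": None},
        {"url": "https://proxy.example.com/items?page=1",
         "headers": {"Accept": "application/json"}, "body": None},
    ]
    print("leaks:", find_key_leaks(captured, API_KEY))
    print(build_upstream_request({"X-API-Key": "client-supplied", "X-Request-Id": "abc"},
                                 {"page": "1", "debug": "true"}))
```

Running the script shows the first captured request flagged as `header:X-API-Key` and the second clean, which is exactly what the incognito DevTools check in the answer looks for; the proxy request it prints carries the server-side key and the tracing id but not the client-supplied `X-API-Key` or the unknown `debug` parameter.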