Storing tokens in custom auth

Hello - I've read the other forum posts on this topic and am still having issues which I believe arise when I try and assign a token to a variable. I was having success in my app previously simply calling our authentication service and leveraging the tokens it responded with in the headers of the app calls, i.e. "Authorization" : "Bearer" {token from service}.

I want to move to custom auth as this seems more secure. Here's where I am:

  1. I have implemented a 3 step process to gather and (attempt to) assign a token to a variable. I can see my process is successfully retrieving the token:


  1. This is how I am attempting to assign the token:

  1. This is where I am putting the token in the Admin API Call:

  1. In my app, I'm getting 401's as nothing is being supplied in the call headers.

I implemented the authLogin button object correctly; I get a success message when I supply it with valid credentials.

Two thing to confirm -

  1. Should the headers be blank in the calls in the app?

  2. Do we need the admin api resource in the app?

Any help would be greatly appreciated!!

Hey @723clementina!

From the first screenshot posted it looks like you may need to drop the json part of the path to your token i.e. {{ http2.body.authorizationToken }} instead of {{ http2.body.json.authorizationToken }}. Does that work?


I tried with the following and am seeing the same behavior:


I added an authLogin button to my app and associated it with the aforementioned admin API. When I supply the modal with credentials I get a message indicating success.

However, when I try and use the variable "AUTHTOKEN" with other APIs in my app (passing it as a bearer token in the header of the calls) I receive an "unauthorized" message as if there's no token/the incorrect token.

Thanks for your help! If there is other information I can provide let me know; lots of moving pieces here.

I see, are you running the authentication in a separate resource from the APIs you're querying?

At the moment, saved variables are defined on a per-resource basis. People have requested for the ability to share them before, there currently aren't plans for including that functionality, but I can let you know here if it does get included!

In the meantime, you might be able to store a value in localStorage (docs) that allows for easier authentication of the other resources :thinking:

Got it - so to confirm, for any given API call I want to make in my app that leverages a token based auth flow I have to enter credentials to make every single call? And each of those API resources would need this custom auth flow individually embedded in it?

This adds a fair amount of complexity, as there might be one call to read data then several calls to affect several updates as part of one operation. At a minimum we'd be making 5 calls to do basic tasks. To your point around localStorage, are there other ways to solve this? What do most people do?

Appreciate the help!

You wouldn't need credentials for every single call but each resource would need to be authenticated individually, e.g. ----- Admin API - Devel and Get Policy - Devel would have independent auth flows. You can have multiple queries use the same resource though, and even specify different base URLs in the query itself.

I'm curious to know more about the difference between ----- Admin API - Devel and Get Policy - Devel :thinking: it may be easier to parametrize those differences and set them at the query level.

If you're finding that you need to re-authenticate each time you make a request to the same resource then I'm happy to look at that with you!

Kabirdas - thanks! The original problem I was trying to solve was how to use secrets in retool. I didn't want to have API credentials baked in plain text in the app setup. I also don't want users to have to enter the same API credentials repeatedly to use APIs which point to the same service.

I'm attempting to use one API to read data, then another API call to update some date. Both APIs could use the same resource but would act as separate queries (from Retool's perspective).

If one uses a single, base resource with the custom auth flow above across multiple queries, are the tokens obtained in the custom auth flow persisted across the queries?

Would love to connect and talk you through what I'm trying to achieve.

Yes! If you use a single, base resource with custom auth flow across multiple queries the tokens obtained will be persisted across the queries.

If you're specifically looking to have secret management there's a beta feature mentioned here that might be useful - let me know if it sounds interesting :slightly_smiling_face:

It would also be great to hear more about your use case generally, would you be open to chatting about it with folks during Office Hours?

Got it. Yes, I'd like to access the private beta. What would be a good next step?


I am trying to set some permissions received from previous authentication step to the local storage but is keeps saying Javascript Request in Step 4 failed : ReferenceError: localStorage is not defined

Hey @Debdut_Goswami!

If you were to use localStorage it would need to be from within an app, sorry for not being more clear here! When custom auth runs it's done from Retool's backend instead of in the frontend context so the JavaScript you run doesn't have access to all of the same APIs.

One other thing you might consider here is setting up a Workflow as part of your custom auth flow. Since workflows can be triggered via webhooks you can run one as an API request step which may give you some more modularity with your auth flows in certain cases.

Curious to hear more about your setup :thinking:

I think this How to set custom permissions in local storage? would be helpful for you to understand the set-up that we are trying to achieve.
Happy to know if there's any way around to this which might better suit our usecase.