As soon as I create a resource query in a workflow, where the resource has an authentication flow attached, it isn't run when running the entire workflow. When I run the specific query in the workflow it works as expected.
The same resources are used in "apps" and it works fine there.
when looking at the logs for the workflow i receive this error: " Error evaluating query2: {"statusCode":401,"message":"invalid_token","errors":[{"code":"invalid_token","message":"invalid_token"}],"error":"invalid_token"}"
How do i ensure a workflow is triggering all authentication steps on resources when the webhook for the workflow is triggered or is being run?
This is something that's being tracked on our end. What kind of authentication are you using for your resource? One solution has been to enable shared credentials on resources that use OAuth, for instance (see this post). If that doesn't apply would you mind sharing more about your setup?
The authentication method is a custom auth implementation. Where it has one step reaching out to an API, and two steps where it saves the access and refresh tokens into env variables i then use in the Authorization header of the resource
That sounds like it should work, I'm interested in any screenshots of the setup you might be able to share just in case there's something I'm missing from your description
One step I've often taken to debug requests in custom auth is to use a service like Pipedream to see the actual requests being sent by Retool and mock responses, similar to how I'd use the networking tab or postman echo for queries. If you're noticing anything out of the ordinary with something like that it would be great to know as well.
I had the same error happening to me but only after I updated the credentials on the resource.
I'm using custom auth with Bearer token.
When I run the specific query in the workflow it works as expected but the workflow fails when calling it. I get invalid token.
I fixed it by removing the code block in the workflow and adding it again. I wonder if there is some form of caching going on.
Hi @fs20 Glad you found a workaround! I'd be curious to see your auth set up if you're able to share
To provide an update on user based authentication in Retool, we still don't support user auth in Workflows. For now, resources with user based authentication shouldn't be selectable in blocks. I'll reach out if we ship more auth options in Workflows
Seems kinda huge that we cannot update fx Google sheet rows via scheduled runs in workflows. I get the “Error evaluating updateSheet: Access forbidden. Resources with user authentication cannot be called in workflows invoked outside of Agents, Apps, and direct workflow runs." when trying to automatically run my scheduled workflow.
For you Google Sheets use case, you have to options for setting that up with Workflows!
Option 1: Enable "Share Credentials" on the Google Sheets resource (easiest)
This is the quickest fix. In your Google Sheets resource settings, toggle on the Share credentials option. When enabled, all users share the same credentials and do not need to complete authentication themselves — all queries from Retool are made on behalf of the same authenticated user. Google Sheets Docs
This means the resource authenticates once (as whoever set it up), and the workflow can use those shared credentials without needing any per-user interactive login. This was confirmed as the fix for the exact "Auth not supported" error in workflows by a Retool team member in the community forum.
Option 2: Use a Service Account (most robust for workflows)
Retool recommends service account authentication when you need to share credentials across users. This method authenticates via a Google Cloud service account rather than a user's personal OAuth flow, restricting Retool's access to only the APIs or data shared with the service account email address. Retool
The setup involves:
Creating a service account in Google Cloud Console
Granting it access to the specific Google Sheets you need
Configuring the Retool Google Sheets resource to use service account auth instead of OAuth
This is the cleanest long-term solution for workflows since there's no token expiry or re-authentication risk tied to a specific user's Google session.
I'd be curious to see your auth set up if you're able to share