Variable tokens for GraphQL resources

Hello! I’m building a Retool now that is embedded in a Django template behind vanilla Django auth.
I would like to inject a Django token (tied to the user’s session) into the Retool to be used for GraphQL queries, and currently have to pass the token as a variable in the GraphQL query as opposed to being able to programmatically change the Bearer token associated with that particular GraphQL resource.
Is there a reason you don’t allow the auth credentials to be dynamically changed by a given Retool? If so, could you share the security reasoning?

Cleaning up this old thread for posterity-

Retool’s existing security/authentication protocols are built around the core use-case of users logging into their Retool accounts and using the apps inside of the organization. The farther we get from that supported setup, the less supported and secure the options will become. Like Ryan found here, the only real option is a less secure method of passing in the token as a variable and potentially exposing it to the users.

Resource credentials in Retool are stored server side, and any queries are routed through that server so that the credentials don’t need to be exposed to any users. If you need to pass in credentials from the client, they will inherently be insecure.