Skip to main content

General environment variables

Reference documentation for general environment variables.

General environment variables available for use with Self-hosted Retool deployments.

Only configure environment variables when needed. You can configure many environment variables from your organization's Settings rather than directly editing your deployment's configuration file.

You must restart your instance after setting any variables for them to take effect.

ADMIN_API_ACCESS_TOKEN

string

If non-empty, Retool creates an API access token with the provided string value. Requires ADMIN_USER_EMAIL to be set to a valid email address of an admin user.

Example
ADMIN_API_ACCESS_TOKEN=token

ADMIN_API_ACCESS_TOKEN_SCOPES

string

Comma-separated list of scopes to be assigned to the API access token created using ADMIN_API_ACCESS_TOKEN env variable.

Example
ADMIN_API_ACCESS_TOKEN_SCOPES=source_control:read,source_control:write,groups:read,groups:write,spaces:read,spaces:write,folders:read,folders:write,permissions:all:read,permissions:all:write

ADMIN_USER_EMAIL

string

If non-empty, Retool creates an admin user with the provided email in the Admin Space.

ALLOW_SAME_ORIGIN_OPTION

boolean

Whether to use allow-same-origin for iframes and custom components. If this is not true, custom components are heavily restricted in their behavior. Refer to the configure same-origin and sandbox guide to learn more.

Default value is false.

Example
ALLOW_SAME_ORIGIN_OPTION=false

API_CALLS_PER_MINUTE

number

Retool uses a point system for rate limiting where endpoint requests cost a certain number of points. The default is 300 points in a 60 second window. If you exceed this, Retool blocks any subsequent API calls for 60 seconds. You can increase the number of points with the API_CALLS_PER_MIN environment variable.

Default value is 300.

Example
API_CALLS_PER_MINUTE=300

BASE_DOMAIN

string

The full URL of your Retool deployment for user invitations and password resets. This also needs to be set if you dynamically set callback URLs on protected resources.

Example
BASE_DOMAIN=retool.example.com

CREATE_FIRST_ORG

boolean

If set to true, Retool automatically creates the first organization on the instance. This is useful for automated provisioning of Retool instances.

Default value is false.

Example
CREATE_FIRST_ORG=true

CUSTOM_RETOOL_SANDBOX_RESTRICTIONS

enum

The JavaScript sandbox restrictions to allow. Specify space-separated values for multiple restrictions. Only configure custom sandbox restrictions if you are comfortable with the security implications.

Example
CUSTOM_RETOOL_SANDBOX_RESTRICTIONS=allow-downloads

DEBUG

number

Whether to enable verbose logging for debugging purposes.

Default value is 0.

Example
DEBUG=1

DISABLE_IMAGE_PROXY

boolean

Whether to disable the proxy used for publicly embedded apps.

Default value is false.

Example
DISABLE_IMAGE_PROXY=true

DISABLE_INTERCOM

boolean

Disable Retool's support widget in the frontend. Refer to the Retool Support page to learn how to contact Retool.

Default value is false.

Example
DISABLE_INTERCOM=true

DISABLE_MEMORY_AND_CPU_USAGE_LOGGING

boolean

Whether to disable logging of memory and CPU usage.

Default value is false.

Example
DISABLE_MEMORY_AND_CPU_USAGE_LOGGING=true

DISABLE_PUBLIC_PAGES

boolean

Whether to disable public access to Retool apps. If set to true, also set DISABLE_IMAGE_PROXY to true to fully disable public access.

Default value is false.

Example
DISABLE_PUBLIC_PAGES=true

DOMAINS

string

The domains to use for EntityID in SAML requests and obtaining SSL certificates when setting up HTTPS.

Example
DOMAINS=retool.your-domain.com -> http://api:3000

HIDE_PROD_AND_STAGING_TOGGLES

boolean

Whether to hide the Production and Staging toggles in the Retool interface.

Default value is false.

Example
HIDE_PROD_AND_STAGING_TOGGLES=true

HOST_HEADER_NAME

string

Retool backend expects Host header to contain the host used in the original request. This is important for Spaces to work properly. If your self-hosted instance has a proxy or load-balancer in front of the Retool backend, you can specify a different header that contains the original host.

Default value is HOST_HEADER_NAME.

Example
HOST_HEADER_NAME=x-forwarded-host

HTML_ESCAPE_RETOOL_EXPRESSIONS

boolean

Whether to escape HTML in {{ }} expressions. If set to true, all HTML in expressions is escaped.

Default value is false.

Example
HTML_ESCAPE_RETOOL_EXPRESSIONS=true

HTTP_PROXY

string

The HTTP proxy to use for all HTTP requests.

Example
HTTP_PROXY=http://proxy.example.com:8080

LICENSE_KEY

string

The license key for your Retool deployment.

Example
LICENSE_KEY=key_1234567890

NO_PROXY

string

A comma-separated list of hosts that should not be proxied.

Example
NO_PROXY=localhost,*.service.company

NODE_TLS_REJECT_UNAUTHORIZED

number

Whether to reject unauthorized TLS certificates. This setting is insecure and not recommended for production instances

Example
NODE_TLS_REJECT_UNAUTHORIZED=0

NUM_WORKERS

number

The number of worker threads for the api container. The default value is Math.min(Math.max(1, numCPUs), 3), where numCPUs is the number of logical CPU cores on the machine determined by Node.js.

Example
NUM_WORKERS=4

RETOOL_ENVIRONMENT

string

The environment for SCIM provisioning and Source Control alerts.

Default value is production.

Example
RETOOL_ENVIRONMENT=production

RETOOL_EXPOSED_{NAME}

string

Use the RETOOL_EXPOSED_ prefix to store secrets that you can use when configuring resources. Only underscores and alphanumeric characters are supported.

Example
RETOOL_EXPOSED_{NAME}=RETOOL_EXPOSED_DB_USERNAME=db_user

SANDBOX_DOMAIN

string

The sandbox domain to use.

Example
SANDBOX_DOMAIN=https://not-your-primary-domain.com

SERVICE_TYPE

enum

Comma-separated list of Retool services to run within a container. If unset, all services run in the same container.

Example
SERVICE_TYPE=MAIN_BACKEND,JOBS_RUNNER

USAGE_API_TOKEN

string

The access token to enable Usage Analytics. Please reach out to your Retool account manager to obtain this token.

Example
USAGE_API_TOKEN=accessToken