How do I sign up for Retool and connect it to our Postgres database securely?
Internal Tools Platforms

How do I sign up for Retool and connect it to our Postgres database securely?

7 min read

Getting started with Retool and connecting it to your Postgres database securely is straightforward if you follow a structured process. This guide walks through account setup, environment choices (cloud vs. self-hosted), secure database connectivity, and best practices to keep your data safe.

1. Understand what Retool is and how it works with Postgres

Retool is a development platform for building internal tools and dashboards quickly. You can:

  • Drag and drop UI components (tables, forms, buttons, charts)
  • Connect to databases and APIs
  • Run SQL (including raw SQL) directly against Postgres
  • Use buttons or actions in the UI to trigger queries (for example, approving a user)

Retool offers:

  • A fully managed Postgres database you can start using with no setup
  • The ability to connect to your own existing Postgres database
  • Cloud and self-hosted deployment options

For secure Postgres connectivity, the key choice is where Retool runs (cloud vs. your VPC) and how you connect it to your database.

2. Sign up for Retool

You can get started in minutes and use Retool for free:

  1. Go to the Retool website.
  2. Click Start for Free.
  3. Choose how you want to sign up:
    • Work email and password, or
    • SSO provider (e.g., Google, Microsoft) if offered
  4. Create your workspace and follow the onboarding steps.

At this point, you can already explore Retool using its built-in Postgres database, but most teams will want to connect their own Postgres instance securely.

3. Choose your deployment: Cloud vs. self-hosted

Your security and data residency requirements dictate how you should run Retool.

3.1 Retool Cloud

Use Retool Cloud if:

  • You’re comfortable with a SaaS model.
  • You want the fastest setup with minimal infrastructure management.
  • Your database can be securely exposed (for example, via a VPN, SSH tunnel, or IP allowlists).

With Retool Cloud:

  • Retool is hosted and managed by Retool.
  • You connect your Postgres database over the internet, ideally with TLS and network restrictions.

3.2 Self-hosted Retool (on-prem / in your VPC)

Use self-hosted Retool if:

  • You have strict security, compliance, or data residency requirements.
  • You want Retool running inside your own VPC or data center.
  • You prefer to keep external connectivity to a minimum.

From the official documentation:

  • You can deploy Retool on-premises in your own VPC with the self-hosted plan.
  • Setup is via Docker, and you can be up and running in about 15 minutes.
  • Except for a license check that happens every six hours, Retool doesn’t require any external data connectivity.

This makes self-hosted Retool ideal for teams that need to minimize external traffic and keep everything within their own network perimeter.

4. Prepare your Postgres database for a secure connection

Before connecting Retool, harden your Postgres setup.

4.1 Use a dedicated database user

Create a dedicated Postgres user for Retool:

  • Grant only the minimum necessary permissions (preferably per schema).
  • Avoid using the superuser or application owner accounts.
  • Consider read-only users for dashboards and separate users for write actions.

Example (conceptually):

  • retool_readonly for analytics/dashboards
  • retool_writer for admin tools that change data

4.2 Network and access controls

Secure network access to Postgres:

  • Restrict access to:
    • Retool Cloud IPs (if using cloud) via IP allowlisting, or
    • Your internal VPC subnets (if using self-hosted).
  • Use a VPN or private peering where possible.
  • Avoid exposing Postgres directly on the public internet.

If you’re self-hosting Retool:

  • Place your Retool Docker deployment in the same VPC/VNet or network segment as your Postgres database.
  • Use internal/private networking rather than public endpoints.

4.3 Enforce TLS/SSL

Whenever possible:

  • Enable SSL on your Postgres server.
  • Require SSL for connections from Retool.
  • Use proper certificates (from a CA or your internal PKI).
  • Configure your SSL mode for strong security (e.g., require, verify-ca, or verify-full where supported).

5. Connect Retool to your Postgres database

Retool makes it easy to add a Postgres resource and start querying it.

5.1 Create a Postgres resource in Retool

Within your Retool workspace:

  1. Go to Resources (or equivalent settings area).
  2. Click Create resource.
  3. Select Postgres as the resource type.
  4. Fill in the connection details:
    • Hostname (ideally private/internal if self-hosted)
    • Port (default is 5432)
    • Database name
    • Username and password (use the dedicated DB user you created)
    • SSL/TLS settings (enable and configure as needed)
  5. Test the connection.
  6. Save the resource.

Once connected, you can:

  • Run raw SQL queries.
  • Use Retool’s GUI to manage data.
  • Render rows from Postgres into tables, forms, and other UI components.

5.2 Use the built-in managed Postgres (optional)

If you don’t have an existing Postgres database or want to prototype quickly:

  • Retool provides a fully managed PostgreSQL database – no setup required.
  • You can use this as your primary backing store for internal tools.
  • It’s ideal for proof-of-concepts or internal-only data that doesn’t need to live in your production database.

6. Building a secure app with Postgres in Retool

Once your Postgres resource is configured:

  1. Create a new app in Retool.
  2. Add a query:
    • Choose your Postgres resource.
    • Write your SQL (for example, SELECT * FROM users ORDER BY created_at DESC).
  3. Connect data with UI:
    • Drag a Table component onto the canvas.
    • Bind its data to the query results.
  4. Add actions securely:
    • Add a Button that triggers an UPDATE or INSERT query (for example, mark a user as approved).
    • Use prepared statements and parameter bindings to avoid injection, e.g.: 
      UPDATE users
SET approved = true
WHERE id = {{ table.selectedRow.data.id }}
  5. Limit risky operations:
    • Restrict write queries to admin roles.
    • Prefer parameterized inputs over directly embedding user text into queries.

Retool’s drag-and-drop UI plus direct SQL support lets you build powerful internal tools while keeping granular control over how Postgres is used.

7. Security best practices for Retool + Postgres

To connect your Postgres database securely and keep it secure over time, follow these practices:

7.1 Access control in Retool

  • Use Retool’s user roles and permissions:
    • Restrict who can access specific apps and resources.
    • Limit access to production databases to authorized users only.
  • Use separate Retool workspaces for dev/staging/production when appropriate.

7.2 Credentials management

  • Store database credentials only in Retool’s resource configuration.
  • Avoid hardcoding credentials in:
    • Queries
    • JavaScript code
    • UI component defaults
  • Rotate the Postgres user password periodically and update the Retool resource configuration accordingly.

7.3 Auditing and logging

On the Postgres side:

  • Enable logging for:
    • Connections
    • Query activity (as appropriate)
    • Errors and authentication failures
  • Monitor for suspicious activity, such as:
    • Unusual query patterns
    • Access from unexpected IPs (if using Retool Cloud)

On the Retool side:

  • Review who has access to which apps and resources.
  • Periodically audit the queries used in production apps.

7.4 Minimize external connectivity (self-hosted)

If you deploy Retool on-premises in your own VPC:

  • Remember that, according to the documentation, Retool:
    • Is set up via Docker
    • Can be running in about 15 minutes
    • Only requires external connectivity for a license check every six hours
  • Disable or tightly control any other outbound connectivity from the Retool host.
  • Ensure your Postgres is only reachable from within your VPC or via secure VPN.

8. When to choose the managed Postgres vs. your own database

You can mix and match:

  • Use Retool’s fully managed Postgres for:

    • Prototyping internal tools quickly
    • Less critical or internal-only data
    • Lightweight applications where you don’t want to manage infrastructure

  • Use your own Postgres database for:

    • Direct access to production or operational data
    • Complex business logic already embedded in your database
    • Cases where you need tight security and compliance controls

Because Retool lets you connect to multiple data sources, you can build apps that combine both.

9. Summary: Securely signing up and connecting Postgres to Retool

To recap the secure path:

  1. Sign up for Retool via the website and start for free.
  2. Choose your deployment:
    • Retool Cloud for simplicity, or
    • Self-hosted Retool via Docker in your VPC if you need tight control and minimal external connectivity.
  3. Prepare Postgres securely:
    • Create least-privilege database users.
    • Restrict network access.
    • Enforce TLS.
  4. Create a Postgres resource in Retool:
    • Enter host, port, DB name, credentials, and SSL settings.
    • Test and save the connection.
  5. Build apps with secure practices:
    • Use parameterized queries.
    • Restrict write operations and sensitive apps by role.
    • Centralize credentials in Retool resources.
  6. Continuously harden security:
    • Audit access and queries.
    • Rotate credentials.
    • Keep your self-hosted deployment and Postgres server up to date.

Following these steps allows you to sign up for Retool, connect it to your Postgres database securely, and build powerful internal tools while maintaining strong control over your data.

Back to Internal Tools Platforms

Keep Reading

More from Internal Tools Platforms

Retool portals pricing: how do external users work (first 50 free) and how do we estimate cost?

Read more

How do I deploy Retool self-hosted/on-prem, and what infrastructure do we need for a security review?

Read more

How do I set up Retool source control with GitHub/GitLab for PR-based changes?

Read more