API Keys for AI Access

Updated 11 July 2026

Create, test, and manage the secure keys that let AI tools connect to your Odoo data.

Overview

An API key is like a password that an AI tool uses to talk to Odoo. Each key has a name, a secret token, and a linked Odoo user. When Claude asks “show me open sales orders,” Odoo runs that search as the linked user – with exactly that user’s permissions.

You can create multiple keys for different teams, tools, or purposes. For example, one key for Claude (read-only sales data) and another for an internal automation bot (inventory updates).

How It Works

When you create a new API key, Odoo automatically generates a secure random token. The token is shown once on screen – copy it immediately. Odoo stores only a scrambled version internally, so nobody (not even admins) can see the full token again later.

The AI tool sends this token with every request. Odoo verifies it, checks expiry and IP rules, applies access restrictions, performs the action, and writes an audit log entry.

If you need to change the token (for example, if it was accidentally shared), use Rotate Token. The old token keeps working for a grace period you define, so connected tools do not break instantly.

Step-by-Step Guide

Go to Odoo MCP Connection → API Keys and click New.

Enter a Name that describes the purpose (e.g. “Claude – Customer Support”).

Select the Odoo User the AI should act as. Pick a user with only the access that AI needs.

Optionally set an Expires On date for temporary access.

Click Save. Copy the token immediately from the Token section.

Open the API Console tab. Copy the MCP Endpoint URL – this is what you paste into your AI tool.

Choose a test method (e.g. tools/list) and click Run API Test. Confirm the status shows Success.

Set up App Access and Model Access tabs to limit what this key can do (see the Access Control chapter).

Fields Table

Field Explanations

Name

Helps you tell keys apart in lists and audit logs. Use names that include the tool and team, not generic names like “Key 1”.

Odoo User

The most important security setting. The AI can only do what this user can do in Odoo. Create a dedicated user with limited rights when possible.

Active

Uncheck to instantly disable a key – useful when someone leaves the team or you suspect the token was leaked. The key record stays for audit history.

Expires On

Set an end date for contractors or trial periods. After this date, requests are rejected even if the key is still marked active.

Token Prefix

Lets you match audit log entries to a key without exposing the full secret. Useful when reviewing logs with your team.

Token (plain)

The actual secret you give to the AI tool. It disappears after you navigate away. Treat it like a password – never email it or post it in chat.

Notes

Free text for your team. Record who owns this key, which AI product uses it, and when it should be reviewed.

IP Allowlist

One IP address or range per line. If filled in, only those locations can use this key. Leave empty to allow from anywhere.

IP Denylist

Block specific IPs before the allowlist is checked. Use to block a known bad address quickly.

Rate Limit / Second & / Minute

Prevent a runaway AI from flooding your server. Set to 0 to use the defaults from System Settings.

Rotation Grace Days

When you rotate a token, the previous one still works for this many days. Gives you time to update all AI tools without interruption.

Last Used & Use Count

Help you spot unused keys (safe to archive) or heavily used keys (may need tighter limits).

MCP Endpoint & Health URL

Ready-to-copy connection addresses. Always use the full URL including ?db= on multi-database servers.

Test Method & Last Test Status

Built-in connection checker. Run a test after setup or after changing permissions to confirm everything still works.

Tips

Common Mistakes

Image