Create, test, and manage the secure keys that let AI tools connect to your Odoo data.
Overview
An API key is like a password that an AI tool uses to talk to Odoo. Each key has a name, a secret token, and a linked Odoo user. When Claude asks “show me open sales orders,” Odoo runs that search as the linked user – with exactly that user’s permissions.
You can create multiple keys for different teams, tools, or purposes. For example, one key for Claude (read-only sales data) and another for an internal automation bot (inventory updates).
How It Works
When you create a new API key, Odoo automatically generates a secure random token. The token is shown once on screen – copy it immediately. Odoo stores only a scrambled version internally, so nobody (not even admins) can see the full token again later.
The AI tool sends this token with every request. Odoo verifies it, checks expiry and IP rules, applies access restrictions, performs the action, and writes an audit log entry.
If you need to change the token (for example, if it was accidentally shared), use Rotate Token. The old token keeps working for a grace period you define, so connected tools do not break instantly.
Step-by-Step Guide
Go to Odoo MCP Connection → API Keys and click New.
Enter a Name that describes the purpose (e.g. “Claude – Customer Support”).
Select the Odoo User the AI should act as. Pick a user with only the access that AI needs.
Optionally set an Expires On date for temporary access.
Click Save. Copy the token immediately from the Token section.
Open the API Console tab. Copy the MCP Endpoint URL – this is what you paste into your AI tool.
Choose a test method (e.g. tools/list) and click Run API Test. Confirm the status shows Success.
Set up App Access and Model Access tabs to limit what this key can do (see the Access Control chapter).
Fields Table
| Field Name | Description | Example |
|---|---|---|
Name |
A label so you recognize this key later |
Claude – Sales Read Only |
Odoo User |
Which Odoo account the AI acts as |
Sales Manager (Jane Smith) |
Active |
Turn off to block this key without deleting it |
Checked (on) |
Expires On |
Date after which the key stops working |
31 Dec 2026 |
Token Prefix |
First few characters of the token (for identification) |
aB3xK9mQ |
Token (plain) |
The secret key – copy when first shown |
Long random string (shown once) |
Notes |
Internal reminders about this key |
Used by marketing team’s ChatGPT plugin |
IP Allowlist |
Only allow requests from these IP addresses |
203.0.113.10 |
IP Denylist |
Block requests from these IP addresses |
198.51.100.5 |
Rate Limit / Second |
Max requests per second (0 = use global default) |
5 |
Rate Limit / Minute |
Max requests per minute (0 = use global default) |
60 |
Rotation Grace Days |
How long old tokens stay valid after rotation |
7 days |
Last Used |
When this key was last used (read-only) |
12 Jun 2026, 10:30 AM |
Use Count |
Total number of requests made with this key |
1,247 |
MCP Endpoint |
URL your AI tool connects to (API Console tab) |
https://mycompany.odoo.com/mcp?db=production |
Health URL |
Quick check URL to verify the server is running |
https://mycompany.odoo.com/mcp/health?db=production |
Test Method |
Which test to run from the API Console |
tools/list |
Last Test Status |
Result of your most recent API test |
Success |
Field Explanations
Name
Helps you tell keys apart in lists and audit logs. Use names that include the tool and team, not generic names like “Key 1”.
Odoo User
The most important security setting. The AI can only do what this user can do in Odoo. Create a dedicated user with limited rights when possible.
Active
Uncheck to instantly disable a key – useful when someone leaves the team or you suspect the token was leaked. The key record stays for audit history.
Expires On
Set an end date for contractors or trial periods. After this date, requests are rejected even if the key is still marked active.
Token Prefix
Lets you match audit log entries to a key without exposing the full secret. Useful when reviewing logs with your team.
Token (plain)
The actual secret you give to the AI tool. It disappears after you navigate away. Treat it like a password – never email it or post it in chat.
Notes
Free text for your team. Record who owns this key, which AI product uses it, and when it should be reviewed.
IP Allowlist
One IP address or range per line. If filled in, only those locations can use this key. Leave empty to allow from anywhere.
IP Denylist
Block specific IPs before the allowlist is checked. Use to block a known bad address quickly.
Rate Limit / Second & / Minute
Prevent a runaway AI from flooding your server. Set to 0 to use the defaults from System Settings.
Rotation Grace Days
When you rotate a token, the previous one still works for this many days. Gives you time to update all AI tools without interruption.
Last Used & Use Count
Help you spot unused keys (safe to archive) or heavily used keys (may need tighter limits).
MCP Endpoint & Health URL
Ready-to-copy connection addresses. Always use the full URL including ?db= on multi-database servers.
Test Method & Last Test Status
Built-in connection checker. Run a test after setup or after changing permissions to confirm everything still works.
Tips
- Click the stat button Audit Logs on the key form to jump straight to activity for just that key.
- The Token History tab shows every past token version – helpful during rotation to confirm old tokens have expired.
- Use Create OAuth Client on the key form if you plan to connect Claude – it links OAuth and the API key automatically.
Common Mistakes
- Linking the Administrator user: The AI inherits admin power. Always use a normal user with scoped permissions.
- Skipping the API test: A failed test before go-live saves hours of troubleshooting in the AI tool later.
- Rotating without updating AI tools: After rotation, update every tool within the grace period or they will start getting access denied errors.