Skip to Content
This question has been flagged
securityAPIAI
1 Reply
433 Views
Avatar
Rutger Hofste

I've just had a great conversation with Odoo Support that confirmed something I'd been hoping wasn't the case:

"Odoo counts every user in the system, including bot or service accounts, as a billable user. API keys are always tied to a user, so they inherit that user's access rights. There is currently no built-in way to create scoped API tokens with limited permissions independent of a user."

I'm posting this because I'd love to hear how other implementation partners and customers are handling the same problem in practice.

The use cases I'm dealing with on a single Odoo instance:

  1. AI assistant via MCP Pro (ChatGPT / Claude) — read-heavy, occasional writes on sale.order and crm.lead
  2. Public website form — must only create on crm.lead, with specific extra fields
  3. Cron job that syncs some stats from our SaaS into Odoo daily
  4. n8n workflow that comments on new partners after enrichment
  5. A Python script for one-off data imports — full access, but only run on-demand

Each one needs a different scope. Principle of least privilege says they should each have minimal permissions. Native Odoo gives me two options:

  • One technical user per integration — clean separation, but each one is a billable user (≈€30-40/month in our region). Five integrations = €150-200/month extra, purely for governance — the bot uses no UI, no email, no chat, no calendar, no human-seat features.
  • One shared "integration user" cheap, but every call collapses to the same user_id in the audit log. No way to distinguish "who did what" between five very different consumers. Not great when something goes wrong.

For enterprise customers I find option 1 economically unviable and option 2 weak on governance. Both feel wrong.

My questions to the community:

  1. Have you found a way to scope API keys (per-model, per-method, per-IP, per-time-window) without spinning up additional billable users? OCA modules, custom modules, anything?
  2. For per-call attribution on a shared user, are you doing anything beyond inspecting auditlog.http.request.user_context for self-asserted tags? I'm exploring patching res.users.apikeys._check_credentials to carry the matched key id forward into request.session — then the audit log can show which key called, not just which user. Curious if anyone has done this in production.
  3. Has anyone successfully negotiated a non-billable "integration user" / "service account" exception with Odoo SA for headless automation?
  4. Is there a planned change in Odoo 20 to either (a) allow API key scoping or (b) introduce a non-billable service-account user type? I haven't seen anything in the Odoo Experience 2025 keynote or the 20 preview material, but maybe I missed it.

I'm building an open-source AI governance module (pan_mcp_pro_governance, free on the App Store) and want to make sure I'm not solving a problem someone has already cracked. Patches and ideas very welcome.

Thanks

Avatar
Discard
Benjamin Ruoff
I completely agree with this.

The way Odoo currently handles this feels pretty absurd to me. For API access, automation, and integrations, scoped permissions and proper attribution should be basic platform capabilities. Tying every API key directly to a full user account is, in my opinion, a questionable architectural decision. It does not really fit modern expectations around least privilege, auditability, and governance.

I find Viveks suggetion with the OCA plugin great but what makes it even more frustrating is that even if someone builds a proper solution as a custom module, you cannot install it on Odoo Online without moving to Odoo.sh. At some point, it really starts to feel less like a technical limitation and more like an upsell trap.  

For a system that positions itself as a serious business platform with strong integration capabilities, proper service accounts or scoped API tokens should not be a luxury. Not every technical access is a human user, and not every API key should inherit the rights of a full account.

Avatar
Vivek Kundaliya
Best Answer

This is an excellent question that highlights a real gap in Odoo's current architecture. Unfortunately, there is no native built-in solution for scoped API keys without additional billable users in Odoo.


The workarounds are exactly what you've described: either multiple billable users (expensive) or a shared integration user (weak audit trail).


For OCA modules, check: https://github.com/OCA/server-auth - there may be something in the "auth" modules that can help with key-level attribution.


I can provide a custom module that implements scoped API key management for Odoo - allowing you to create API keys with specific model/method restrictions, IP whitelisting, and per-key audit logging without requiring additional billable users. Reach me at custom@trewac.com

Avatar
Discard
Rutger Hofste
Author

Great suggestion. The OCA community indeed has great repos. However there was no support for v19 and api keys were linked to users, not scopes (user roles). I merged two oca repos (user roles and audit), and added functionality so you can optionally limit the scope for your api key (and therefore mcp) without adding new users and without changing what the user can do. https://github.com/pantalytics/odoo-mcp-pro-governance

Rutger Hofste
Author

Perhaps you can check out if your modules could improve this one (feel free to do a PR)

Related Posts Replies Views Activity
AI governance (Data governance)
security AI
Avatar
Avatar
1
May 26
605
OdooPilot v0.1.0 — free open-source AI agent for Odoo (Telegram + WhatsApp, Claude/GPT-4/Groq/Ollama) — feedback and feature requests welcome
AI
Avatar
0
Apr 26
26
Introducing AI tools which can be used in Odoo version 17, 18 and 19
AI
Avatar
0
Apr 26
813
Local Odoo 19 Database: Inventory not showing on Hand?
security
Avatar
0
Apr 26
5
Database stock product names are different than in the Odoo UI
API
Avatar
Avatar
1
Mar 26
704