I've just had a great conversation with Odoo Support that confirmed something I'd been hoping wasn't the case:
"Odoo counts every user in the system, including bot or service accounts, as a billable user. API keys are always tied to a user, so they inherit that user's access rights. There is currently no built-in way to create scoped API tokens with limited permissions independent of a user."
I'm posting this because I'd love to hear how other implementation partners and customers are handling the same problem in practice.
The use cases I'm dealing with on a single Odoo instance:
- AI assistant via MCP Pro (ChatGPT / Claude) — read-heavy, occasional writes on sale.order and crm.lead
- Public website form — must only create on crm.lead, with specific extra fields
- Cron job that syncs some stats from our SaaS into Odoo daily
- n8n workflow that comments on new partners after enrichment
- A Python script for one-off data imports — full access, but only run on-demand
Each one needs a different scope. Principle of least privilege says they should each have minimal permissions. Native Odoo gives me two options:
- One technical user per integration — clean separation, but each one is a billable user (≈€30-40/month in our region). Five integrations = €150-200/month extra, purely for governance — the bot uses no UI, no email, no chat, no calendar, no human-seat features.
- One shared "integration user" — cheap, but every call collapses to the same user_id in the audit log. No way to distinguish "who did what" between five very different consumers. Not great when something goes wrong.
For enterprise customers I find option 1 economically unviable and option 2 weak on governance. Both feel wrong.
My questions to the community:
- Have you found a way to scope API keys (per-model, per-method, per-IP, per-time-window) without spinning up additional billable users? OCA modules, custom modules, anything?
- For per-call attribution on a shared user, are you doing anything beyond inspecting auditlog.http.request.user_context for self-asserted tags? I'm exploring patching res.users.apikeys._check_credentials to carry the matched key id forward into request.session — then the audit log can show which key called, not just which user. Curious if anyone has done this in production.
- Has anyone successfully negotiated a non-billable "integration user" / "service account" exception with Odoo SA for headless automation?
- Is there a planned change in Odoo 20 to either (a) allow API key scoping or (b) introduce a non-billable service-account user type? I haven't seen anything in the Odoo Experience 2025 keynote or the 20 preview material, but maybe I missed it.
I'm building an open-source AI governance module (pan_mcp_pro_governance, free on the App Store) and want to make sure I'm not solving a problem someone has already cracked. Patches and ideas very welcome.
Thanks
For a system that positions itself as a serious business platform with strong integration capabilities, proper service accounts or scoped API tokens should not be a luxury. Not every technical access is a human user, and not every API key should inherit the rights of a full account.
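One way to get per-consumer scoping and per-call attribution on top of a single shared integration user, as an added example that is not from the post and not Odoo's own code: a policy layer (for instance inside a small proxy in front of Odoo's XML-RPC/JSON-RPC endpoint) that maps each consumer's own token to an allow-list of (model, method) pairs, source networks and a UTC time window, and stamps the matched key id into the call's `context` so the audit log can record which key acted under the shared user. The `POLICIES` and `TOKENS` tables, the token strings, the `x_saas.stats` model and the `integration_key` context key are assumptions.

```python
# Constructed policy layer: consumers present their own token; allowed calls are forwarded
# under the shared integration user with the key id merged into the Odoo context.
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
import hashlib
@dataclass(frozen=True)
class Scope:
    key_id: str                        # attribution tag for the audit log
    allow: frozenset                   # allowed (model, method) pairs; "*" is a wildcard
    networks: tuple = ("0.0.0.0/0",)   # permitted source CIDRs
    hours: tuple = (0, 24)             # permitted UTC window [start, end)
# Scopes mirroring the five consumers in the post (model/method names are assumptions).
POLICIES = {
    "mcp": Scope("key-mcp", frozenset({("sale.order", "*"), ("crm.lead", "*")})),
    "webform": Scope("key-webform", frozenset({("crm.lead", "create")}),
                     networks=("203.0.113.0/24",)),
    "cron": Scope("key-cron", frozenset({("x_saas.stats", "create")}), hours=(2, 4)),
    "n8n": Scope("key-n8n", frozenset({("res.partner", "message_post")})),
    "import": Scope("key-import", frozenset({("*", "*")})),
}
# Token store holds SHA-256 digests only; the plaintext tokens here are constructed.
TOKENS = {hashlib.sha256(t.encode()).hexdigest(): name for t, name in [
    ("tok-mcp-1", "mcp"), ("tok-web-1", "webform"), ("tok-cron-1", "cron"),
    ("tok-n8n-1", "n8n"), ("tok-import-1", "import")]}

def resolve(token):
    """Return the Scope for a presented token, or None if it is unknown."""
    return POLICIES.get(TOKENS.get(hashlib.sha256(token.encode()).hexdigest()))

def check(token, model, method, source_ip, hour=None):
    """Return None if the call is within the token's scope, else the denial reason."""
    scope = resolve(token)
    if scope is None:
        return "unknown token"
    if not any(m in (model, "*") and f in (method, "*") for m, f in scope.allow):
        return f"{model}.{method} not in scope of {scope.key_id}"
    if not any(ip_address(source_ip) in ip_network(n) for n in scope.networks):
        return f"source {source_ip} not allowed for {scope.key_id}"
    hour = datetime.now(timezone.utc).hour if hour is None else hour
    if not scope.hours[0] <= hour < scope.hours[1]:
        return f"outside permitted window for {scope.key_id}"
    return None

def forward_args(token, db, uid, password, model, method, args, kwargs, source_ip, hour=None):
    """Build execute_kw arguments for the shared user, with the key id merged into context."""
    if reason := check(token, model, method, source_ip, hour):
        raise PermissionError(reason)
    kwargs = dict(kwargs or {})
    kwargs["context"] = {**kwargs.get("context", {}), "integration_key": resolve(token).key_id}
    return [db, uid, password, model, method, list(args), kwargs]
```

The shared user's Odoo credentials stay inside the proxy; each consumer only ever holds its own scoped token, and a denied call never reaches Odoo at all.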