Skip to content
Easymob Addons

Security & API Reference

Technical details on the MCP Server’s security layer and API endpoints.

API Endpoints

Section titled “API Endpoints”

The server implements the Model Context Protocol (MCP) 2024-11-05 specification.

EndpointMethodAuthDescription
/mcpGETBearerEstablish SSE stream for async communication
/mcpPOSTBearerSend JSON-RPC messages and tool calls
/mcpOPTIONSCORS pre-flight request
/mcp/healthGETPublic health check (no auth required)
/mcp/sseGETBearerLegacy SSE endpoint (deprecated)
/mcp/messagesPOSTBearerLegacy message endpoint (deprecated)

Security Architecture

Section titled “Security Architecture”

The MCP Server acts as an authenticated bridge but never bypasses your Odoo security rules.

1. Always Blocked Models

Section titled “1. Always Blocked Models”

These core Odoo models are permanently blocked from all MCP access for security:

  • ir.rule — Access control rules
  • ir.model.access — Model permissions
  • ir.config_parameter — System configuration
  • mcp.api.key — API key storage
  • res.users — User accounts
  • res.groups — Permission groups
  • ir.cron — Scheduled actions
  • ir.module.module — Addon management
  • ir.ui.view — UI definitions
  • ir.attachment — File storage
  • ir.actions.server — Server actions
  • ir.actions.act_window — Window actions

2. Method Blocklist

Section titled “2. Method Blocklist”

The execute_method tool blocks dangerous methods:

  • CRUD Methods: unlink, write, create, copy
  • Context Methods: sudo, with_user, with_context, with_env, with_company
  • Data Methods: export_data, load, import_data
  • Private Methods: All methods starting with _

3. Per-Model Access Control

Section titled “3. Per-Model Access Control”

Define which models agents can access:

  1. Go to MCP Server → Security → Model Access.
  2. Click New to add a rule.
  3. Select model, then choose allowed CRUD operations: Create, Read, Update, Delete.
  4. If no rule exists for a model, access follows Odoo’s standard ACLs and Record Rules.

4. API Key Best Practices

Section titled “4. API Key Best Practices”
  • Generate a unique key per AI agent.
  • Set expiry dates on temporary keys.
  • Use IP Whitelisting if agents run from fixed IP addresses.
  • Rotate keys regularly.

Upgrade Notes

Section titled “Upgrade Notes”
  • Buyer-facing changes are tracked in CHANGELOG.md.
  • Before upgrading:
    1. Back up your database and addons directory.
    2. Validate upgrade in staging first.
    3. Re-check /mcp/health, API key auth, and tool execution.
  • After upgrading:
    1. Review MCP settings defaults and limits.
    2. Reconfirm model access rules for least privilege.

License

Section titled “License”

LGPL-3