Skip to content

Authentication

Odoo 19 JSON-2 uses an API key as a bearer token. The key acts with the identity, groups, company access, and record rules of the user that owns it.

Create an API key

In Odoo, open Preferences > Account Security > New API Key. Give the key a purpose-specific name and the shortest practical lifetime. Odoo displays the value once; store it immediately in a secrets manager.

Authorization: bearer <API_KEY>

The official Odoo 19 JSON-2 documentation describes API-key generation, expiration, rotation, and revocation.

Select the database

Send X-Odoo-Database when a hostname can resolve to multiple databases:

X-Odoo-Database: accountify_v19_clone_21.06.2026

The header is harmless when the host already selects a single database, but retaining it makes environment selection explicit.

Integration-user policy

  • Use a dedicated user, not a personal administrator account.
  • Grant only the applications and companies the integration needs.
  • Keep separate keys for development, staging, and production.
  • Rotate keys before expiry and revoke replaced keys after validation.
  • Never place a key in browser code, source control, screenshots, or documentation.
  • Log the integration identity and request correlation ID, not the API key.

Verify identity and context

POST /json/2/res.users/context_get
Authorization: bearer <API_KEY>
Content-Type: application/json

{}

This confirms that the key is accepted and returns context such as language, timezone, and allowed companies. It does not prove access to every model.

Authentication failures

Status Typical cause Action
401 Missing, expired, revoked, or invalid key Rotate or correct the key
403 Authenticated user lacks permission Review groups, companies, and record rules
404 Wrong model, method, or route Verify the JSON-2 URL and runtime model name