Authentication¶
Odoo 19 JSON-2 uses an API key as a bearer token. The key acts with the identity, groups, company access, and record rules of the user that owns it.
Create an API key¶
In Odoo, open Preferences > Account Security > New API Key. Give the key a purpose-specific name and the shortest practical lifetime. Odoo displays the value once; store it immediately in a secrets manager.
The official Odoo 19 JSON-2 documentation describes API-key generation, expiration, rotation, and revocation.
Select the database¶
Send X-Odoo-Database when a hostname can resolve to multiple databases:
The header is harmless when the host already selects a single database, but retaining it makes environment selection explicit.
Integration-user policy¶
- Use a dedicated user, not a personal administrator account.
- Grant only the applications and companies the integration needs.
- Keep separate keys for development, staging, and production.
- Rotate keys before expiry and revoke replaced keys after validation.
- Never place a key in browser code, source control, screenshots, or documentation.
- Log the integration identity and request correlation ID, not the API key.
Verify identity and context¶
POST /json/2/res.users/context_get
Authorization: bearer <API_KEY>
Content-Type: application/json
{}
This confirms that the key is accepted and returns context such as language, timezone, and allowed companies. It does not prove access to every model.
Authentication failures¶
| Status | Typical cause | Action |
|---|---|---|
401 |
Missing, expired, revoked, or invalid key | Rotate or correct the key |
403 |
Authenticated user lacks permission | Review groups, companies, and record rules |
404 |
Wrong model, method, or route | Verify the JSON-2 URL and runtime model name |