MCP Server for Odoo (ets_mcp_server)
Turn your Odoo database into a Model Context Protocol (MCP) server. AI assistants and agent tools (Claude, Claude Code, and any MCP-capable client) connect over streamable HTTP and work with your Odoo data — search, read, create, update, report — strictly bounded by the connecting user's own Odoo access rights.
Elevator pitch
Key features
- Standards-based: implements MCP over streamable HTTP (
POST /mcp, JSON-RPC 2.0) with OAuth 2.1 authorization — PKCE (S256) mandatory, dynamic client registration, refresh tokens, and a consent screen inside Odoo. - 19 tools covering the full ORM surface: search/read/read_group, create/write/unlink, method calls, attachments (round-trip with chunking), model/field introspection.
- Security first: every tool executes as the authenticated Odoo user with superuser mode off — ACLs, record rules, and field-level security all apply. Private/ORM-primitive methods are refused; tokens are stored hashed; expired credentials are pruned automatically; registration and payload sizes are rate-bounded.
- No external services: the server runs inside your Odoo instance. Data goes only to the MCP client the user explicitly authorized.
Configuration
1. Install the module; enable the MCP feature toggle in Settings. 2. Point an MCP client at https://<your-odoo>/mcp — the OAuth flow opens an Odoo login + consent page; no manual API-key handling required. 3. Optional config parameters bound dynamic client registration and payload caps for hardened deployments.
Limitations / notes for buyers
- Connecting an MCP client means that client (and any AI model behind it) can read whatever the authorizing user can read — treat client authorization like granting user access, and disconnect unused clients.
- A method invoked via the call-method tool enforces the same access model as Odoo's own XML-RPC: public model methods that internally elevate privileges behave exactly as they would for that user via standard RPC.
- Screenshots: TODO (capture from a staging build).
Tests
Automated suite covers the MCP protocol handshake, per-user identity binding, attachment round-trips, private-method refusal, the full OAuth code+refresh flow (single-use codes, PKCE mismatch, unknown redirect), expiry, and input-cap enforcement.
Built and maintained by ETS.inc — support via the address on this listing.
| Availability |
Odoo Online
Odoo.sh
On Premise
|
| Lines of code | 1270 |
| Technical Name |
ets_mcp_server |
| License | OPL-1 |
| Website | https://www.ets.inc |
Odoo Proprietary License v1.0 This software and associated files (the "Software") may only be used (executed, modified, executed after modifications) if you have purchased a valid license from the authors, typically via Odoo Apps, or if you have received a written agreement from the authors of the Software (see the COPYRIGHT file). You may develop Odoo modules that use the Software as a library (typically by depending on it, importing it and using its resources), but without copying any source code or material from the Software. You may distribute those modules under the license of your choice, provided that this license is compatible with the terms of the Odoo Proprietary License (For example: LGPL, MIT, or proprietary licenses similar to this one). It is forbidden to publish, distribute, sublicense, or sell copies of the Software or modified copies of the Software. The above copyright notice and this permission notice must be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Please log in to comment on this module