Skip to Content

MCP Security

by ,
Odoo

92.82

v 19.0 Third Party
Availability
Odoo Online
Odoo.sh
On Premise
Odoo Apps Dependencies Discuss (mail)
Community Apps Dependencies
Lines of code 4390
Technical Name praetorx_security
LicenseOPL-1
Websitehttps://praetorx.net
You bought this module and need support? Click here!
Availability
Odoo Online
Odoo.sh
On Premise
Odoo Apps Dependencies Discuss (mail)
Community Apps Dependencies
Lines of code 4390
Technical Name praetorx_security
LicenseOPL-1
Websitehttps://praetorx.net

MCP Security

API Security — Rate Limiting, Audit Logging & Access Control for Odoo 19

v19.0.1.2.1 Community Enterprise Odoo.sh MCP Protocol OPL-1

Secure your Odoo data when integrating with Model Context Protocol (MCP) clients. API key authentication, granular model permissions, IP whitelisting, rate limiting, audit logging, and real-time security alerts — all enforced on a dedicated /xmlrpc/2/mcp endpoint.

praetorx.net | Syntax & Sabotage

API Key Management

Hashed Key Storage

Keys are hashed with PBKDF2-SHA512 (6 000 rounds) and never stored in plaintext. A one-time wizard displays the key at creation — after that, only the hash remains.

Expiration & Auto-Rotation

Set an expiration date per key. Enable auto-rotation and a daily cron generates replacement keys before expiry, sends email notifications, and keeps the old key active until its date passes.

Scope Restrictions

Assign scopes (read, write, create, delete) as a Many2many selection. Keys without scopes get full access; keys with scopes are limited to the selected operations only.

Model-Level Restrictions

Optionally restrict each key to specific Odoo models. If set, the key can only operate on those models — all others are denied regardless of permissions.

Access Control & Permissions

Whitelist-Based Permissions

Deny-by-default: only models with an explicit praetorx.permission record are accessible. Each record defines per-model CRUD flags (read, write, create, delete) and optional group restrictions.

IP Whitelisting

Restrict access by IP address. Supports IPv4, IPv6, and CIDR notation (e.g. 192.168.1.0/24). Validated via Python’s ipaddress module. Handles X-Forwarded-For for reverse proxies.

Rate Limiting

In-memory sliding-window rate limiter with a 60-second window. Configurable max requests per minute per API key. Returns HTTP 429-style XML-RPC faults with X-RateLimit-* headers. No external dependencies.

Endpoint Enforcement

When enabled, PraetorX API keys are blocked from /xmlrpc/2/object and must use the secured /xmlrpc/2/mcp endpoint. Uses indexed key-prefix lookup for fast detection with minimal overhead.

Monitoring & Audit

Audit Logging

Every MCP operation is logged with user, timestamp, model, method, record ID, success/failure, and IP address. Export to CSV or JSON with date-range filtering. Configurable retention with automatic cleanup.

Security Alerts

Automatic alerts for failed authentication, rate-limit breaches, blocked IPs, and suspicious activity. Four severity levels (low to critical). Email notifications with configurable thresholds. Resolve/reopen workflow via mail.thread.

Session Tracking

Tracks active MCP sessions per API key with configurable timeout and concurrent-session limits. Automatic cleanup of expired sessions via cron. Manual termination from the session list view.

Emergency Key Revocation

Revoke all active API keys at once via a confirmation wizard. Requires admin group, a written reason, and explicit confirmation. Sends email notifications to all affected users and creates a critical security alert.

How the Security Pipeline Works

Request → API Key Auth → Session Check → IP Whitelist → Rate Limit → Scope Check → Model Restriction → Permission Check → Execute → Audit Log

Additive to Odoo ACL

PraetorX permissions are checked in addition to standard ir.model.access. Both must allow the operation.

6 scheduled actions

Audit log cleanup (daily), expired key cleanup (daily), rate limiter cleanup (5 min), auto key rotation (daily), session cleanup (15 min), old session deletion (daily).

3 security groups

User (read-only), Manager (manage keys, permissions, view logs), Admin (full control including emergency revocation).

Technical Reference

ComponentDetails
praetorx.api.keyAPI key lifecycle — PBKDF2 hash, expiration, scope (Many2many), model restrictions, usage tracking, auto-rotation, regeneration
praetorx.api.scopePredefined operations (read, write, create, delete) — prevents typos, uses many2many_tags widget
praetorx.permissionPer-model CRUD whitelist — one record per model, optional group restrictions, additive to ir.model.access
praetorx.audit.logOperation log — user, timestamp, model, method, record ID, success/failure, IP address, CSV/JSON export
praetorx.security.alertSecurity events — 7 alert types, 4 severity levels, mail.thread, email notifications, resolve/reopen
praetorx.sessionSession tracking — timeout, concurrent limits, request count, automatic cleanup
praetorx.rate.limiterAbstract model — in-memory sliding window, thread-safe, no external dependencies
/xmlrpc/2/mcpSecured endpoint — full security pipeline, drop-in replacement for /xmlrpc/2/object

Screenshots

API Key Management

API Key Management — key list with expiration, scope, usage count, and last-used timestamp

Permission Configuration

Permission Configuration — per-model CRUD whitelist with optional group restrictions

Audit Logs

Audit Logs — operation history with user, model, method, success/failure, and IP address

Security Alerts

Security Alerts — failed auth tracking, severity levels, resolve/reopen workflow

Settings

Settings — rate limiting, IP whitelist, session management, key rotation, audit configuration

Setup Guide

  • Odoo 19.0 (Community or Enterprise)
  • Python 3.10+
  • Required modules: praetorx_base (free), mail, rpc
  • No external Python dependencies
  • No external services or API keys

No Enterprise dependency. Works on Community, Enterprise, and Odoo.sh.

Install from the Odoo Apps menu. Search for “MCP Security” or “PraetorX Security”.

Dependencies (praetorx_base, mail, rpc) are installed automatically.

  1. Navigate to PraetorX → Security → API Keys
  2. Click New and enter a descriptive name
  3. Select scope restrictions and optionally limit to specific models
  4. Set an expiration date (or leave empty for no expiry)
  5. Click Save — the key is displayed once in a popup wizard
  6. Copy the key immediately; it cannot be retrieved later
  1. Navigate to PraetorX → Security → Permissions
  2. Click New, select the Odoo model to allow access to
  3. Enable the required operations (Read, Write, Create, Delete)
  4. Optionally restrict to specific user groups
  5. Click Save

Without a permission record, MCP access to that model is denied (whitelist mode).

  1. Go to Settings → PraetorX Security
  2. Toggle Enable Rate Limiting and set max requests per minute (default: 60)
  3. Enter allowed IPs in the IP Whitelist field (comma-separated, CIDR supported)
  4. Configure session timeout and concurrent session limits
  5. Click Save

Leaving the IP whitelist empty allows all IP addresses.

User: Read-only access to permissions, audit logs, alerts, and sessions.

Manager: Manage API keys and permissions, view audit logs and alerts. Implies User.

Admin: Full control including emergency key revocation and alert management. Admin user is assigned by default. Implies Manager.

FAQ

It is a dedicated XML-RPC endpoint that provides the same execute_kw interface as the standard /xmlrpc/2/object, but runs every request through the full security pipeline: API key authentication, IP whitelist, rate limiting, scope check, model restriction, permission check, and audit logging. MCP clients use this endpoint instead of the standard one.
No. PraetorX permissions are additive to Odoo’s standard ir.model.access and record rules. Both layers must allow the operation. MCP Security adds an extra security gate specifically for MCP/API traffic without affecting normal Odoo access.
Keys are hashed with PBKDF2-SHA512 (6 000 rounds with a random 16-byte salt), following the same pattern as Odoo’s res.users.apikeys. The plaintext key is never stored in the database — it is shown once via a wizard at creation time. A prefix (first 8 characters) is stored separately for fast indexed lookups during enforcement.
Yes. Rate limiting and IP whitelisting are both disabled by default. You can use the module purely for API key authentication, permissions, and audit logging. Enable additional security layers as needed from the Settings page.
The endpoint returns an XML-RPC fault with code 429 and includes X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, and Retry-After headers. A security alert is also created if alert monitoring is enabled.
Disabled by default. When enabled in Settings, a daily cron checks for keys within the rotation window (configurable, default 7 days before expiry). It generates a new key with extended expiration, sends an email with the new key to the user, and leaves the old key active until its original expiry date. No downtime for the client.
Yes. MCP Security depends only on praetorx_base, mail, and rpc — all available in Community Edition. There is no dependency on any Enterprise-only module.

Release History

v19.0.1.2.1 — March 2026

Current Release

  • Endpoint enforcement: block PraetorX keys from /xmlrpc/2/object when secured endpoint is required
  • Key prefix indexing for fast enforcement lookups
  • Security groups migrated to praetorx_base with backward-compatible XML IDs

v19.0.1.2.0

  • Export audit logs: CSV and JSON with date-range filtering
  • Emergency revoke-all-keys wizard with confirmation, email notifications, and security alert

v19.0.1.1.0

  • Auto key rotation with daily cron and email notifications
  • Session management: timeout enforcement, concurrent session limits, cleanup crons

v19.0.1.0.0

  • API key scope validation (Many2many with predefined scopes)
  • IP whitelist with IPv4/IPv6 and CIDR support
  • Sliding-window rate limiting with HTTP 429-style responses
  • Security alerts with severity levels and email notifications

v19.0.0.1.0 — Initial Release

  • API key authentication with PBKDF2-SHA512 hashing
  • Whitelist-based model permissions (per-model CRUD)
  • Comprehensive audit logging
  • Secured /xmlrpc/2/mcp endpoint

You May Also Like

PraetorX Base Required

Shared security groups, menus, and technical patterns for all PraetorX modules.

Free
PraetorX Roles

Role-based user group management with date-gated assignments and automatic sync.

Free
PraetorX Shell

Branded backend theme with sidebar, home tiles, activity dashboard, and per-role color theming.

Free
Cockpit

Role-based tile dashboard — counters, queues, charts, actions, and real-time updates.

Free

Made with by Syntax & Sabotage

© 2026 Syntax & Sabotage, Lars Weiler. All rights reserved. OPL-1.

Impressum · support@syntaxandsabotage.io

Odoo Proprietary License v1.0

This software and associated files (the "Software") may only be used (executed,
modified, executed after modifications) if you have purchased a valid license
from the authors, typically via Odoo Apps, or if you have received a written
agreement from the authors of the Software (see the COPYRIGHT file).

You may develop Odoo modules that use the Software as a library (typically
by depending on it, importing it and using its resources), but without copying
any source code or material from the Software. You may distribute those
modules under the license of your choice, provided that this license is
compatible with the terms of the Odoo Proprietary License (For example:
LGPL, MIT, or proprietary licenses similar to this one).

It is forbidden to publish, distribute, sublicense, or sell copies of the Software
or modified copies of the Software.

The above copyright notice and this permission notice must be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
DEALINGS IN THE SOFTWARE.

Please log in to comment on this module

  • The author can leave a single reply to each comment.
  • This section is meant to ask simple questions or leave a rating. Every report of a problem experienced while using the module should be addressed to the author directly (refer to the following point).
  • If you want to start a discussion with the author or have a question related to your purchase, please use the support page.