Odoo Connector Tokens: Secure API Integration for Partners

Stop sharing admin passwords for integrations. Learn how connector tokens provide scoped, revocable API access for your Odoo instances.


One of the most common security anti-patterns in Odoo integrations is sharing the admin user's credentials with third-party tools, monitoring services, and custom scripts. Every shared credential is a permanent, unscoped, irrevocable attack surface.

The Problem with Shared Credentials

  • All-or-nothing access: Admin credentials provide access to every model, every record, every operation
  • No revocability: Changing the admin password breaks all integrations simultaneously
  • No audit trail: All API actions appear as the admin user — you can't distinguish monitoring from manual operations
  • Credential rotation: When was the last time you rotated the password used by your monitoring tool?

How Connector Tokens Work

NonaGuard connector tokens provide scoped API access:

  1. Create a dedicated Odoo user with minimal permissions (read-only access to models NonaGuard needs)
  2. Generate an API key for that user in Odoo (Settings → Users → API Keys)
  3. Register the connector token in NonaGuard with the instance URL, database, and API key
  4. The token can be revoked at any time without affecting other integrations or user accounts

Step-by-Step Setup Guide

1. Create a Dedicated Service User in Odoo

Never reuse an existing admin or employee account. Create a purpose-built service user:


# Via Odoo shell (odoo shell -d your_db); the shell provides `cr` and `env`
from odoo import api, SUPERUSER_ID

env = api.Environment(cr, SUPERUSER_ID, {})
service_user = env['res.users'].create({
    'name': 'NonaGuard Scanner',
    'login': 'nonaguard-scanner@yourcompany.com',
    # Internal user only; the read-only scanner group from step 2 is added to it later
    'groups_id': [(6, 0, [
        env.ref('base.group_user').id,
    ])],
})
env.cr.commit()  # odoo shell does not commit automatically
print(f"Created user ID: {service_user.id}")

2. Assign Minimal Read-Only Permissions

The scanner needs read access to a specific set of models. Create an access control list that grants only what's required:

# Models NonaGuard needs to read:
# - ir.module.module          (installed modules, versions, state)
# - res.users                 (user list, groups, 2FA status)
# - ir.cron                   (scheduled actions, run status)
# - ir.config_parameter       (system parameters)
# - ir.model.access           (access control lists)
# - ir.rule                   (record rules)
# - base.module.update        (available updates)

# Grant via XML data file in a custom module (list the file under 'data' in __manifest__.py):
<odoo>
    <!-- Group that carries the read-only ACLs; add the step 1 user to it -->
    <record id="group_nonaguard_scanner" model="res.groups">
        <field name="name">NonaGuard Scanner (read-only)</field>
    </record>

    <!-- One ir.model.access record per model in the list above; only perm_read is granted -->
    <record id="access_nonaguard_modules" model="ir.model.access">
        <field name="name">NonaGuard - Module Read</field>
        <field name="model_id" ref="base.model_ir_module_module"/>
        <field name="group_id" ref="your_module.group_nonaguard_scanner"/>
        <field name="perm_read" eval="True"/>
        <field name="perm_write" eval="False"/>
        <field name="perm_create" eval="False"/>
        <field name="perm_unlink" eval="False"/>
    </record>
</odoo>

3. Generate an API Key (Odoo 14+)

From Odoo 14 onwards, API keys are the recommended authentication method for programmatic access:

# Navigate to: Settings → Users → Select scanner user → API Keys tab
# Click "New API Key" → Label: "NonaGuard Production" → Copy the key

# Test the key via XML-RPC (Python):
import xmlrpc.client

url = "https://your-odoo.com"
db = "production"
api_key = "your-generated-api-key"

common = xmlrpc.client.ServerProxy(f"{url}/xmlrpc/2/common")
uid = common.authenticate(db, "nonaguard-scanner@yourcompany.com", api_key, {})
if not uid:  # authenticate() returns False (it does not raise) on a bad key or inactive user
    raise SystemExit("Authentication failed: check the API key and that the user is active")
print(f"Authenticated as UID: {uid}")  # Prints the service user's ID

models = xmlrpc.client.ServerProxy(f"{url}/xmlrpc/2/object")
modules = models.execute_kw(db, uid, api_key, 'ir.module.module', 'search_read',
    [[('state', '=', 'installed')]],
    {'fields': ['name', 'installed_version', 'state'], 'limit': 5})
print(f"Found {len(modules)} installed modules (showing first 5)")

4. Register in NonaGuard

In the NonaGuard dashboard, navigate to Connectors → Add Instance. Enter your instance URL, database name, the service user's email, and the API key. The connection test runs automatically and confirms read access to the required models.
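Before registering the connector, it is worth confirming that steps 1 to 3 produced a read-only user. The script below is an added example, not NonaGuard's or Odoo's own tooling: it asks Odoo's ACL layer, over XML-RPC, whether the service user has read and only read on each model from step 2, using the placeholder URL, database, login and key from step 3.

```python
"""Check that the scanner user has read, and only read, on the models from
step 2. Added example, not NonaGuard's or Odoo's tooling; assumes the
placeholder URL/db/login/key from step 3 and an Odoo 14+ XML-RPC endpoint."""
import xmlrpc.client

REQUIRED_MODELS = [  # the list from step 2
    "ir.module.module", "res.users", "ir.cron", "ir.config_parameter",
    "ir.model.access", "ir.rule", "base.module.update",
]
OPERATIONS = ("read", "write", "create", "unlink")


def audit_access(execute_kw, db, uid, api_key, models=REQUIRED_MODELS):
    """Return {model: {op: bool}} using Odoo's own ACL evaluation.
    execute_kw is ServerProxy(...).execute_kw (or a stub for offline tests);
    check_access_rights(raise_exception=False) returns a bool per operation."""
    return {
        model: {
            op: bool(execute_kw(db, uid, api_key, model, "check_access_rights",
                                [op], {"raise_exception": False}))
            for op in OPERATIONS
        }
        for model in models
    }


def least_privilege_violations(report):
    """(model, problem) pairs: read missing, or any write-class right present."""
    problems = []
    for model, rights in report.items():
        if not rights["read"]:
            problems.append((model, "missing read access"))
        problems += [(model, f"unexpected {op} access")
                     for op in ("write", "create", "unlink") if rights[op]]
    return problems


if __name__ == "__main__":
    url, db = "https://your-odoo.com", "production"  # placeholders from step 3
    login, api_key = "nonaguard-scanner@yourcompany.com", "your-generated-api-key"
    uid = xmlrpc.client.ServerProxy(f"{url}/xmlrpc/2/common").authenticate(db, login, api_key, {})
    if not uid:  # authenticate() returns False rather than raising on bad credentials
        raise SystemExit("authentication failed: check the key and that the user is active")
    proxy = xmlrpc.client.ServerProxy(f"{url}/xmlrpc/2/object")
    violations = least_privilege_violations(audit_access(proxy.execute_kw, db, uid, api_key))
    for model, problem in violations:
        print(f"{model}: {problem}")
    print("OK: read-only on all required models" if not violations else f"{len(violations)} issue(s)")
```

Any "unexpected write/create/unlink" line means an ACL or group membership grants more than the scanner needs; a "missing read" line is the cause of the "Access denied on model X" error described under troubleshooting.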

Security Best Practices for Connector Tokens

  • One user per integration — Never share credentials between tools. If you also use a backup service, create a separate service user for it
  • Minimum permissions — Grant only the access required. NonaGuard needs read access; it never modifies your data
  • Rotate API keys quarterly — Generate a new key, update NonaGuard, then revoke the old key
  • Monitor API key usage — Check res.users.log entries for the scanner user to verify only expected activity
  • Use IP restrictions — If your reverse proxy supports it, restrict the scanner user's XML-RPC access to NonaGuard's IP ranges

Revoking Access

When you need to revoke NonaGuard access (e.g., switching providers or decommissioning an instance):

# 1. Revoke the API key in Odoo:
#    Settings → Users → Scanner user → API Keys → Delete key

# 2. Deactivate the service user (via odoo shell, as in step 1):
#    scanner_uid is the ID printed in step 1; look it up by login if you did not keep it
scanner_uid = env['res.users'].search([('login', '=', 'nonaguard-scanner@yourcompany.com')]).id
env['res.users'].browse(scanner_uid).write({'active': False})
env.cr.commit()  # odoo shell does not commit automatically

# 3. Remove the connector in NonaGuard dashboard

Because the connector uses a dedicated user with its own API key, revoking access is instant and doesn't affect any other integration or user account.

Troubleshooting Connection Issues

Common issues when setting up connectors:

  • "Authentication failed" — Verify the API key hasn't expired and the service user is active. Test with the XML-RPC script above
  • "Access denied on model X" — The service user is missing read access to a required model. Check ir.model.access for the user's groups
  • "Connection timeout" — Your firewall may be blocking NonaGuard's IP. Check reverse proxy logs for blocked requests to /xmlrpc/2/
  • "SSL certificate error" — Ensure your Odoo instance uses a valid, non-expired SSL certificate. Self-signed certs are not supported
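For the "Monitor API key usage" and "Use IP restrictions" practices above and the "Connection timeout" case here, the following is an added example (not NonaGuard's code) that reviews nginx combined-format access logs for /xmlrpc/2/ requests. The allowlist CIDR is a placeholder for the vendor's published source ranges, and the sample log lines are constructed.

```python
"""Review reverse-proxy access logs for /xmlrpc/2/ traffic. Added example, not
NonaGuard's code; assumes nginx "combined" log format and placeholder CIDRs."""
import ipaddress
import re

# combined format: ip - user [time] "METHOD path PROTO" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Placeholder: replace with the scanner vendor's published source ranges
ALLOWED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def review_xmlrpc_log(lines, allowed=ALLOWED_SOURCES):
    """Classify XML-RPC requests: 'unexpected' = source outside the allowlist
    (the scanner's key may be in use elsewhere), 'blocked' = allowlisted source
    denied by the proxy (403/444), which the vendor side sees as a failed connection."""
    summary = {"total": 0, "unexpected": [], "blocked": []}
    for line in lines:
        rec = parse_line(line)
        if not rec or not rec["path"].startswith("/xmlrpc/2/"):
            continue  # not XML-RPC traffic (web UI, assets, malformed line)
        summary["total"] += 1
        ip = ipaddress.ip_address(rec["ip"])
        hit = (rec["ip"], rec["path"], rec["status"])
        if not any(ip in net for net in allowed):
            summary["unexpected"].append(hit)
        elif rec["status"] in ("403", "444"):
            summary["blocked"].append(hit)
    return summary


# Constructed sample log lines (RFC 5737 documentation addresses)
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Mar/2024:02:00:01 +0000] "POST /xmlrpc/2/common HTTP/1.1" 200 512 "-" "Python-xmlrpc/3.11"',
    '203.0.113.10 - - [10/Mar/2024:02:00:02 +0000] "POST /xmlrpc/2/object HTTP/1.1" 200 8192 "-" "Python-xmlrpc/3.11"',
    '198.51.100.7 - - [10/Mar/2024:14:32:10 +0000] "POST /xmlrpc/2/object HTTP/1.1" 200 4096 "-" "curl/8.4.0"',
    '203.0.113.11 - - [10/Mar/2024:02:05:00 +0000] "POST /xmlrpc/2/common HTTP/1.1" 403 153 "-" "Python-xmlrpc/3.11"',
    '192.0.2.5 - - [10/Mar/2024:09:00:00 +0000] "GET /web/login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(review_xmlrpc_log(SAMPLE_LOG))
```

Pipe the real access log in place of SAMPLE_LOG; an "unexpected" entry is the signal to rotate the key, and a "blocked" entry points at the proxy rule behind a vendor-side timeout.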
