API Keys
Create scoped API keys for programmatic access, manage rotation, and revocation.
API keys provide programmatic access to the oCore API without requiring interactive authentication. They are ideal for CI/CD pipelines, automation scripts, and third-party integrations. Each API key is scoped to an organization and can be configured with specific permissions.
API Key Management
Create and manage API keys for your organization.
Creating an API Key
Navigate to Settings > API Keys and click Create API Key.
Enter a name that describes the key's purpose (e.g., "CI/CD Pipeline", "Monitoring Script").
Select the permissions to grant this key. Follow the principle of least privilege -- only grant permissions the key actually needs.
Optionally set an expiration date.
Click Create. The key value is displayed once. Copy and store it securely.
curl -X POST https://ocore.example.com/api/api-keys \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"name": "CI/CD Pipeline",
"permissions": ["manage:instances", "view:servers"],
"expiresAt": "2027-01-01T00:00:00Z"
}'ocore api-key create \
--name "CI/CD Pipeline" \
--permissions manage:instances,view:serversStore the Key Securely
The API key value is shown only once at creation time. Store it in a secure location (e.g., a secrets manager, encrypted vault). If you lose the key, you must create a new one.
Using API Keys
Authentication Header
Include the API key in the Authorization header with a Bearer prefix:
curl https://ocore.example.com/api/servers \
-H "Authorization: Bearer ocore_key_abc123..."API Key vs JWT Token
| Feature | API Key | JWT Token |
|---|---|---|
| Duration | Long-lived (until revoked/expired) | Short-lived (expires in hours) |
| Use case | Automation, CI/CD, integrations | Interactive user sessions |
| Permissions | Scoped to selected permissions | Based on user's role |
| 2FA required | No (key is the credential) | Yes (if enabled for user) |
| Refresh | Not needed | Requires refresh token |
Organization Context
API keys are scoped to a specific organization. The organization context is automatically set based on the key -- you do not need to provide an organization header or parameter.
Managing API Keys
Listing Keys
curl https://ocore.example.com/api/api-keys \
-H "Authorization: Bearer $TOKEN"Each key entry shows:
- Name and description
- Created date
- Last used date
- Expiration date
- Permission summary
- Status (active, expired, revoked)
Key Values Are Hidden
For security, the full key value is never returned in list or detail responses. Only the key's prefix (first 8 characters) is shown for identification.
Revoking a Key
Immediately revoke an API key to prevent further use:
curl -X DELETE https://ocore.example.com/api/api-keys/{keyId} \
-H "Authorization: Bearer $TOKEN"ocore api-key revoke <key-id>Revocation is immediate -- any in-flight requests using the key will fail with 401 Unauthorized.
Best Practices
Key Rotation
Regularly rotate API keys to limit the impact of potential key exposure:
Create a new API key with the same permissions as the old one.
Update your CI/CD pipeline or integration to use the new key.
Verify the new key works correctly.
Revoke the old key.
Least Privilege
Grant only the permissions each key actually needs:
| Use Case | Recommended Permissions |
|---|---|
| Deployment automation | view:projects, manage:deployments |
| Monitoring script | view:servers, view:instances |
| Backup management | view:environments, manage:environments |
| Read-only dashboard | view:servers, view:instances, view:projects |
| Full automation | All permissions (use sparingly) |
Security Guidelines
- Never commit API keys to version control
- Use environment variables or secret managers to store keys
- Set expiration dates on keys used for temporary integrations
- Monitor the "last used" date -- revoke unused keys
- Use separate keys for separate integrations (do not share keys)
- Enable audit logging to track API key usage
Required Permissions
| Action | Permission |
|---|---|
| View API keys | Any authenticated member |
| Create API keys | manage:org_settings |
| Update API keys | manage:org_settings |
| Revoke API keys | manage:org_settings |
OAuth-Created API Keys
When users connect an AI client (Claude Desktop, ChatGPT) through the OAuth consent flow, oCore automatically creates an API key linked to the resulting OAuth token. These keys are flagged with mcp_only: true and exist solely to back MCP sessions -- they cannot be used for general API access.
How OAuth Consent Creates API Keys
During the OAuth consent flow, the user can either:
- Auto-create a new key: oCore generates a new
mcp_onlyAPI key scoped to the selected organization. The key name defaults to the OAuth client's name (e.g., "Claude Desktop"). - Link an existing key: If the user already has MCP API keys in the selected organization, the consent form offers a picker to reuse one. No new key is created.
The auto-created key inherits its MCP permissions from the OAuth scopes and the user's consent form selections.
Permission Configuration During OAuth Consent
The consent form gives users fine-grained control over what the connected AI client can do:
| Setting | Description |
|---|---|
| Preset | Quick-select permission templates (e.g., "Read Only", "Developer", "Full Access") |
| Categories | Individual MCP tool categories (orm, sql, shell, metadata, etc.) |
| Instance scoping | Restrict the key to specific Odoo instances |
| Tool allowlist/denylist | Per-tool filtering with allow or deny mode |
| Read-only mode | Block all write and destructive operations |
These settings are stored on the authorization code and applied to the auto-created API key when the code is exchanged for tokens.
How MCP Tools Are Filtered
When an OAuth-backed MCP session starts, tools are filtered based on the linked API key's permissions:
- The OAuth access token is resolved to its linked API key.
- The key's
mcp_permissionslist determines which tool categories are available. - The key's
mcp_allowlist_modeandmcp_tool_allowlistfurther filter individual tools. - The key's
mcp_instance_idsrestricts which instances appear in the session. - If
mcp_read_onlyis set, all write and destructive tools are removed.
An empty permissions list means unrestricted access to all categories, identical to manually-created keys.
Revoking OAuth Authorizations
When an OAuth token is revoked (via POST /oauth/revoke or from the dashboard), the auto-created API key is cleaned up:
- If the key was auto-created (
auto_created_key: true) and no other active OAuth tokens reference it, the key is soft-deleted. - If the user linked an existing key during consent, the key is left untouched since it existed before the OAuth flow.
- Revoking all tokens for a client effectively disconnects that AI tool from oCore.
Organization-level logout can also revoke all OAuth tokens for a user across the organization, cleaning up any auto-created keys that are no longer referenced.
Troubleshooting
API key returns 401 Unauthorized
- Verify the key value is correct (check for trailing whitespace)
- Check that the key has not been revoked
- Check that the key has not expired
- Ensure the
Authorization: Bearerprefix is included
API key returns 403 Forbidden
- The key does not have the required permission for the requested endpoint
- Create a new key with the necessary permissions or update the existing one
Cannot find the key value
- API key values are shown only once at creation time
- If you lost the key, create a new one and revoke the old one
- Store new keys in a secure location immediately after creation
Key shows "expired" status
- Create a new key with the same permissions
- Set a longer or no expiration for keys used in long-running integrations
- Consider using key rotation schedules rather than fixed expiration dates