oCore Docs

MCP Invites

Create and manage MCP invite links to give external developers scoped access to your organization's Odoo instances through AI tools.

MCP invite links provide a way to grant external developers MCP access to your organization without sharing API keys or requiring them to go through the full OAuth consent flow. An admin creates a link with specific permissions; the recipient opens it, logs in, and receives an mcp_only API key scoped to the invite's permissions.

Navigate to Settings > MCP Invites and click Create Invite.

Select the MCP permissions (scopes) to grant. You can only grant permissions that you yourself have -- scope escalation is prevented.

Set the maximum uses (how many people can accept this invite).

Set an expiration (default: 3 days). After this time, the link stops working.

Optionally set a key name preset -- the API key created for each acceptor will use this name.

Click Create. Copy the invite URL and share it with the intended recipients.

# Create an invite via API
curl -X POST https://ocore.example.com/api/org/mcp/invites \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "scopes": ["mcp:orm", "mcp:search", "mcp:metadata"],
    "max_uses": 5,
    "expires_in": "72h",
    "key_name_preset": "External Dev MCP Key"
  }'

The response includes the invite URL:

{
  "invite_url": "https://ocore.example.com/oauth/invite/abc123...",
  "expires_at": "2026-03-21T12:00:00Z",
  "max_uses": 5,
  "current_uses": 0
}

How Invites Work

When a recipient opens an invite link:

oCore validates the invite token (hashed with SHA-256 and looked up in the database).

The recipient logs into oCore (or creates an account if they don't have one).

oCore shows the invite details: organization name, granted permissions, and expiration.

The recipient accepts. oCore atomically increments the invite's usage counter (preventing race conditions with concurrent accepts).

An mcp_only API key is created for the recipient in the invite's organization with the invite's scoped permissions.

If the recipient is not already a member of the organization, they are automatically added as a Viewer.

Organization Membership

Accepting an invite link does not grant full dashboard access. The recipient is added as a Viewer (the lowest privilege role) and receives only MCP tool access through the created API key.

Scope Escalation Prevention

When creating an invite, oCore validates that every scope in the invite is a subset of the admin's own MCP permissions. This prevents privilege escalation:

  • An admin with orm, search, and metadata permissions cannot create an invite that includes shell or sql.
  • If the admin's own permissions change after creating the invite, the invite's permissions remain fixed at creation time.

Error: requested scopes exceed admin's own permissions
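
The token lookup and atomic accept from How Invites Work, together with the subset check described above, sketched as an added example (not oCore's own code). The SQLite table layout and the function names are assumptions made for illustration.

```python
import hashlib, secrets, sqlite3, time

# Hypothetical schema for illustration; not oCore's actual tables.
SCHEMA = """CREATE TABLE invites (
    token_hash TEXT PRIMARY KEY, scopes TEXT NOT NULL,
    max_uses INTEGER NOT NULL, current_uses INTEGER NOT NULL DEFAULT 0,
    expires_at REAL NOT NULL)"""

def token_hash(token):
    # Only this digest is stored, so a database leak does not expose usable links.
    return hashlib.sha256(token.encode()).hexdigest()

def create_invite(db, admin_scopes, scopes, max_uses, ttl_seconds, now=None):
    """Return the raw token for the invite URL; store only its hash."""
    if not set(scopes) <= set(admin_scopes):  # subset check at creation time
        raise PermissionError("requested scopes exceed admin's own permissions")
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    db.execute(
        "INSERT INTO invites (token_hash, scopes, max_uses, expires_at) VALUES (?, ?, ?, ?)",
        (token_hash(token), " ".join(sorted(scopes)), max_uses, now + ttl_seconds))
    db.commit()
    return token

def accept_invite(db, token, now=None):
    """Consume one use and return the granted scopes, or None if unusable."""
    now = time.time() if now is None else now
    h = token_hash(token)
    # Validity check and increment happen in one statement, so two concurrent
    # accepts cannot both pass a separate "uses left?" read.
    cur = db.execute(
        "UPDATE invites SET current_uses = current_uses + 1 "
        "WHERE token_hash = ? AND expires_at > ? AND current_uses < max_uses",
        (h, now))
    db.commit()
    if cur.rowcount != 1:
        return None  # unknown token, expired, or max uses reached
    row = db.execute("SELECT scopes FROM invites WHERE token_hash = ?", (h,)).fetchone()
    return row[0].split()  # scopes are those fixed at creation time

def demo():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    admin = {"mcp:orm", "mcp:search", "mcp:metadata"}  # constructed sample
    tok = create_invite(db, admin, ["mcp:orm", "mcp:search"], max_uses=1, ttl_seconds=72 * 3600)
    return db, admin, tok, accept_invite(db, tok), accept_invite(db, tok)

if __name__ == "__main__":
    print(demo()[3:])
```

With max_uses set to 1, the second accept in demo() returns None because the conditional UPDATE matches no row.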

Revoking Invites

To revoke an invite before it expires or reaches its max uses:

Navigate to Settings > MCP Invites.

Find the invite and click Revoke. The invite link immediately stops working.

# Revoke an invite via API
curl -X DELETE https://ocore.example.com/api/org/mcp/invites/{inviteId} \
  -H "Authorization: Bearer $TOKEN"

Existing Keys Are Not Revoked

Revoking an invite does not revoke API keys already created from it. To remove access from users who already accepted the invite, revoke their individual API keys in Settings > API Keys.

Monitoring Invites

The invite list shows:

| Field | Description |
|---|---|
| Scopes | MCP permissions the invite grants |
| Max uses | Maximum number of times the invite can be accepted |
| Current uses | How many times it has been accepted |
| Expires at | When the invite link stops working |
| Created by | The admin who created the invite |

Use Case: External Developer MCP Access

A common scenario is granting an external developer or consultant read-only MCP access to your Odoo instances:

Create an invite with mcp:orm, mcp:search, mcp:metadata scopes and max_uses: 1.

Send the invite URL to the developer via a secure channel (email, Slack DM).

The developer opens the link, creates an oCore account (if needed), and accepts.

The developer configures their AI tool with the created API key and connects to the MCP server.

When the engagement ends, revoke the developer's API key in Settings > API Keys.

Required Permissions

| Action | Permission |
|---|---|
| Create MCP invites | manage:org_settings |
| View MCP invites | manage:org_settings |
| Revoke MCP invites | manage:org_settings |