Aidoo
Configuration

Security & permissions

Aidoo's security architecture: OAuth & API key authentication, role-based access control, credential encryption and logging.

Security architecture

Aidoo applies a defense-in-depth security approach. Every MCP request flows through the Express backend, which handles authentication, access control, encryption and logging before reaching Odoo.

AI Assistant → MCP Server → Aidoo Backend → Odoo XML-RPC
                              ├─ Auth (JWT / API Key)
                              ├─ Permission control
                              ├─ Logging
                              └─ Credential encryption

Authentication

Aidoo offers three authentication methods depending on the usage context.

OAuth 2.1 (Claude.ai, ChatGPT, Claude Desktop, Claude Code — recommended)

For clients that support OAuth (Claude.ai, ChatGPT, Claude Desktop, Claude Code), authentication is handled through a standard OAuth 2.1 flow:

  • No API key to handle on the user side, so no secret to leak
  • The access token is short-lived and refreshed automatically
  • Authorization is scoped to a company: the user explicitly picks which Aidoo organization they authorize
  • Revocation is immediate from the Aidoo dashboard

This is the default recommended method for most users. See the Connecting with Claude guide.

API keys (IDEs without OAuth)

For IDEs that don't support OAuth (Cursor, Windsurf, etc.), API keys authenticate programmatic requests. Every key:

  • Is hashed with SHA-256 before storage (the plaintext key is never kept)
  • Carries an aid_live_ prefix for quick identification
  • Is tied to a user and a company
  • Can be revoked instantly from the dashboard

See the API keys and Local clients guides for full management details.

JWT (dashboard sessions)

Web dashboard sessions use JWT tokens:

  • Access token: 15-minute lifetime, sent via the Authorization header
  • Refresh token: 30-day lifetime, sent via a secure httpOnly cookie
  • Renewal is automatic and transparent to the user

Roles and access control

Aidoo uses a three-tier role system, applied per company. The same user can have different roles depending on the company.

RoleScope
OwnerFull control: company management, members, API keys, billing and Odoo connection
AdminAdministration: management of all members' API keys, access to all logs, Odoo configuration
MemberLimited access: management of their own API keys only, viewing of their own logs

Concrete examples

ActionOwnerAdminMember
Create an API key for selfYesYesYes
Revoke another member's keyYesYesNo
View all logsYesYesNo
Edit the Odoo connectionYesYesNo
Invite a new memberYesYesNo
Manage billingYesNoNo
Transfer ownershipYesNoNo

Multi-tenant isolation

Every request is scoped to a company. A user can only access resources from companies they belong to. The middleware systematically checks membership before any operation.

Encryption of Odoo credentials

The Odoo connection credentials (URL, database, password) are encrypted at rest in the database.

Algorithm

  • AES-256-GCM (Galois/Counter Mode): authenticated encryption that guarantees both confidentiality and integrity of the data
  • Initialization vector (IV): 16 random bytes generated for each encryption operation
  • Authentication tag: 16 bytes to detect any tampering with the encrypted data

How it works

  1. When an Odoo connection is saved, sensitive credentials are encrypted on the server side
  2. The result is stored in the format IV:TAG:CIPHERTEXT (hexadecimal)
  3. On each request to Odoo, credentials are decrypted in memory for the duration of the call
  4. The encryption key is a server environment variable, never exposed to the client

Odoo credentials never travel in plaintext between the browser and the MCP server. Only the backend has the decryption key.

Request logging

Every MCP call is recorded with a level of detail that enables full auditing.

Recorded data

FieldDescription
MCP toolName of the tool called (query, read, create, etc.)
ParametersRequest input data
ResultOutput data (success) or error message
Statussuccess, error or timeout
DurationExecution time in milliseconds
UserUser identity and API key used
SessionSession identifier to group related calls

Data retention

Logs are automatically deleted after 90 days via a MongoDB TTL index. This duration provides enough history for auditing while respecting data minimization principles.

Filtering and viewing

From the Logs page in the dashboard, you can filter by:

  • MCP tool used
  • Request status (success, error, timeout)
  • User
  • Date range

Owners and admins see all the company's logs. Members only see their own requests.

Recommendations

  • Encryption key: use a 32-character random key for ENCRYPTION_KEY
  • Token rotation: JWT access tokens expire automatically every 15 minutes
  • Minimum permissions: only grant the necessary permissions to each API key
  • Monitoring: regularly review logs to detect any unusual activity
  • Quick revocation: if a compromise is suspected, immediately revoke the affected key