Configuration¶
This page covers manual configuration — managing resources, credentials, and global settings outside the setup wizard.
Global Settings¶
Go to Settings > General Settings, scroll to (or search for) the Alpenglow MCP section, and toggle Enable MCP Access.
This section also has controls for:
| Setting | Default | Range | Description |
|---|---|---|---|
| Default Read-Only | Off | — | New resources default to read-only mode |
| Max Records per Request | 500 | 10 – 10,000 | Caps a single response |
| Max Search Limit | 1,000 | 100 – 50,000 | Caps the limit parameter on searches |
| Rate Limiting | On | — | Toggle on/off (see Rate Limiting) |
| Requests per Minute | 300 | — | General API rate limit |
| Aggregation per Minute | 60 | — | Aggregation query rate limit |
| Audit Logging | On | — | Toggle on/off (see Audit Logging) |
| Log Retention | 30 days | — | How long audit entries are kept |
Quick-action buttons link to the Resources, Credentials, Audit Log, and Sessions screens.
Managing Resources¶
Navigate to Settings > Alpenglow MCP > Resources.
Each resource maps one Odoo model to a set of MCP permissions:
| Field | Description |
|---|---|
| Model | The Odoo model (e.g., res.partner) |
| Read-Only | Overrides all operation toggles below; only read operations allowed |
| Can Read | Allow search/read operations |
| Can Create | Allow record creation |
| Can Write | Allow record updates |
| Can Delete | Allow record deletion |
| Field Policy | All (default), Allowlist, or Denylist |
| Fields | When using allowlist/denylist, select specific fields |
| Record Filter | An Odoo domain expression that restricts which records are visible (e.g., [('active', '=', True)]) |
Bulk enablement¶
Use the Add Resources wizard (accessible from the Resources list view) to enable multiple models at once with the same permission set.
Unique constraint¶
Each model can only be registered once per company.
Creating Credentials¶
To create credentials outside the wizard, you need to do two things:
1. Generate an Odoo API key¶
Go to Settings > Users & Companies > Users, open the user who will own the credential, then navigate to the Preferences tab. Under API Keys, click New API Key, give it a description, and copy the generated key.
2. Create an Alpenglow credential record¶
Go to Settings > Alpenglow MCP > Credentials and click New. Fill in:
| Field | Description |
|---|---|
| Label | A human-readable name (e.g., "Claude Desktop — John"). Appears in audit logs. |
| User | The Odoo user who owns the API key. The AI assistant operates under this user's permissions. |
| Scope | Full Access or Read-Only. |
| Expires On | (Optional) Date after which the credential is automatically rejected. Leave blank for no expiration. |
| Company | In multi-company setups, the company this credential belongs to. |
The API key handles authentication (proving who the caller is). The Alpenglow credential controls authorization (what scope is allowed) and tracks usage (last used, IP address, request count).
Note
If an API key authenticates successfully but no matching Alpenglow credential is found for that user, the request still proceeds — it just won't have scope restrictions or usage tracking. For full control, always create both.
Revoking credentials¶
To revoke a credential, open it and click the Revoke button. This permanently deactivates it.
Multi-Company¶
Resources and credentials are scoped per company. A resource created in Company A is only visible to users of Company A. Set the company field to blank to make a resource available across all companies.
Record rules enforce company isolation at the database level — there is no way for a user in one company to access another company's MCP resources or credentials through the API.
Scheduled Actions¶
The module registers three cron jobs:
| Job | Interval | Description |
|---|---|---|
| Audit Log Cleanup | Daily | Deletes audit entries older than the configured retention period |
| Session Cleanup | Hourly | Marks sessions as inactive after a period of no activity |
| Rate Limit Cleanup | Hourly | Purges expired entries from the rate limit tracking table |