API Tokens
O.D.I.N. provides three authentication mechanisms for API access. Scoped API tokens are the recommended option for automation, integrations, and CI/CD pipelines.
Authentication Methods Comparison
| Method | Format | Expiry | Scope | Use Case |
|---|---|---|---|---|
| System API Key | Static key set on install | Never | Full API access | Internal services, monitors |
| Session JWT | Authorization: Bearer <jwt> | 24 hours | Full user role access | Interactive API clients |
| Scoped Token | odin_... prefix | Configurable | Per-route granular scopes | Automation, third-party tools |
Creating a Scoped Token
- Go to Settings → Account → API Tokens
- Click New Token
- Enter:
  - Name — a descriptive label (e.g., "Grafana read-only", "CI/CD deploy")
  - Scopes — select one or more from the available scopes table
  - Expiry — leave blank for no expiry, or set a date
- Click Create
- Copy the token immediately — it will not be shown again
The full token value is displayed only at creation time. O.D.I.N. stores only a bcrypt hash of the token. If you lose it, delete the token and create a new one.
Available Scopes
Operator scopes (per-resource)
| Scope | Access |
|---|---|
| read:printers | Read printer status, telemetry, filament slots |
| write:printers | Create, update, delete printers |
| read:jobs | Read job queue and job details |
| write:jobs | Create, update, cancel jobs |
| read:spools | Read spool inventory |
| write:spools | Create, update, delete spools |
| read:models | Read model library |
| write:models | Upload and manage models |
| read:analytics | Read analytics and reports |
| read:orders | Read orders and invoices |
| write:orders | Create and update orders |
| read:users | Read user list (admin-level scope) |
Agent scopes (v1.8.9+)
For AI-agent-driven operation via the MCP server or equivalent. These scopes grant a curated slice of the operator surface designed to be safe for autonomous use.
| Scope | Access |
|---|---|
| agent:read | Dashboard visibility — printers, jobs, queue, alerts, spools, filaments, maintenance tasks, orders. No state changes. |
| agent:write | agent:read + queue/cancel/approve/reject jobs, pause/resume printers, manage spools & alerts, log maintenance. |
Agent scopes do not grant access to auth / license / backup / user-CRUD / SMTP config / RBAC management. Those stay humans-only regardless of token scope.
Grant the narrowest scope that works for the agent's job. agent:read is the recommended starting scope while evaluating an agent; upgrade to agent:write after verification.
Using a Token
Include the token in the Authorization header using the Bearer scheme.
Read-Only Example (Fetching Printer Status)
curl -H "Authorization: Bearer odin_abc123def456..." \
https://your-odin-host/api/printers
Write Example (Creating a Job)
curl -X POST \
-H "Authorization: Bearer odin_abc123def456..." \
-H "Content-Type: application/json" \
-d '{"model_id": 42, "printer_id": 1, "priority": "normal"}' \
https://your-odin-host/api/jobs
Tokens with insufficient scope for an endpoint receive a 403 Forbidden response.
Revoking Tokens
- Go to Settings → Account → API Tokens
- Click Revoke next to the token you want to delete
- The token is immediately invalidated
Tokens are stored by hash — revoking deletes the hash record, blocking all future requests with that token.
Token Prefix and Identification
All scoped tokens are prefixed with odin_. The first 8 characters after the prefix form the token prefix (token_prefix column), which is displayed in the token list so you can identify which token corresponds to which integration without exposing the full secret.
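The prefix convention above also makes leaked tokens easy to find and triage. The scanner below is an added example, not O.D.I.N.'s own code: it masks every `odin_` token in a block of text (for instance a CI log) down to its 8-character token prefix and reports which prefixes appeared, so the matching entries in the token list can be revoked. The token alphabet, the 16-character minimum length, and the sample log lines are assumptions; the page documents only the `odin_` prefix and the 8-character token prefix.

```python
import re

PREFIX_LEN = 8       # characters after "odin_" shown in the token list
MIN_SECRET_LEN = 16  # assumption: real tokens are at least this long

# Assumption: the secret uses URL-safe characters (letters, digits, "-", "_").
# The lookbehind stops matches that start inside a longer identifier.
TOKEN_RE = re.compile(
    r"(?<![A-Za-z0-9_-])odin_([A-Za-z0-9_-]{%d,})" % MIN_SECRET_LEN
)


def scan_and_redact(text):
    """Return (redacted_text, findings) for every odin_ token in text.

    findings maps each token prefix to the 1-based line numbers where the
    full token appeared, which is enough to pick the token to revoke.
    """
    findings = {}
    out_lines = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        def mask(match, lineno=lineno):
            prefix = match.group(1)[:PREFIX_LEN]
            findings.setdefault(prefix, []).append(lineno)
            # Keep only what the token list already displays.
            return "odin_" + prefix + "[REDACTED]"
        out_lines.append(TOKEN_RE.sub(mask, line))
    return "\n".join(out_lines), findings


# Constructed sample input: made-up token values and log lines.
SAMPLE_LOG = """\
10:00:00 deploy: curl -H "Authorization: Bearer odin_Zx9Kq2LmA7bC3dE4fG5hJ6kL" https://your-odin-host/api/jobs
10:00:01 deploy: HTTP 201
10:05:00 env dump: ODIN_TOKEN=odin_Rt5Yw8PnQ1sU2vW3xY4zA5bC
10:06:00 retry with odin_Zx9Kq2LmA7bC3dE4fG5hJ6kL
"""

if __name__ == "__main__":
    redacted, leaked = scan_and_redact(SAMPLE_LOG)
    print(redacted)
    for prefix, lines in sorted(leaked.items()):
        print("revoke token with prefix", prefix, "seen on lines", lines)
```

Running the redacted output through the scanner again finds nothing, so it is safe to apply at more than one stage of a log pipeline.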
See Also
- API Overview — REST API structure and authentication
- API Endpoints — full endpoint reference
- Session Management — session-based authentication
- Webhooks — outbound notifications that use separate secrets