Hi,

When using Odoo.sh, API keys are tied to user accounts, not the instance itself. This means that whenever a testing environment is rebuilt, any manually created keys will be lost unless you migrate them. For that reason, it’s important to plan how API users and keys are managed across production, staging, and testing.

The best practice is to create a dedicated technical user for API access instead of using the default admin account. This makes it easier to control permissions, audit usage, and revoke or rotate keys when needed. Ideally, you should maintain separate API users for production and for testing/staging, so production data is never exposed during development.

In Odoo.sh testing environments, it’s not reliable to create keys manually since they won’t persist after rebuilds. Instead, keys should either be injected through environment variables or automatically provisioned using a bootstrap script or module that creates the API user and key during deployment. This ensures your developers always have consistent test credentials without manual setup.

Finally, the staging branch is the most suitable place for realistic API testing, because it contains a persistent copy of the production database. The testing branch, being short-lived, should only be used with injected or automatically created test credentials. This approach keeps production keys safe while still enabling stable API access for testing and development.

Hope it helps