GenAI
GenAI HTTP endpoint — proxy natural-language questions to an external AI service through the platform's `POST /api/genai/ask`.
The GenAI surface exposes a single endpoint defined by GenAIController.java. It is gated by the genai.enabled configuration flag; the route is mounted unconditionally, but the underlying service rejects every request with BadUserRequestException ("Gen AI is disabled", HTTP 400) when the flag is off. For the configuration keys (genai.enabled, genai.url, genai.request_timeout) and the external AI service contract, see Configure ODD Platform → GenAI Configuration; for the feature description, the external-service request shape, and the operator caveats around enabling GenAI, see Active platform features → GenAI assistant.
POST /api/genai/ask (genAiQuestion)
Forward a natural-language question to the configured external AI service and return its answer.
Request body (application/json — GenAIRequest):
{ "body": "<question text>" }
Response body (application/json — GenAIResponse):
{ "body": "<answer text>" }
Status codes:
200 OK — the external AI service returned an answer.
400 Bad Request (BadUserRequestException body "Gen AI is disabled") — genai.enabled=false. Enable the flag and restart the platform to use the endpoint.
500 Internal Server Error (GenAIException) — the external AI service timed out (message "Gen AI request take longer that {minutes} min", where {minutes} is the configured genai.request_timeout) or returned a non-2xx response. The platform does not retry; a single attempt per request.
genai.request_timeout is the outbound wait-for-model-response timeout, in minutes — the time the platform waits for the external AI service to reply before raising the 500 above. It is wired into the genAiWebClient as responseTimeout = Duration.ofMinutes(genai.request_timeout) and read once at startup, so changing it requires a Platform restart. Because the underlying value is a Java int with no default, leaving it unset makes it 0 — Duration.ofMinutes(0) is a zero timeout, so every request fails immediately before the external service can answer. Always set an explicit non-zero genai.request_timeout when enabling GenAI; see Configure ODD Platform → GenAI Configuration.
Authentication and authorisation today. The route is not enumerated in the platform's authorization rules — SecurityConstants has no /api/genai/** entry. Under LOGIN_FORM / OAUTH2 / LDAP, the endpoint falls through to the catch-all "any authenticated user" rule; under auth.type=DISABLED, it is reachable anonymously. There is no per-user quota, no rate limit, and no in-platform audit of who asked what. Any caller who reaches the endpoint can drive arbitrary cost on the operator's external LLM account. Operators enabling GenAI should treat the platform as a permissive proxy and protect the upstream cost surface at the network perimeter (rate-limiting reverse proxy, API gateway, restrictive auth mode). The full platform-to-user posture caveat list is on the feature page's Platform-to-user security posture section.
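A preflight check covering the zero-timeout pitfall and the authentication posture described in the two paragraphs above. This is an added example, not ODD Platform code: the function name, the flattened-dict input, and treating a missing genai.enabled as off are assumptions; only the key names, auth modes and failure behaviour come from this page.

```python
# Added example: preflight check for the GenAI keys named on this page.
# Assumption: cfg is the effective configuration flattened to dotted keys
# with string values; loading it (YAML, env vars) is out of scope here.
# Assumption: a missing genai.enabled is treated as off.

AUTH_MODES = {"LOGIN_FORM", "OAUTH2", "LDAP"}

def check_genai_config(cfg):
    """Return [(severity, message)] for a flattened config dict."""
    if str(cfg.get("genai.enabled", "false")).strip().lower() != "true":
        return []  # service answers HTTP 400 "Gen AI is disabled"; nothing else applies
    findings = []
    if not str(cfg.get("genai.url", "")).strip():
        findings.append(("error", "genai.enabled=true but genai.url is not set"))
    raw = str(cfg.get("genai.request_timeout", "")).strip()
    if not raw:
        findings.append(("error", "genai.request_timeout unset: int defaults to 0, "
                                  "so every request fails immediately with HTTP 500"))
    else:
        try:
            minutes = int(raw)
        except ValueError:
            findings.append(("error", f"genai.request_timeout={raw!r} is not an integer"))
        else:
            if minutes <= 0:
                findings.append(("error", f"genai.request_timeout={minutes} must be > 0 minutes"))
    auth = str(cfg.get("auth.type", "")).strip().upper()
    if auth == "DISABLED":
        findings.append(("error", "auth.type=DISABLED: POST /api/genai/ask is reachable anonymously"))
    elif auth in AUTH_MODES:
        findings.append(("warning", f"auth.type={auth}: any authenticated user can call the endpoint; "
                                    "no quota, rate limit or audit in-platform, so limit it at the perimeter"))
    else:
        findings.append(("warning", "auth.type not found in cfg: confirm the effective auth mode"))
    return findings

if __name__ == "__main__":
    # Constructed sample: flag on, url and timeout forgotten, auth disabled.
    sample = {"genai.enabled": "true", "auth.type": "DISABLED"}
    for severity, message in check_genai_config(sample):
        print(f"{severity.upper()}: {message}")
```

Running the check before each restart matters because genai.request_timeout is read once at startup.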
See also
API Reference hub — the full per-feature index.
Active platform features → GenAI assistant — feature description, the platform → external AI service contract, the known limitations, and the platform-to-user security caveats.
Configure ODD Platform → GenAI Configuration — genai.* configuration keys plus the silent-misconfiguration warning when enabled=true is set without url and request_timeout.