
Secure API - REST APIs with OAuth 2.0 & JWT authentication

by minhng.info https://minhng.info

$ 66.73

v 14.0 Third Party 2
Availability: Odoo Online, Odoo.sh, On Premise
Lines of code: 5289
Technical Name: secure_api
License: OPL-1
Website: https://minhng.info
Versions: 14.0 15.0 16.0 17.0 18.0 19.0

Secure API

Expose your Odoo data through secure, customizable REST APIs with OAuth 2.0 & JWT authentication.

Contents

  • Core Feature: Secure API Exposure
    • Expose Any Model as REST API
  • Authentication & Authorization
    • OAuth 2.0 Opaque Tokens
    • JWT (JSON Web Tokens)
  • Security Features
    • Field-Level Access Control
    • Domain Filters
    • ID Obfuscation (Hashids)
    • Permission Scopes
  • Advanced Features
    • RPC Method Calls
    • Default Field Values
    • Binary Field Handling
    • Bulk Operations
    • Field Aliases
    • Related Model Fields
  • API Export
    • Export to Postman Collection
    • Export to Swagger/OpenAPI
  • Monitoring & Statistics
    • API Usage Statistics
  • Organization & Management
    • Categories
    • Tags
    • API Lifecycle States
  • Testing & Development
    • Live API Testing
    • Test Mode
    • Auto-Generated Endpoints
  • Configuration Options
    • CORS Configuration
    • Multi-Model APIs
    • Authentication Modes
    • Pagination & Ordering
  • Error Handling
    • Response Types & Status Codes
  • Update History
    • January 05, 2026 (*.0.0.4)
    • December 21, 2025 (*.0.0.3)
    • December 10, 2025 (*.0.0.2)
    • July 12, 2025 (*.0.0.1)
  • Technical Support
    • Contact Information

[Screenshot: Dynamically expose API]


Core Feature: Secure API Exposure

Expose Any Model as REST API — Create secure REST API endpoints for any Odoo model in minutes (include custom models). Full control over which models, fields, and operations are exposed. Each API is configured via form view in Odoo with customizable routes, authentication, and permissions.

Supported Operations

Operation   HTTP Method   Route        Description
Search      GET           /route       Search records with domain filters, pagination, and ordering
Read        GET           /route/:id   Retrieve a single record by ID
Create      POST          /route       Create new records
Update      PATCH         /route/:id   Update existing records
Delete      DELETE        /route/:id   Remove records

Requests

# Authenticate
curl -X POST -H "Content-Type: application/json" -c cookies.txt \
    -d '{"jsonrpc": "2.0", "params": {"db": "YOUR_DATABASE", "login": "USER@EXAMPLE.COM", "password": "YOUR_USER_PASSWORD"}}' \
    https://your-odoo-instance.com/web/session/authenticate

# Search
curl -s -X GET -H "Content-Type: application/json" -b cookies.txt \
    -d "domain=[(\"id\",\">\",0)]&limit=5&order=id" \
    "https://your-odoo-instance.com/api/partner/rest"

# Create
curl -s -X POST -H "Content-Type: application/json" -b cookies.txt \
    -d '{"name": "Test Partner (CRUD Demo Bash)"}' \
    "https://your-odoo-instance.com/api/partner/rest"

# Read
curl -s -X GET -H "Content-Type: application/json" -b cookies.txt \
    "https://your-odoo-instance.com/api/partner/rest/NnRZn"

# Update
curl -s -X PATCH -H "Content-Type: application/json" -b cookies.txt \
    -d '{"name": "Test Partner (CRUD Demo Bash) (Updated)"}' \
    "https://your-odoo-instance.com/api/partner/rest/NnRZn"

# Delete
curl -s -X DELETE -H "Content-Type: application/json" -b cookies.txt \
    "https://your-odoo-instance.com/api/partner/rest/NnRZn"

Responses

// SEARCH Response:
{
    "jsonrpc": "2.0",
    "id": null,
    "result": {
        "length": 36,
        "records": [
            {
                "id": "NnRZn",
                "email": "brandon.freeman55@example.com",
                "image_128": "/api/image/2/res.partner/NnRZn/image_128",
                "name": "Brandon Freeman"
            },
            ...
        ]
    }
}

// CREATE Response:
{
    "jsonrpc": "2.0",
    "id": null,
    "result": {
        "id": "P2y3b",
        "company_id": [],
        "email": "",
        "image_1024": "",
        "image_128": "",
        "name": "Test Partner (CRUD Demo Bash)",
        "phone": ""
    }
}

// READ Response:
{
    "jsonrpc": "2.0",
    "id": null,
    "result": {
        "id": "8blEP",
        "company_id": [],
        "email": "azure.Interior24@example.com",
        "image_1024": "/api/image/2/res.partner/8blEP/image_1024",
        "image_128": "/api/image/2/res.partner/8blEP/image_128",
        "name": "Azure Interior",
        "phone": "(870)-931-0505"
    }
}

// UPDATE Response:
{
    "jsonrpc": "2.0",
    "id": null,
    "result": {
        "id": "8blEP",
        "company_id": [],
        "email": "azure.Interior24@example.com",
        "image_1024": "/api/image/2/res.partner/8blEP/image_1024",
        "image_128": "/api/image/2/res.partner/8blEP/image_128",
        "name": "Test Partner (CRUD Demo Bash) (Updated)",
        "phone": "(870)-931-0505"
    }
}

// DELETE Response:
{
    "jsonrpc": "2.0",
    "id": null,
    "result": [
        "NnRZn"
    ]
}

[Screenshot: API configuration interface]

Authentication & Authorization

OAuth 2.0 Opaque Tokens — Secure your APIs with industry-standard OAuth 2.0 authentication. Create client applications with unique client_id and client_secret credentials. Tokens are stored securely and support configurable expiration.

Get Access Token

# Request
curl -X POST \
  -F client_id=your_client_id \
  -F client_secret=your_secret \
  https://your-odoo-instance.com/api/oauth2/token

# Response
{
    "access_token": "q88Oj31Vc9OnpT85X7CjIsHpI4BI36L4Hfv...",
    "token_type": "Bearer",
    "expires_in": 1800,
    "scope": "create read update delete search rpc"
}

Use Access Token

# Request
curl -X GET \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer q88Oj31Vc9OnpT85X7CjIsHpI4BI36L4Hfv..." \
  https://your-odoo-instance.com/api/partner/rest
JWT (JSON Web Tokens) — For stateless authentication, use JWT tokens. Tokens are signed with configurable algorithms (HS256, HS384, HS512) and contain embedded payload data. No database lookup required for validation.

JWT Token Endpoint

# Request
curl -X POST \
  -H "Content-Type: application/json" \
  -d '{"client_id": "your_client_id", "client_secret": "your_secret"}' \
  https://your-odoo-instance.com/api/jwt/token

# Response
{
    "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
    "token_type": "Bearer",
    "expires_in": 1800,
    "scope": "create read update delete search rpc"
}

Use Access Token

# Request
curl -X GET \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." \
  https://your-odoo-instance.com/api/partner/rest
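
The receiving side of the JWT flow above, as an added example (not the module's own code): a standard-library verifier for the HS256/HS384/HS512 tokens the section describes, which is what "no database lookup required" amounts to in practice. DEMO_SECRET and the sign_jwt helper are constructed here only to produce test tokens; how the module itself mints and validates tokens is not shown on this page. The verifier pins the algorithm to the HMAC family (so a token cannot choose "none" or an asymmetric scheme), checks the signature in constant time before trusting any claim, and only then enforces exp.

```python
"""Verify HS256/HS384/HS512 JSON Web Tokens with the standard library only."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret; a real deployment loads the signing key from configuration.
DEMO_SECRET = b"constructed-demo-secret-do-not-reuse"

# Only the HMAC algorithms the page lists are accepted. "none" and asymmetric
# algorithms are refused outright, so a token cannot pick its own verification method.
ALLOWED_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(payload: dict, secret: bytes, alg: str = "HS256") -> str:
    """Mint a token; included only to produce inputs for verify_jwt."""
    header = {"alg": alg, "typ": "JWT"}
    segments = [b64url_encode(json.dumps(part, separators=(",", ":")).encode())
                for part in (header, payload)]
    signature = hmac.new(secret, ".".join(segments).encode("ascii"), ALLOWED_ALGS[alg]).digest()
    return ".".join(segments + [b64url_encode(signature)])


def verify_jwt(token: str, secret: bytes, now: Optional[float] = None) -> dict:
    """Return the payload of a valid token; raise ValueError for any defect.

    The algorithm is pinned and the signature checked before any claim, exp
    included, is trusted.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    alg = header.get("alg") if isinstance(header, dict) else None
    if not isinstance(alg, str) or alg not in ALLOWED_ALGS:
        raise ValueError(f"unsupported alg: {alg!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        ALLOWED_ALGS[alg]).digest()
    # Constant-time comparison so the check leaks nothing through timing.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    exp = payload.get("exp") if isinstance(payload, dict) else None
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("token expired or missing exp")
    return payload


def token_status(token: str, secret: bytes, now: Optional[float] = None) -> str:
    """'ok' or the rejection reason; ValueError also covers JSON and base64 decode errors."""
    try:
        verify_jwt(token, secret, now)
    except ValueError as exc:
        return str(exc)
    return "ok"


if __name__ == "__main__":
    issued_at = int(time.time())
    token = sign_jwt({"sub": "your_client_id", "scope": "read search",
                      "iat": issued_at, "exp": issued_at + 1800}, DEMO_SECRET)
    print(token_status(token, DEMO_SECRET))                        # ok
    print(token_status(token, b"another-secret"))                  # bad signature
    print(token_status(token, DEMO_SECRET, now=issued_at + 1801))  # token expired or missing exp
```

Because HS* tokens are authenticated with a shared secret, anyone holding that secret can mint tokens that pass this check; the secret therefore belongs only on the server that issues and verifies, and rotating it invalidates every outstanding token at once, since there is no server-side token record to revoke.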

[Screenshot: Support standard OAuth 2.0 and JWT authentication]

Security Features


Field-Level Access Control — Control exactly which fields are exposed. Search fields can be independently configured to limit which fields are available for filtering.

Domain Filters — Server-side record filtering for restricted access. Users can only access records matching the configured domain, regardless of the domain they provide in requests.
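
The two controls above, field-level search restriction and a server-side domain, combine naturally in one piece of server logic. The following Python example is added here and is not the module's code; the records, the configured domain and the set of searchable fields are constructed sample data, and the evaluator covers only a subset of Odoo's domain operators. It parses the client's `domain` parameter with ast.literal_eval (which accepts literals only and can never execute code, the standard defence against injection through such a parameter), rejects any field that is not configured as searchable, ANDs the result with the configured domain so the client can narrow but never widen it, and evaluates the combined domain in Odoo's prefix notation.

```python
"""Server-side enforcement of a configured domain over a client-supplied one."""
import ast
import operator
from typing import Any, Dict, List, Set

# Operators understood by the evaluator below (a subset of Odoo's domain operators).
_CMP = {"=": operator.eq, "!=": operator.ne, ">": operator.gt,
        ">=": operator.ge, "<": operator.lt, "<=": operator.le}
ALLOWED_OPERATORS = set(_CMP) | {"in", "not in", "ilike"}

# Constructed sample data standing in for res.partner rows.
RECORDS = [
    {"id": 1, "name": "Azure Interior", "company_id": 1, "email": "azure@example.com"},
    {"id": 2, "name": "Brandon Freeman", "company_id": 1, "email": "brandon@example.com"},
    {"id": 3, "name": "Deco Addict", "company_id": 2, "email": "deco@example.com"},
]
SERVER_DOMAIN = [("company_id", "=", 1)]  # the configured Domain Filter (assumed)
SEARCH_FIELDS = {"id", "name", "email"}    # configured search fields; company_id is not one

def parse_client_domain(text: str, allowed_fields: Set[str]) -> list:
    """Validate the raw `domain` parameter: literals only, known fields, known operators."""
    try:
        raw = ast.literal_eval(text)  # never eval(): literal_eval cannot execute code
    except (ValueError, SyntaxError, MemoryError, RecursionError):
        raise ValueError("domain is not a literal list")
    if not isinstance(raw, list):
        raise ValueError("domain must be a list")
    terms: list = []
    for term in raw:
        if term in ("&", "|", "!"):
            terms.append(term)
            continue
        if not (isinstance(term, (list, tuple)) and len(term) == 3):
            raise ValueError(f"malformed term: {term!r}")
        fname, op, value = term
        if not isinstance(fname, str) or fname not in allowed_fields:
            raise ValueError(f"field not searchable: {fname!r}")
        if op not in ALLOWED_OPERATORS:
            raise ValueError(f"operator not allowed: {op!r}")
        terms.append((fname, op, value))
    return terms

def normalize(domain: list) -> list:
    """Make implicit ANDs explicit (prefix form), following Odoo's normalize_domain."""
    result, expected = [], 1
    for token in domain:
        if expected == 0:  # a complete expression precedes: AND it with what follows
            result.insert(0, "&")
            expected = 1
        expected += 1 if token in ("&", "|") else 0 if token == "!" else -1
        result.append(token)
    if domain and expected != 0:
        raise ValueError("domain is syntactically not correct")
    return result

def effective_domain(server_domain: list, client_domain: list) -> list:
    """AND the configured domain with the client's: the client can narrow, never widen."""
    return normalize(list(server_domain) + list(client_domain))

def _leaf_matches(term: tuple, record: Dict[str, Any]) -> bool:
    fname, op, value = term
    actual = record.get(fname)
    try:
        if op in _CMP:
            return bool(_CMP[op](actual, value))
        if op == "ilike":
            return str(value).lower() in str(actual).lower()
        return (actual in value) if op == "in" else (actual not in value)
    except TypeError:  # e.g. an integer field compared with a string value
        return False

def matches(domain: list, record: Dict[str, Any]) -> bool:
    """Evaluate a domain against one record; an empty domain matches everything."""
    tokens = normalize(domain)
    pos = 0

    def walk() -> bool:
        nonlocal pos
        token = tokens[pos]
        pos += 1
        if token == "!":
            return not walk()
        if token in ("&", "|"):
            left, right = walk(), walk()  # evaluate both so every token is consumed
            return (left and right) if token == "&" else (left or right)
        return _leaf_matches(token, record)

    return walk() if tokens else True

def search_ids(records: List[Dict[str, Any]], client_domain_text: str) -> List[int]:
    """Ids a Search request returns for this client under the configured domain."""
    client_domain = parse_client_domain(client_domain_text, SEARCH_FIELDS)
    domain = effective_domain(SERVER_DOMAIN, client_domain)
    return [r["id"] for r in records if matches(domain, r)]

def handle_search(records: List[Dict[str, Any]], client_domain_text: str) -> dict:
    """JSON-RPC envelope as in the responses above: a result key or an error key."""
    try:
        ids = search_ids(records, client_domain_text)
    except ValueError as exc:
        return {"jsonrpc": "2.0", "id": None, "error": {"message": str(exc)}}
    return {"jsonrpc": "2.0", "id": None, "result": {"length": len(ids), "records": ids}}
```

In a real Odoo deployment the combined domain would be handed to the model's search() rather than evaluated in Python; the point of the example is the order of operations: validate the client's input against the configured search fields first, then AND it with the server-side domain, so a request that names a field outside the allowlist (company_id here) is refused rather than silently widening the result set.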

ID Obfuscation — Protect sensitive database IDs from enumeration attacks. Integer IDs are automatically encoded into random-looking strings using the Hashids algorithm. API consumers never see the real database IDs, preventing unauthorized guessing of records.

Example

# Without ID Obfuscation
{"id": 42, "name": "John Doe"}

# With ID Obfuscation enabled
{"id": "gY5kp8", "name": "John Doe"}
Permission Scopes — Fine-grained permission control for client applications. Each application can be granted specific scopes that determine which operations are allowed.

Available Scopes

  • create - Create new records
  • read - Read individual records
  • update - Update existing records
  • delete - Delete records
  • search - Search and list records
  • rpc - Call custom methods (RPC)
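
The server-side logic behind the OAuth 2.0 opaque-token flow and the scope list above, written out as an added Python example (not taken from the module; the TokenStore class, the scope_for mapping and the sample application are assumptions for illustration). It issues a token only to an active client application whose secret matches, persists only a digest of the token, expires it after the 1800 seconds shown in the token response, and answers each operation with 401 or 403 when the token is invalid, expired, belongs to a disabled application, or lacks the required scope.

```python
"""Opaque OAuth 2.0 bearer tokens: issuance, expiry, application state and scope checks."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

TOKEN_TTL = 1800  # seconds; the expires_in value shown in the token response above
ALL_SCOPES = {"create", "read", "update", "delete", "search", "rpc"}


def scope_for(method: str, has_record_id: bool) -> str:
    """Map an operation from the Supported Operations table to the scope it requires."""
    table = {("GET", False): "search", ("GET", True): "read", ("POST", False): "create",
             ("PATCH", True): "update", ("DELETE", True): "delete"}
    key = (method.upper(), has_record_id)
    if key not in table:
        raise ValueError(f"no operation for {method.upper()} with id={has_record_id}")
    return table[key]


def digest(value: str) -> str:
    """Only digests are persisted, so a copied table yields no usable secret or token.

    A production store would run the client secret through a salted KDF as well.
    """
    return hashlib.sha256(value.encode()).hexdigest()


@dataclass
class ClientApp:
    client_id: str
    secret_digest: str
    scopes: Set[str]
    active: bool = True


@dataclass
class TokenRecord:
    client_id: str
    scopes: Set[str]
    expires_at: float


class TokenStore:
    """In-memory stand-in (hypothetical) for the application and token tables."""

    def __init__(self) -> None:
        self.apps: Dict[str, ClientApp] = {}
        self.tokens: Dict[str, TokenRecord] = {}  # keyed by digest(access_token)

    def register_app(self, client_id: str, client_secret: str,
                     scopes: Set[str], active: bool = True) -> None:
        unknown = set(scopes) - ALL_SCOPES
        if unknown:
            raise ValueError(f"unknown scopes: {sorted(unknown)}")
        self.apps[client_id] = ClientApp(client_id, digest(client_secret), set(scopes), active)

    def issue_token(self, client_id: str, client_secret: str,
                    now: Optional[float] = None) -> Optional[dict]:
        """Return the token response shown above, or None when the client is rejected."""
        now = time.time() if now is None else now
        app = self.apps.get(client_id)
        if app is None or not app.active:  # a disabled application gets no new tokens
            return None
        if not hmac.compare_digest(app.secret_digest, digest(client_secret)):
            return None
        access_token = secrets.token_urlsafe(32)  # 256 random bits: opaque and unguessable
        self.tokens[digest(access_token)] = TokenRecord(client_id, set(app.scopes), now + TOKEN_TTL)
        return {"access_token": access_token, "token_type": "Bearer",
                "expires_in": TOKEN_TTL, "scope": " ".join(sorted(app.scopes))}

    def authorize(self, access_token: str, required_scope: str,
                  now: Optional[float] = None) -> Tuple[int, str]:
        """Check a bearer token against one operation: (HTTP status, reason)."""
        now = time.time() if now is None else now
        record = self.tokens.get(digest(access_token))
        if record is None:
            return 401, "invalid token"
        if now >= record.expires_at:
            return 401, "token expired"
        app = self.apps.get(record.client_id)
        if app is None or not app.active:  # disabling an app also revokes its live tokens
            return 401, "application disabled"
        if required_scope not in record.scopes:
            return 403, "scope not granted"
        return 200, "ok"


if __name__ == "__main__":
    store = TokenStore()
    store.register_app("your_client_id", "your_secret", {"read", "search"})
    issued = store.issue_token("your_client_id", "your_secret")
    print(issued["token_type"], issued["expires_in"], issued["scope"])
    print(store.authorize(issued["access_token"], scope_for("GET", False)))   # (200, 'ok')
    print(store.authorize(issued["access_token"], scope_for("DELETE", True)))  # (403, 'scope not granted')
```

The application is re-checked on every authorize() call rather than only at issuance; that is what makes disabling a client application take effect immediately instead of at the next token expiry, and it is the behaviour the change log entry about disabled applications still obtaining tokens is concerned with.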

Advanced Features


RPC Method Calls — Expose custom model methods as API endpoints. Work with custom models as well.

Default Field Values — Configure default values for fields when creating records via API. Default values are automatically applied if the field is not provided in the request. Supports dynamic values like fields.Date.today() and record references.

Binary Field Handling — Return images and files as URLs or Base64.

Bulk Operations — Process multiple records in a single API request. Allow processing multiple records at once, improving efficiency for batch operations.

Example: Bulk Create

# Request
POST /api/partners
Content-Type: application/json

[
    {"name": "Partner A", "email": "a@example.com"},
    {"name": "Partner B", "email": "b@example.com"}
]

# Response: Array of created records
[
    {"id": "abc123", "name": "Partner A", "email": "a@example.com"},
    {"id": "def456", "name": "Partner B", "email": "b@example.com"}
]

Example: Bulk Update

# Update multiple records with same values
PATCH /api/partners
{"ids": ["abc123", "def456"], "active": false}

# Update multiple records with different values
PATCH /api/partners
[
    {"id": "abc123", "phone": "123-456-7890", "active": false},
    {"id": "def456", "phone": "098-765-4321", "active": false}
]
Field Aliases — Rename fields in API requests and responses without modifying the underlying model.

Example

# Database field: partner_id
# Alias: customer

# API Request can use alias:
POST /api/orders
{"customer": "gY5kp8", "order_total": 150.00}

# API Response uses alias:
{"customer": "gY5kp8", "order_total": 150.00}
Related Model Fields — Include related model data in API responses. Configure which fields from many2one, one2many, and many2many relations should be expanded and returned with the main record data.

Example

# Without related fields:
{"id": "abc123", "country_id": 42}

# With related fields configured (country_id fields: name, code):
{"id": "abc123", "country_id": [42, {"name": "United States", "code": "US"}]}

API Export


Export to Postman Collection — Export your APIs as a Postman Collection JSON file that can be directly imported into Postman. The wizard generates a complete collection with all endpoints, headers, and request templates organized by API folders.

Export to Swagger/OpenAPI — Export your APIs as an OpenAPI 3.0 specification JSON file. Compatible with Swagger UI, Swagger Editor, and any OpenAPI-compatible tool for documentation and testing.

Monitoring & Statistics


API Usage Statistics — Track API usage with built-in statistics. Monitor success rates, error counts, and average execution times for each API endpoint.

[Screenshot: API Usage Statistics]

Organization & Management


Categories — Organize APIs into logical categories for easier management. Categories help group related APIs and provide quick access.

Tags — Apply custom tags to APIs for flexible organization and filtering. Tags provide an additional layer of categorization beyond categories.

API Lifecycle States — Manage APIs through a clear lifecycle with three states: Draft (development), Active (published and accessible), and Inactive (disabled but preserved).

Testing & Development


Live API Testing — Test your APIs directly from the Odoo interface without external tools. The built-in test feature generates cURL commands and displays responses, making development and debugging faster.

Test Mode — Sandbox environment for development. Enable Test Mode for APIs or client applications to work in a sandbox environment. Perfect for development and testing without affecting production data.

Auto-Generated Endpoints — When an API is published, endpoints are automatically generated based on the configured operations. Each endpoint can be individually activated or deactivated.

Configuration Options


CORS Configuration — Configure Cross-Origin Resource Sharing (CORS) per API.

Multi-Model APIs — Expose multiple models through a single API route. When enabled, the model name becomes part of the URL path, allowing dynamic model selection.

Example

# Single API for multiple models
GET /api/:model

# Access different models:
GET /api/res.partner
GET /api/sale.order
GET /api/product.product
Authentication Modes — Public or user-based request execution.

Choose between two authentication modes for each API:

Mode     Description
Public   Requests execute under a configured "Run as User" account
User     Requests require authentication and execute under the authenticated user's permissions
Pagination & Ordering — Built-in support for pagination with configurable default limit. Search results include total count and support ordering by any field.

Query Parameters

Parameter   Description                 Example
domain      Filter records              [("active","=",True)]
offset      Skip first N records        20
limit       Maximum records to return   10
order       Sort order                  name asc, id desc

Error Handling


Response Types & Status Codes — Understand API responses and error patterns. Error handling in the API follows two main patterns: HTTP status codes and JSON response structure. A successful request will return a 200 status code with a "result" key in the response data, while errors can manifest either as non-200 HTTP status codes or as 200 responses containing an "error" key instead of a "result" key.

Response Type         HTTP Status   Response Structure                           How to Handle
Successful Response   200 OK        Contains "result" key with requested data    Process the data in the "result" object
Application Error     200 OK        Contains "error" key with error details      Check for "error" key before processing and handle the error message
HTTP Error            4xx or 5xx    May contain error details in response body   Handle based on status code (401 for authentication, 403 for permissions, 404 for not found, etc.)
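
A client-side handler for the three response types in the table, added here as an example and not part of the module: it separates a non-200 HTTP error, a 200 response carrying an "error" key, and a 200 response carrying "result", and maps the 401/403/404 cases to the action a client should take. The sample bodies are constructed; the application-error body follows the shape of Odoo's JSON-RPC error envelope, where the human-readable text sits under error.data.message.

```python
"""Client-side classification of Secure API responses into the three patterns above."""
import json
from typing import Any, Tuple

# What a client should do per status, following the 401/403/404 mapping in the table.
HTTP_ACTIONS = {
    401: "re-authenticate: obtain a fresh access token, then retry once",
    403: "do not retry: the application lacks the scope or the user lacks access rights",
    404: "do not retry: unknown route or the (obfuscated) record id does not resolve",
}

# Constructed sample bodies; the error body follows the shape of Odoo's JSON-RPC
# error envelope, where the readable message sits under error.data.message.
SAMPLE_SUCCESS = '{"jsonrpc": "2.0", "id": null, "result": {"id": "8blEP", "name": "Azure Interior"}}'
SAMPLE_APP_ERROR = ('{"jsonrpc": "2.0", "id": null, "error": {"code": 200, "message": "Odoo Server Error", '
                    '"data": {"name": "odoo.exceptions.AccessError", '
                    '"message": "You are not allowed to modify this record."}}}')


class ApiError(Exception):
    """kind is 'http' (non-200), 'application' (200 with error key) or 'protocol'."""

    def __init__(self, kind: str, status: int, message: str, action: str):
        super().__init__(f"{kind} error ({status}): {message}")
        self.kind, self.status, self.message, self.action = kind, status, message, action


def action_for_status(status: int) -> str:
    if status in HTTP_ACTIONS:
        return HTTP_ACTIONS[status]
    if 500 <= status < 600:
        return "retry later with backoff; the request itself may be fine"
    return "treat as a client bug: check route, method and payload"


def handle_response(status: int, body: str) -> Any:
    """Return the `result` payload, or raise ApiError for every other shape."""
    try:
        data = json.loads(body) if body.strip() else None
    except json.JSONDecodeError:
        data = None
    if status != 200:
        detail = data.get("error") if isinstance(data, dict) else None
        message = str(detail) if detail is not None else body[:200]
        raise ApiError("http", status, message, action_for_status(status))
    if not isinstance(data, dict):
        raise ApiError("protocol", status, "body is not a JSON object", "inspect the raw body")
    if "error" in data:  # status 200 but no usable result: check this before touching result
        err = data["error"]
        message = str(err)
        if isinstance(err, dict):
            inner = err.get("data") if isinstance(err.get("data"), dict) else {}
            message = str(inner.get("message") or err.get("message") or err)
        raise ApiError("application", status, message, "fix the request; do not retry blindly")
    if "result" not in data:
        raise ApiError("protocol", status, "neither result nor error key", "inspect the raw body")
    return data["result"]


def classify(status: int, body: str) -> Tuple[str, Any]:
    """(kind, payload): kind is 'ok', 'http', 'application' or 'protocol'."""
    try:
        return "ok", handle_response(status, body)
    except ApiError as exc:
        return exc.kind, exc.message


if __name__ == "__main__":
    for status, body in [(200, SAMPLE_SUCCESS), (200, SAMPLE_APP_ERROR), (401, ""),
                         (403, '{"error": "insufficient_scope"}'), (503, "Service Unavailable")]:
        kind, payload = classify(status, body)
        print(status, kind, payload, "" if kind in ("ok", "application") else action_for_status(status))
```

The ordering inside handle_response is the practical lesson: a 200 status alone proves nothing, so the "error" key is tested before "result" is read, and a body that is neither valid JSON nor an object is reported as a protocol problem rather than being mistaken for success.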

Update History

February 03, 2026 (*.0.0.6) - New Feature
  • Added RPC Response Encode feature: allows users to choose how RPC response IDs are encoded (Manual, By Suffix, or By Model definition) when Id Obfuscation is enabled
January 25, 2026 (*.0.0.5) - Performance Optimization & Bug Fixes
  • Optimized statistics collection mechanism to use periodic batch updates instead of real-time synchronous updates, eliminating concurrent write conflicts and improving system throughput
  • Fixed rendering issue when "Usage Statistics" checkbox was unchecked in the configuration form
January 05, 2026 (*.0.0.4) - New Features
  • Added ability to configure field alias in API
  • Added support for JWT authentication
December 21, 2025 (*.0.0.3) - New Features, Improvements & Bug Fixes
  • Added new feature: Export API to Swagger
  • Added "api_id" and "app_id" to context
  • Improved obfuscated API data decoding to only apply on relation fields
  • Improved GET and DELETE requests to no longer require the "Content-Type: application/json" header
  • Fixed a command injection vulnerability in the "domain" parameter of search API
  • Fixed a bug where data rollback was not working correctly on error
  • Fixed bug: nested child data causes error when using "web_search_read" on Odoo 17+
December 10, 2025 (*.0.0.2) - Bug Fixes
  • Fixed a bug where the API Management menu was missing in Settings on Odoo 17, 18, and 19
  • Fixed a coding error in "secure_api/controllers/api_binary.py"
  • Fixed a bug where disabled client applications could still generate access tokens
  • Fixed an issue where expired access tokens displayed an incorrect state
July 12, 2025 (*.0.0.1) - Initial Release
  • First version of the addon

Technical Support


Need help with the Secure API module? Contact our technical support team for assistance with installation, configuration, customization, or any questions.

For test purposes before buying, please contact:

Channel    Contact
Email      sales@minhng.info
Telegram   @minhng92

Secure API for Odoo — Secure, flexible, and powerful API management.

Odoo Proprietary License v1.0

This software and associated files (the "Software") may only be used (executed,
modified, executed after modifications) if you have purchased a valid license
from the authors, typically via Odoo Apps, or if you have received a written
agreement from the authors of the Software (see the COPYRIGHT file).

You may develop Odoo modules that use the Software as a library (typically
by depending on it, importing it and using its resources), but without copying
any source code or material from the Software. You may distribute those
modules under the license of your choice, provided that this license is
compatible with the terms of the Odoo Proprietary License (For example:
LGPL, MIT, or proprietary licenses similar to this one).

It is forbidden to publish, distribute, sublicense, or sell copies of the Software
or modified copies of the Software.

The above copyright notice and this permission notice must be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
DEALINGS IN THE SOFTWARE.
