Skip to Content

REST API Builder Pro

by
Odoo

69.10

v 18.0 Third Party
Availability
Odoo Online
Odoo.sh
On Premise
Odoo Apps Dependencies Discuss (mail)
Lines of code 5577
Technical Name ld_api_gateway
LicenseOPL-1
Websitehttps://lutfi.dev
You bought this module and need support? Click here!
Availability
Odoo Online
Odoo.sh
On Premise
Odoo Apps Dependencies Discuss (mail)
Lines of code 5577
Technical Name ld_api_gateway
LicenseOPL-1
Websitehttps://lutfi.dev
ODOO 18 · REST API BUILDER

Build a Production REST API for Odoo
in 3 Clicks — No Code

A complete REST gateway in one module: 3-step wizard, 30 model presets, OAuth2 server, scoped API keys, session tokens, sliding-window rate limits, and a webhook dispatcher with retry.

✓ 60 automated tests ✓ OPL-1 licensed ✓ EN + ID translations ✓ Lifetime 18.0 updates
REST API Builder Pro for Odoo 18 - dashboard with active resources, API keys, OAuth apps and request volume counters plus three onboarding cards

Stop writing controllers. Ship REST APIs.

Hand-coding a single REST endpoint in Odoo costs hours of routing, auth, serialization, pagination, and error handling. This module turns that into a 3-click wizard.

Speed lightning icon

Save 40+ hours per project

Replace hundreds of lines of controller code with a 3-click wizard. Any Odoo model exposed in minutes.

Security shield icon

Secure by default

Scope enforcement, IP whitelist, rate limiting, and field whitelist. Block leaks before they happen.

Mobile device icon

Mobile-ready

A single endpoint exchanges Odoo login for a session bearer token. Skip the OAuth2 redirect dance.

A guided start, not a manual

The first thing you see after install is a Getting Started page that walks you through every onboarding flow with live KPI counters.

REST API Builder Pro Getting Started page in Odoo 18 with KPI counters and three onboarding cards

Model to live REST endpoint — in 3 clicks

Choose a model · pick operations · set authentication. The resource is generated as a draft, ready for one-click activation.

1 Open the wizard
Step 1 of the Create API Resource wizard with empty Odoo Model dropdown and operation toggles
2 Pick model + operations
Create API Resource wizard filled with model auto-generated resource name API path slug and operations enabled
3 Activate the resource
Newly created REST API resource in Draft state with Activate button status pipeline and 3-step setup checklist banner

Everything you need, in one module

Most REST API modules stop at basic CRUD. This bundle ships every production essential.

Builder tool icon
No-Code REST Resource Builder

One api.resource record = one REST resource. Pick a model, toggle CRUD — zero Python.

OAuth2 lock icon
OAuth2 Provider with PKCE

Authorization Code with PKCE, Client Credentials, Refresh Token grants. Consent page included.

API key icon
API Key Management with Scopes

Read/write/delete scopes as checkboxes. IP whitelist. Zero-downtime rotation with 24h grace period.

Rate limiter gauge icon
Sliding-Window Rate Limits

Per-user, per-key, or per-IP windows. Returns 429 with a Retry-After header.

Webhook broadcast icon
Webhook Dispatcher with HMAC

Deliver to any URL with HMAC signature. Exponential backoff retry. Full delivery log.

Field whitelist icon
Field Whitelist & Read-Only

Pick which fields each resource exposes. Mark fields read-only against POST/PUT.

Audit log icon
Full Request Audit Log

Method, path, auth identity, status, latency. Search and filter in standard Odoo list view.

Tests passing icon
60 Automated Tests

Key rotation, OAuth2 handshake, webhook retry, scope enforcement — all covered.

One form, six tabs — every knob in reach

Model selection, operation toggles, authentication, endpoint overrides, advanced behavior, sandbox tester — all on one resource form.

Quick Setup tab on the API resource form with toggles for GET POST PUT DELETE operations and Generate Endpoints button

Quick Setup tab — toggle CRUD operations, click Generate Endpoints.

Endpoints tab listing Login Logout Refresh Token endpoints with HTTP method badges path suffix full path auth method and active state

Endpoints tab — every HTTP method as a row, with per-endpoint auth override.

REST API resource form Model and Fields tab with Odoo Model picker Base Path slug Domain Filter and Field Visibility plus Write Protection panels

Model & Fields

Auth and Security tab with Auth Method radio API Key OAuth2 Session Token Public and Pagination defaults

Auth & Security

Granular API key & token management

Every server-to-server integration gets its own scoped key. Rotate without downtime, whitelist IPs, expire on a schedule, audit usage.

API Key form with Generate Key Rotate Key Revoke buttons identity user database fields scope checkboxes for GET Read POST PUT Write DELETE

API Key form — one-click Rotate, scope checkboxes, hard expiry, IP whitelist.

What you get vs the alternatives

REST API BUILDER PRO · $69

Bundled, in this module

  • ✓ 3-step wizard + 30 presets
  • ✓ OAuth2 (Auth Code + PKCE)
  • ✓ API key management + rotation
  • ✓ Session tokens for mobile apps
  • ✓ Rate limiting per user/key/IP
  • ✓ Webhook dispatcher + retry + HMAC
  • ✓ API Playground / sandbox
  • ✓ Full request audit log
  • ✓ Config-file-free setup
OTHER MODULES

Typically require add-ons

  • — Manual JSON config (no wizard)
  • — OAuth2 only on premium tiers
  • — Manual key rotation
  • — Mobile login via OAuth2 only
  • — No rate limiting
  • — No webhook dispatcher
  • — No sandbox
  • — Partial audit log
  • — Edits to odoo.conf required

6 real-world scenarios you can ship today

Every scenario below has a working end-to-end recipe in the module documentation.

Mobile icon Mobile field-team app

Field team logs in with Odoo credentials, browses customers, creates quotations.

Setup: auth=session_token, read-only.

Code icon No-code automation tool

External form submissions become Odoo leads via webhook-based automation tools.

Setup: auth=api_key, write-only scope.

Database icon External BI dashboard

Any analytics tool pulls business data on schedule. Field whitelist hides PII.

Setup: auth=api_key, read-only, field whitelist.

Rate limiter icon IoT device telemetry

Factory gateway posts sensor readings every 30 seconds. IP-restricted to LAN.

Setup: service-account key + IP CIDR whitelist.

CORS icon Headless product catalog

Modern JS frontend lists products without authentication. Rate limit prevents scraping.

Setup: auth=public, CORS=*.

Security icon Admin tool with scope gating

Internal admin can delete; auditors can only read. Same endpoint, different keys.

Setup: full CRUD resource, two keys with different scopes.

A real request, end to end

Two curl commands — that is the whole onboarding for a mobile client.

1. Exchange login for token
curl -X POST https://your-odoo.com/api/auth/token \
  -H "Content-Type: application/json" \
  -d '{"grant_type":"password","login":"user@co.com","password":"..."}'

# Response
{"access_token":"st_kXpqY...","token_type":"Bearer","expires_in":86400}
2. Use the token
curl https://your-odoo.com/api/partners \
  -H "Authorization: Bearer st_kXpqY..."

# Response
{"count":145,"limit":80,"offset":0,"records":[
  {"id":1,"name":"Acme Inc.","email":"info@acme.example","is_company":true}
]}

Frequently asked questions

Does Odoo 18 have a built-in REST API?

Odoo exposes XML-RPC and JSON-RPC, not proper REST. No API keys, no OAuth2, no rate limiting, no webhook dispatcher. This module adds all of that without modifying Odoo core.

Can I expose custom models?

Yes. Any model in the Odoo registry — core, OCA, or custom — appears in the model picker. Zero Python changes in your module.

How do I rotate a key without breaking integrations?

Click Rotate Key. The previous token stays valid for a 24-hour grace period while clients pick up the new one. After the grace window, the old token is auto-revoked.

Does it slow down my Odoo instance?

The dispatcher reuses Odoo's standard ORM path — same cost as a regular RPC. Rate limiting uses an indexed sliding-window counter. Typical overhead: <2 ms per request.

Supported standards
  • RFC 6749 — OAuth 2.0
  • RFC 7636 — PKCE
  • RFC 7519 — JWT-style bearer tokens
  • HTTP/1.1 & HTTP/2 (werkzeug)
  • CORS & HMAC-SHA256 signatures
Requirements
  • Odoo 18 Community or Enterprise
  • Python 3.10+
  • PostgreSQL 12+
  • No external services required
  • No internet at runtime

Built by Lutfi Dev

Active Odoo 18 developer since 2023, specialized in multi-branch warehouse and backend integrations. All modules ship with automated tests, English + Indonesian translations, and long-term maintenance.

Support: hello@lutfi.dev

REST API Builder Pro

Version:18.0.2.0.0
License:OPL-1
Author:Lutfi Dev
Support:hello@lutfi.dev

Expose any Odoo model as a production-ready REST API in under 5 minutes — no code required. All-in-one gateway with OAuth2, API keys, session tokens, rate limiting, and webhooks.

Overview

REST API Builder Pro replaces hand-written controllers with a point-and-click resource builder. One record in api.resource defines the full CRUD surface on any Odoo model — core (res.partner, sale.order), OCA, or custom.

Key differentiators vs the rest of the Apps Store:

  • No-code resource builder — 3-click wizard
  • All-in-one — REST + OAuth2 + API keys + session tokens + rate limiting + webhooks
  • Scope enforcement — read / write / delete as separate Boolean gates
  • Session tokens — mobile-friendly password grant (/api/auth/token)
  • Blue-ocean feature: rate limiting — no competitor on apps.odoo.com offers this

Installation

  1. Download or clone into your addons path.
  2. Update the Odoo apps list (Settings → Apps → Update Apps List).
  3. Search "REST API Builder Pro" and click Install.
  4. Open the new API Resources menu in the top bar.

Dependencies

  • base, mail, web (all ship with Odoo 18)

No external services required. No internet connection needed at runtime.

Quick Start

Expose res.partner as a REST API in under 2 minutes.

Step 1 — Open the wizard

Navigate to API Resources → Create API. A 3-step wizard opens.

Step 2 — Configure the resource

  • Model: pick res.partner
  • Operations: toggle List, Get by ID, Create
  • Authentication: choose API Key
  • Click Create Resource

The URL path is auto-generated as /api/res_partner.

Step 3 — Generate an API key

Go to API Keys → New. Give it a name, assign a user, pick scopes (read, write, delete), and click Generate Key. The raw key is shown once — copy it immediately.

Step 4 — Call your API

# List partners
curl https://your-odoo.example.com/api/res_partner \
  -H "Authorization: Bearer sk_..."

# Get one
curl https://your-odoo.example.com/api/res_partner/42 \
  -H "Authorization: Bearer sk_..."

# Create
curl -X POST https://your-odoo.example.com/api/res_partner \
  -H "Authorization: Bearer sk_..." \
  -H "Content-Type: application/json" \
  -d '{"name": "Acme Inc.", "email": "info@acme.example"}'

Authentication Modes

Four authentication modes, configured per resource.

Mode Header When to use
public (none) Public catalogs, product listings, read-only content
api_key Authorization: Bearer sk_... Server-to-server (automation tools, cron jobs, BI tools)
session_token Authorization: Bearer st_... Mobile apps / SPAs after login with username+password
oauth2 Authorization: Bearer at_... Third-party apps that need user-consent flow

Session tokens (password grant)

Exchange an Odoo login for a bearer token:

curl -X POST https://your-odoo.example.com/api/auth/token \
  -H "Content-Type: application/json" \
  -d '{
    "grant_type": "password",
    "login": "user@example.com",
    "password": "..."
  }'

Response (200):

{
  "access_token": "st_kXpqY...",
  "token_type": "Bearer",
  "expires_in": 86400,
  "user_id": 42
}

Revoke a session token:

curl -X POST https://your-odoo.example.com/api/auth/revoke \
  -H "Authorization: Bearer st_kXpqY..."

OAuth2 provider

Supported grant types:

  • Authorization Code + PKCE — for mobile apps and SPAs
  • Client Credentials — for server-to-server
  • Refresh Token — transparent token renewal

Authorization endpoint: /oauth/authorize Token endpoint: /oauth/token

Configure applications at Configuration → OAuth2 Applications.

Scope Enforcement

Every API key and session token has three Boolean scopes:

Scope HTTP Methods Default
read GET on
write POST, PUT, PATCH off
delete DELETE off

A read-only key that tries to POST receives:

HTTP/1.1 403 Forbidden
Content-Type: application/json

{
  "error": "insufficient_scope",
  "error_description": "Scope \"write\" is required for POST requests. This token has: read",
  "required_scope": "write"
}

Rate Limiting

Configure limits at Configuration → Rate Limit Rules.

Each rule specifies:

  • Scope — per user, per key, or per IP
  • Requests per period — e.g. 100
  • Period — minute, hour, day
  • Action — block (429) or log only
  • Applies to — a path pattern (/api/orders/*)

When a limit is exceeded, the dispatcher returns:

HTTP/1.1 429 Too Many Requests
Retry-After: 23
Content-Type: application/json

{
  "error": "rate_limit_exceeded",
  "retry_after": 23
}

Webhook Dispatcher

Subscribe to Odoo model events and deliver JSON to any URL.

Create a subscription at Configuration → Webhooks:

  1. Set a target URL (e.g. https://your-app.example.com/hooks/partner-created)
  2. Pick events to subscribe (Partner Created, Sale Order Confirmed, etc.)
  3. Set a signing secret (for HMAC-SHA256 signature on X-Webhook-Signature header)
  4. Configure retry policy: max attempts + backoff

Delivery logs show status, response body, and latency for each attempt.

Resource Configuration

Each api.resource has these fields:

Field Purpose
base_path URL path prefix (must start with /api/)
model_id Odoo model to expose
op_list / op_get / op_create / op_update / op_delete Individual operation toggles (5 booleans)
auth_method public / api_key / session_token / oauth2
domain ORM domain restricting which records are accessible
field_ids Whitelisted fields returned in responses (empty = all)
readonly_field_ids Fields that cannot be set via POST/PUT
default_limit / max_limit Pagination controls
cors_allowed_origins CORS configuration (* or specific domain)

Use Cases

Mobile Sales App

  • auth_method=session_token, read-only resource
  • domain=[('is_company', '=', True)]
  • Mobile app calls POST /api/auth/token to login, then lists customers

No-Code Automation Tool Integration

  • auth_method=api_key, create-only resource (op_list=False, op_get=False)
  • API key scope = write only (cannot read or delete)
  • External form trigger -> automation tool -> POST /api/leads

BI Dashboard

  • auth_method=api_key, op_list=True, all other ops = False
  • Field whitelist: ['id', 'name', 'amount_total', 'date_order', 'state']
  • Rate limit: 60 requests/minute per key

IoT Device Telemetry

  • API key with user_id=False (service account)
  • IP whitelist: 127.0.0.1, 10.0.0.0/8
  • Factory gateway posts sensor readings every 30 seconds

Public Product Catalog

  • auth_method=public, list + detail only
  • domain=[('sale_ok', '=', True)]
  • CORS: * (or specific frontend domain)

Admin Tool with Scope Gating

  • Full CRUD resource with auth_method=api_key
  • Two keys issued: one with delete scope, one without
  • Same endpoint, different permission surface per key

Testing

The module ships with 60 automated tests covering:

  • API key generation, rotation, revocation
  • OAuth2 authorization code + PKCE flow
  • Client Credentials grant
  • Refresh token rotation
  • Webhook delivery with retry & HMAC
  • Rate limit sliding window
  • Scope enforcement (403 on insufficient scope)

Run tests:

odoo-bin -c odoo.conf --test-enable -u ld_api_gateway -d your-db --stop-after-init

Troubleshooting

Resource returns 404
Ensure the resource state is active (not draft or inactive).
Bearer token rejected
Check that the key's state is active (not revoked or expired). Session tokens expire after 24h — issue a new one via /api/auth/token.
CORS errors in browser
Set cors_allowed_origins on the resource to * or your specific domain.
Webhook deliveries stuck
Check Delivery Logs on the subscription. Failed deliveries retry with exponential backoff up to retry_max_attempts.

Changelog

18.0.2.0.0 (2026-04)

  • NEW: api.resource model — no-code REST builder (replaces per-method api.endpoint)
  • NEW: Session tokens — POST /api/auth/token password grant
  • NEW: Scope enforcement — read/write/delete as Boolean gates on keys & tokens
  • NEW: Resource wizard — 3-step quick setup dialog
  • CHANGED: API key UI — scope checkboxes replace free-text scopes field
  • CHANGED: All strings now English with Indonesian translation
  • Legacy api.endpoint records still supported (backward-compatible)

18.0.1.3.0 (2026-02)

  • OAuth2 provider with Authorization Code + PKCE, Client Credentials
  • API key management with rotation
  • Rate limiting (sliding window)
  • Webhook manager with retry & HMAC

License

OPL-1 (Odoo Proprietary License v1.0). One paid license per Odoo database. Lifetime updates for Odoo 18. Support via hello@lutfi.dev.

Odoo Proprietary License v1.0

This software and associated files (the "Software") may only be used (executed,
modified, executed after modifications) if you have purchased a valid license
from the authors, typically via Odoo Apps, or if you have received a written
agreement from the authors of the Software (see the COPYRIGHT file).

You may develop Odoo modules that use the Software as a library (typically
by depending on it, importing it and using its resources), but without copying
any source code or material from the Software. You may distribute those
modules under the license of your choice, provided that this license is
compatible with the terms of the Odoo Proprietary License (For example:
LGPL, MIT, or proprietary licenses similar to this one).

It is forbidden to publish, distribute, sublicense, or sell copies of the Software
or modified copies of the Software.

The above copyright notice and this permission notice must be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
DEALINGS IN THE SOFTWARE.

Please log in to comment on this module

  • The author can leave a single reply to each comment.
  • This section is meant to ask simple questions or leave a rating. Every report of a problem experienced while using the module should be addressed to the author directly (refer to the following point).
  • If you want to start a discussion with the author or have a question related to your purchase, please use the support page.