| Field | Value |
|---|---|
| Availability | Odoo Online, Odoo.sh, On Premise |
| Odoo Apps Dependencies | Discuss (mail) |
| Lines of code | 8691 |
| Technical Name | atliis_rest_api |
| License | OPL-1 |
| Website | https://www.atliis.com/ |
| Versions | 18.0, 19.0 |
REST API Toolkit
The most complete REST API layer for Odoo 19
Launch mobile apps, portals, dashboards, middleware, and AI workflows on top of Odoo data with secure REST endpoints, OAuth2 client credentials, field-level access rules, atomic batch operations, upsert/external ID sync, delta change feed, record copy endpoint, multi-company context via X-Company-Id header, response language via Accept-Language, X-Request-ID end-to-end tracing, X-RateLimit-* headers on every response, webhook delivery queue with HMAC signing and one-click secret rotation, request/response audit logging, admin token management API, downloadable JS/Python/PHP SDKs, dynamic OpenAPI spec, and Swagger documentation — all managed from the Odoo backend.
Production-ready REST APIs for Odoo data
Expose allowed Odoo models through clean JSON endpoints with model-level controls, bearer authentication, relational expansion, batch operations, and consistent response envelopes.
REST Core
CRUD endpoints, PATCH partial updates, count, batch (partial or
atomic), upsert with external ID sync, delta change feed, record copy
(POST /copy), hard delete (?force=true), and archive and restore
support.
Authentication & Key Permissions
Session login, bearer API keys, OAuth2 client credentials, and Basic auth. Admins create API keys and assign per-key model access — choosing exactly which models each key can reach and which CRUD operations are allowed. Add field-level allowlists, blocklists, rate limits, and expiry dates per key.
Admin Control
Configure model allow-lists, CRUD toggles, per-model domain restrictions, caller origins,
CORS, and log retention from Odoo. Scope requests to a specific company via the
X-Company-Id header. Set response language via Accept-Language or
?lang=. View per-key usage graphs and pivot tables, and clear all logs in one
action.
Developer Experience
Swagger UI, dynamic OpenAPI spec with concrete model paths, Postman collection, and
downloadable SDK files for JavaScript, Python, and PHP. Every response includes an
X-Request-ID tracing header and X-RateLimit-Limit,
X-RateLimit-Remaining, and X-RateLimit-Reset headers — no
guessing when to back off.
See it in action
Screenshots: API Settings & Model Access Control; API Key Management; Request Audit Logs; Analytics Dashboard; Swagger / OpenAPI Documentation
A packaged integration layer on top of Odoo
Odoo provides powerful external APIs. REST API Toolkit adds clean REST-style routes, backend controls, Swagger documentation, request logs, and frontend-friendly JSON without building that layer from scratch.
Frontend Friendly
Pagination, sorting, field selection, filtering, relational expansion, and consistent JSON envelopes make mobile and portal work simpler.
Odoo Security First
Requests respect standard Odoo ACLs and record rules, with optional model domains and per-key model scopes for extra control.
Operational Visibility
Request logs capture method, path, user, IP, origin, API key, status,
duration, error details, and the X-Request-ID for end-to-end tracing. The
Analytics dashboard breaks down traffic by endpoint and API key in bar graphs and pivot
tables. Admins can clear all logs instantly when needed.
Configure access and start calling APIs
Enable the models you want to expose, authenticate through session login or API keys, then use versioned REST routes for reads, writes, batch operations, and metadata discovery.
Endpoint Snapshot
Authentication
Use /api/v1/auth/login, /api/v1/auth/logout,
/api/v1/user/me, API
key generation, password change, and password reset endpoints.
Model Routes
Call /api/v1/<model>,
/api/v1/<model>/<id>, count, archive, restore, batch,
and field metadata endpoints.
Documentation
Open interactive Swagger UI at /api/docs or fetch OpenAPI JSON from
/api/swagger.json.
Integration Ready
Use the Swagger page to inspect request bodies, response structures, authentication headers, model routes, and query parameters before connecting your client application.
Install and Enable the Module
Copy atliis_rest_api into your Odoo addons path, update the app list, install REST API Toolkit, and restart Odoo if your deployment
requires it.
The module is designed for Odoo 19 deployments including Community, Enterprise, Odoo.sh, and on-premise environments.
Allow Models and Operations
In the REST API configuration, add the Odoo models you want to expose. Enable read, create, update, delete, archive, and restore behavior only where your integration needs it.
Add optional domain restrictions to limit exposed records, configure allowed origins for browser clients, and set log retention based on your production policy.
Create API Keys with Model-Level Permissions
Admins create and manage bearer API keys directly from the REST API backend menu — no external API call or CLI needed. Each key is independently configured with its own access rules before it is issued to a client.
Per-key settings available to administrators:
- Model access: choose exactly which Odoo models the key can reach — the key is silently rejected for any model not on its list.
- CRUD toggles per model: independently enable or disable read, create, update, delete, archive, and restore for each allowed model.
- Domain restriction per model: add an Odoo domain filter to limit which records within a model the key can see or modify.
- Field-level rules: allowlist the fields a key may read or write, or blocklist specific sensitive fields, per model.
- Rate limit: set a maximum number of requests per minute for the key.
- Expiry date: keys automatically stop working after the configured date.
The generated key value is shown once after creation with a copy widget. Use the Clear Key button to remove it from the database once it has been saved securely by the client.
Send the key with the Authorization: Bearer <token> header. All requests still
respect the underlying Odoo user's ACL and record rules — the key permissions narrow access further
but can never grant more than the Odoo user already has.
Read and Write Odoo Records
Use GET for lists and records, POST for creates, PATCH for
partial updates, PUT for full updates, and DELETE where deletion is
allowed. Duplicate any record with POST /api/v1/<model>/<id>/copy —
pass an optional JSON body to override fields on the copy. Use ?force=true on DELETE
to permanently remove records that would otherwise be archived.
Query parameters support limit, page, offset,
sort, fields, filter, expand, and
lang for nested relational data and localized field values.
Use Advanced Features
Use atomic batch for all-or-nothing grouped operations with PostgreSQL savepoint rollback. Use
upsert to create-or-update by external ID or unique field. Use the change feed
(/changes?since=) for efficient incremental sync without polling all records. Subscribe
to outbound webhooks and manage them via the REST API — rotate the HMAC signing secret at any time
with the Rotate Secret button in the webhook form. Download ready-to-use SDK files for JavaScript,
Python, and PHP from the Developer Exports section.
Send X-Company-Id to scope any request to a specific company in multi-company
deployments. Send Accept-Language (or ?lang=) to receive field values
in a specific language. Every response returns an X-Request-ID for tracing and
X-RateLimit-Limit / X-RateLimit-Remaining / X-RateLimit-Reset
headers so clients know exactly when to back off. Review request and response audit logs in Odoo
filtered by API key, user, method, or status. The Analytics dashboard shows traffic broken down by
endpoint and API key. Clear all logs in one action when needed.
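A receiver-side check for the HMAC-signed webhooks and secret rotation described above, as an added example that is not the module's own code. The page does not document the signature header or encoding, so this assumes a hex HMAC-SHA256 over the raw request body; the payload fields, secrets and the overlap window that still accepts the previous secret are constructed for illustration.

```python
import hashlib
import hmac
import json


def sign(secret, raw_body):
    """Hex HMAC-SHA256 over the exact bytes sent on the wire (assumed scheme)."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(raw_body, signature, secrets):
    """Return the label of the secret that authenticates raw_body, else None.

    secrets is an ordered list of (label, secret_bytes), current secret first.
    Keeping the previous secret for a short overlap lets deliveries signed
    before a rotation still verify; drop it once the overlap has passed.
    """
    if not signature:
        return None
    presented = signature.strip().lower().encode("utf-8")
    matched = None
    for label, secret in secrets:
        expected = sign(secret, raw_body).encode("ascii")
        # Constant-time compare, and every secret is always checked.
        if hmac.compare_digest(expected, presented) and matched is None:
            matched = label
    return matched


# Constructed sample data: secrets and payload are illustrative only.
CURRENT = b"constructed-secret-after-rotation"
PREVIOUS = b"constructed-secret-before-rotation"
SECRETS = [("current", CURRENT), ("previous", PREVIOUS)]
RAW_BODY = b'{"event": "update", "model": "res.partner", "id": 42}'


def demo():
    good_sig = sign(CURRENT, RAW_BODY)
    old_sig = sign(PREVIOUS, RAW_BODY)
    # Re-serialising parsed JSON changes the bytes, so the signature no longer
    # matches: always verify the raw body before parsing it.
    reserialised = json.dumps(json.loads(RAW_BODY), separators=(",", ":")).encode()
    return {
        "new_secret": verify_webhook(RAW_BODY, good_sig, SECRETS),
        "old_secret": verify_webhook(RAW_BODY, old_sig, SECRETS),
        "tampered": verify_webhook(RAW_BODY.replace(b"42", b"43"), good_sig, SECRETS),
        "reserialised": verify_webhook(reserialised, good_sig, SECRETS),
        "missing": verify_webhook(RAW_BODY, None, SECRETS),
        "after_overlap": verify_webhook(RAW_BODY, old_sig, SECRETS[:1]),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:14s} -> {result}")
```

Logging which label matched shows when senders have stopped using the previous secret, which is the signal that it can be removed from the receiver.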
Shape API output for each client
Fetch only the data your integration needs, then expand related records when the client needs richer nested JSON.
Pagination and Sorting
Use limit, page, offset, and
sort for list screens and large datasets.
Field Selection
Use fields to return only the columns required by a mobile
app, portal page, or integration job.
Relational Expansion
Use expand to include related records directly in the
response, including nested expansion up to 4 levels deep.
Binary Output
Use optional binary data URL output when frontend clients need image or attachment data in a directly consumable format.
Everything included in REST API Toolkit
A full view of what is available in REST API Toolkit for Odoo 19.
| Feature | REST API Toolkit |
|---|---|
| Core CRUD | |
| CRUD endpoints for allowed models | ✓ |
| Pagination, sorting, field selection, filter | ✓ |
| Relational expansion (nested, up to 4 levels) | ✓ |
| Bulk read by ID list (/bulk) | ✓ |
| Archive / restore support | ✓ |
| Batch create / update / delete | ✓ |
| Atomic batch (PostgreSQL savepoint rollback) | ✓ |
| Upsert / external ID sync (/upsert) | ✓ |
| Delta change feed (/changes?since=) | ✓ |
| Record copy / duplicate (POST /api/v1/<model>/<id>/copy) | ✓ |
| Hard delete bypass for archived records (?force=true) | ✓ |
| Authentication & Security | |
| Session login / logout | ✓ |
| Bearer API keys | ✓ |
| OAuth2 client credentials flow | ✓ |
| Basic auth | ✓ |
| Per-key model scopes (CRUD toggles + domain) | ✓ |
| Field-level access rules (allowlist + blocklist per key/client) | ✓ |
| Idempotency key support | ✓ |
| Multi-company context via X-Company-Id request header | ✓ |
| Response language via Accept-Language header or ?lang= param | ✓ |
| Webhooks | |
| Outbound webhook delivery | ✓ |
| HMAC-SHA256 signing secret | ✓ |
| Retry queue with configurable delay | ✓ |
| Webhook management via REST API (CRUD + test) | ✓ |
| Webhook signing secret rotation (one-click in admin form) | ✓ |
| Admin & Observability | |
| Request log (method, path, user, IP, status, duration) | ✓ |
| Per-key usage analytics dashboard | ✓ |
| Request payload + response summary audit logging | ✓ |
| Admin token management REST API (keys, OAuth clients, tokens) | ✓ |
| X-Request-ID tracing on every response — auto-generated or client-supplied, stored in log | ✓ |
| Developer Experience | |
| Swagger UI at /api/docs | ✓ |
| OpenAPI 3.0 JSON | ✓ |
| Dynamic OpenAPI spec (concrete paths for configured models) | ✓ |
| Postman collection download | ✓ |
| SDK downloads (JavaScript, Python, PHP) | ✓ |
| Rate limiting (database-shared across workers + memory fallback) | ✓ |
| Rate limit headers on every response (X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset) | ✓ |
| Custom endpoints (admin-configured search / server action) | ✓ |
| Allow-listed model method calls | ✓ |
| Report rendering (PDF, HTML, text) | ✓ |
| Attachment upload / download | ✓ |
Common questions
Which Odoo versions are supported?
The module is designed for Odoo 19 deployments including Odoo.sh and on-premise environments.
Does it support custom models?
Yes. Generic model-driven endpoints work with both standard and custom Odoo models after those models are allowed in the REST API configuration.
Does it enforce Odoo ACL permissions?
Yes. API requests follow standard Odoo ACL and record rules automatically, with optional model domains and API key scopes for added control. Admins can create, revoke, and delete keys directly from the backend, and view per-key usage analytics in the Analytics dashboard. After creating a key, the generated value is stored temporarily so admins can copy it — use the Clear Key button to remove it from the database once copied. The key field is only accessible to users with System Administrator rights.
Does the API support relational data expansion?
Yes. Use the expand query parameter to include related records directly
inside the response without performing multiple API calls.
Can relational expansion go multiple levels deep?
Yes. Nested relational expansion supports up to 4 levels deep for hierarchical data retrieval in a single request.
Can I apply filters inside relational expansion?
Yes. Each expanded relational field can include filtering, sorting, pagination, and field selection rules to reduce payload size and improve performance.
Does the API support pagination and field selection?
Yes. List endpoints support limit, page,
offset, sort, fields, and filter.
Can the API be used with Flutter or React Native apps?
Yes. Responses are JSON-based and suitable for Flutter, React Native, Next.js, Vue.js, Angular, and other modern frontend clients.
Does the API work on Odoo.sh and cloud deployments?
Yes. The module is compatible with Odoo.sh, on-premise installations, and cloud-hosted Odoo deployments. HTTPS is recommended for production.
How does rate limiting work in multi-worker deployments?
Two backends are available: Database (the default) stores counters in PostgreSQL and enforces limits across all Odoo workers — effective for multi-worker and Odoo.sh deployments. Memory mode keeps counters per worker and is faster but not shared across processes. For strict global limits at the network edge, a reverse proxy can complement either mode. Per-key usage is tracked in the request log and visible in the Analytics dashboard.
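The difference between the two backends, as an added simulation that is not the module's code. It assumes a fixed one-minute window counter, round-robin dispatch of one key's requests across four workers, and an X-RateLimit-Reset value in epoch seconds; the page specifies none of these.

```python
class FixedWindowLimiter:
    """Per-key counter over fixed windows (assumed algorithm, see lead-in)."""

    def __init__(self, limit, window=60):
        self.limit, self.window = limit, window
        self.counts = {}  # (api_key, window_start) -> requests admitted

    def check(self, api_key, now):
        start = int(now // self.window) * self.window
        used = self.counts.get((api_key, start), 0)
        allowed = used < self.limit
        if allowed:
            used += 1
            self.counts[(api_key, start)] = used
        headers = {
            "X-RateLimit-Limit": str(self.limit),
            "X-RateLimit-Remaining": str(self.limit - used),
            "X-RateLimit-Reset": str(start + self.window),  # assumed: epoch seconds
        }
        return (200 if allowed else 429), headers


def simulate(mode, workers=4, limit=60, requests=300, t0=1_700_000_040):
    """Send `requests` calls for one key, round-robin, inside a single window.

    "database": every worker consults the same counter store.
    "memory":   each worker keeps a private counter.
    """
    if mode == "database":
        shared = FixedWindowLimiter(limit)
        limiters = [shared] * workers
    else:
        limiters = [FixedWindowLimiter(limit) for _ in range(workers)]
    accepted = 0
    probe = None
    for i in range(requests):
        # t0 is a window boundary; 300 calls at 0.1 s spacing span 30 s.
        status, headers = limiters[i % workers].check("key-A", t0 + i * 0.1)
        accepted += status == 200
        if i == limit:  # first request beyond the configured per-minute budget
            probe = (status, headers["X-RateLimit-Remaining"])
    return {"accepted": accepted, "rejected": requests - accepted, "probe": probe}


if __name__ == "__main__":
    for mode in ("database", "memory"):
        print(mode, simulate(mode))
```

With per-worker counters the effective ceiling becomes the limit multiplied by the worker count, and the 61st request still gets a 200 with a non-zero X-RateLimit-Remaining, so a per-key limit meant as an abuse control should be sized or placed with that in mind.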
Change Log
Version-by-version record of new features, improvements, and fixes.
New
- Record copy endpoint — POST /api/v1/<model>/<id>/copy with optional field overrides
- Multi-company context — send X-Company-Id header to scope any request to a specific company
- Response language — send Accept-Language or ?lang= to receive translated field values
- Webhook signing secret rotation button in the admin form
Improved
- X-Request-ID header on every response — auto-generated if not supplied by the client, stored in the request log
- Rate limit headers (X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset) on every response, not just 429
- CORS Access-Control-Expose-Headers added so browsers can read tracing and rate limit headers
- Pagination accepts page and offset as canonical names; page_number and skip remain as aliases
Fixed
- API key, OAuth client, and webhook counter updates are now atomic SQL increments — no race conditions under concurrent load
- Log cleanup and analytics recompute now use direct SQL — no OOM risk on large log tables
- Request log indexes added on user_id and model_name columns
New
- Admin token management REST API for keys, OAuth clients, and tokens
- Field-level access rules — allowlist and blocklist per API key or OAuth client
- Custom endpoints configurable via admin search or server action
- Idempotency key support for safe retries on create and update requests
Improved
- Request payload and response summary now captured in audit logs
- Analytics dashboard shows traffic broken down by endpoint and API key
- Dynamic OpenAPI spec generates concrete model paths from live configuration
- Webhook management fully accessible via REST API (CRUD and test)
Fixed
- Rate limit counter correctly shared across all Odoo workers in database mode
- Clear Key button now removes the token from the database without a page reload
- SDK downloads include correct base URL for Odoo.sh and multi-domain setups
New
- Delta change feed endpoint (/changes?since=) for incremental sync
- Upsert endpoint (/upsert) for create-or-update by external ID
- Atomic batch operations with PostgreSQL savepoint rollback
- Downloadable SDK files for JavaScript, Python, and PHP
Improved
- Nested relational expansion now supports up to 4 levels deep
- Each expanded relational field accepts its own filter, sort, and pagination rules
- Postman collection download reflects the full live API configuration
Fixed
- Batch partial mode correctly returns per-record errors without aborting the full batch
- Archive and restore endpoints now respect per-model domain restrictions
New
- OAuth2 client credentials flow for machine-to-machine integrations
- Outbound webhook delivery with HMAC-SHA256 signing and retry queue
- Per-key usage analytics dashboard with bar graphs and pivot tables
- Configurable log retention and one-action log clear for administrators
Improved
- API key form shows the generated token once with a copy widget and a Clear Key action
- Per-key model scope now supports independent CRUD toggles and domain restrictions
- Rate limiting backend configurable between Database and Memory modes
Fixed
- CORS preflight requests handled correctly for browser-based clients
- Request log captures IP address reliably behind reverse proxies
Initial release for Odoo 19
- Versioned REST routes at /api/v1/<model> for all allowed models
- Session login, bearer API key, and Basic auth support
- CRUD endpoints with pagination, sorting, field selection, filter, and relational expansion
- Model allow-list, CRUD toggles, domain restrictions, and CORS configuration from the Odoo backend
- Swagger UI at /api/docs and OpenAPI 3.0 JSON at /api/swagger.json
- Request audit log with method, path, user, IP, origin, API key, status, and duration
- Report rendering, attachment upload and download, and allow-listed model method calls
Atliis REST API Toolkit
Atliis REST API Toolkit adds secure, versioned REST endpoints to Odoo 19 so implementation teams can connect mobile apps, portals, dashboards, middleware, and AI services without building custom controllers for each model.
What is included
- Versioned CRUD endpoints under /api/v1.
- Session-cookie authentication using Odoo users.
- Bearer API keys generated and revoked from the API.
- Per-key model scopes, operation permissions, domain filters, and rate limits.
- Allow-list configuration for exposed Odoo models.
- Caller origin restrictions and CORS preflight support.
- Field metadata endpoint for dynamic clients.
- Pagination, sorting, field selection, domain filtering, count endpoints, batch operations, and relational expansion.
- User profile endpoints for authenticated users.
- API request logs, usage dashboard views, optional success-only/error-only logging, and automatic cleanup.
- Queued webhook subscriptions for create, update, delete, and restore events.
- Postman collection and JavaScript, Python, and Flutter snippets in static/description.
- Interactive Swagger/OpenAPI documentation at /api/docs.
Typical use cases
- Build Flutter, React Native, or web frontends on top of Odoo data.
- Connect external portals to sales, CRM, inventory, helpdesk, or custom models.
- Synchronize Odoo with middleware, ETL jobs, reporting systems, or SaaS tools.
- Give integration teams a consistent JSON API instead of XML-RPC.
Configuration
- Install the module.
- Open the REST API settings menu.
- Add only the Odoo models that should be exposed.
- Configure allowed origins if browser-based clients will call the API directly.
- Optionally create scoped API keys for each integration.
- Optionally add webhooks for outbound create/update/delete/restore events.
- For high-volume APIs, disable successful-request logging or set clients to omit total counts when they do not need them.
- Confirm the target users have the right Odoo access rights and record rules.
- Use /api/docs to test authentication and endpoint behavior.
Security notes
The API respects standard Odoo access rights and record rules. Model exposure is controlled by an allow-list, so administrators can choose exactly which models are available through the REST API. HTTPS is recommended for every production deployment.
Support
For support requests, use the support channel linked from your Odoo Apps purchase or contact helpdesk@atliis.com.
Odoo Proprietary License v1.0

This software and associated files (the "Software") may only be used (executed, modified, executed after modifications) if you have purchased a valid license from the authors, typically via Odoo Apps, or if you have received a written agreement from the authors of the Software (see the COPYRIGHT file).

You may develop Odoo modules that use the Software as a library (typically by depending on it, importing it and using its resources), but without copying any source code or material from the Software. You may distribute those modules under the license of your choice, provided that this license is compatible with the terms of the Odoo Proprietary License (For example: LGPL, MIT, or proprietary licenses similar to this one).

It is forbidden to publish, distribute, sublicense, or sell copies of the Software or modified copies of the Software.

The above copyright notice and this permission notice must be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.