Skip to Content

JWT Auth API for Odoo

by
Odoo

49.92

v 19.0 Third Party
Availability
Odoo Online
Odoo.sh
On Premise
Lines of code 634
Technical Name jwt_auth_api
LicenseAGPL-3
You bought this module and need support? Click here!
Availability
Odoo Online
Odoo.sh
On Premise
Lines of code 634
Technical Name jwt_auth_api
LicenseAGPL-3

Odoo JWT Authentication & API Controllers

Secure REST API authentication with Access & Refresh Tokens

This module provides a complete JWT (JSON Web Token) authentication solution for Odoo REST APIs.

It supports secure login, access token refresh, refresh token rotation, logout (token revoke), and a powerful generic CRUD API protected by JWT.

Key Features

  • JWT-based authentication for Odoo APIs
  • Login using username & password
  • Access token refresh using refresh token
  • Refresh token rotation for enhanced security
  • Logout / revoke refresh token
  • Browser support with HttpOnly cookie
  • Generic CRUD API for any Odoo model

Authentication Header

All protected endpoints require the access token in the Authorization header. 

Headers:
{
  "Content-Type": "application/json",
  "Authorization": "Bearer <ACCESS_TOKEN>"
}

1. Login (Password Authentication)

POST /api/login (auth: none)

Request:
{
  "login": "admin",
  "password": "admin"
}

Response (Browser):
{
  "token": "ACCESS_TOKEN",
  "user_id": 2,
  "refreshToken": "REFRESH_TOKEN",
}

Response (Mobile/App):
{
  "token": "ACCESS_TOKEN",
  "refreshToken": "REFRESH_TOKEN",
  "user_id": 2
}

2. Refresh Access Token

POST /api/update/access-token

Request:
{
  "user_id": 2
}

Response:
{
  "access_token": "NEW_ACCESS_TOKEN"
}

3. Rotate Refresh Token

POST /api/update/refresh-token (auth: jwt)

Response (Browser):
{
  "status": "done",
  "refreshToken": 1
}

Response (Mobile/App):
{
  "status": "done",
  "refreshToken": "NEW_REFRESH_TOKEN"
}

4. Logout / Revoke Token

POST /api/revoke/token (auth: jwt)

Response:
{
  "status": "success",
  "logged_out": 1
}

Generic CRUD API (JWT Protected)

This module includes a generic API endpoint that can read, create, update, and delete records from any Odoo model, based on configuration rules (connection.api).
Access to this endpoint is protected by JWT authentication.

Endpoint

/api/send_request (auth: jwt) - supports GET, POST, PUT, DELETE

How it works (high-level)

  1. Model validation: reads ?model= and verifies the model exists in ir.model.
  2. Permission by configuration: checks connection.api settings for the model (allowed methods: GET/POST/PUT/DELETE).
  3. Execute operation: performs search/read, create, write, or unlink with sudo().
  4. Flexible response: supports field selection, domain filtering, pagination, and relation expansion.

Supported methods

  • GET - List records or fetch a single record by ID
  • POST - Create a new record
  • PUT - Update an existing record by ID
  • DELETE - Delete a record by ID

GET request (Query Parameters)

  • model (required): Odoo model technical name (example: res.partner)
  • id (optional): record ID to fetch a single resource
  • fields (required): JSON list of fields to return (example: ["name","email"])
  • domain (optional): Odoo domain in string format (example: [["active","=",true]])
  • expand (optional): relation expansion map (example: {"child_ids":["name"]})
  • offset (optional): page number (default: 1)
  • limit (optional): page size (default: 20)
Example (GET list):
/api/send_request?model=res.partner&fields=["name","email"]&domain=[["active","=",true]]&offset=1&limit=20

Example (GET by id):
/api/send_request?model=res.partner&id=10&fields=["name","email"]

Example (GET with expand):
/api/send_request?model=res.partner&fields=["id","name", "company_id"]&expand={"bank_ids":["acc_number","email"]}

POST / PUT request (Body JSON)

For create/update, send JSON body with: values (data to write), optional fields (fields to return), optional expand (relations to expand). 

Example (POST create):
POST /api/send_request?model=res.partner
{
  "values": {
    "name": "Test Partner",
    "email": "test@example.com"
  },
}

Example (PUT update):
PUT /api/send_request?model=res.partner&id=10
{
  "values": {
    "email": "new@example.com"
  },
}

DELETE request

DELETE /api/send_request?model=res.partner&id=10

Response:
{
  "deleted_id": 10
}

Important Notes

  • JWT required: All calls to /api/send_request require a valid access token.
  • Per-model method control: Allowed HTTP methods are controlled by connection.api settings.
  • Pagination: uses offset (page) and limit (page size).
  • Expand: can load related records (many2one/one2many/many2many) with selected fields.
  • Security consideration: This endpoint uses sudo(). It is recommended to strictly control which models and methods are enabled through configuration and access rules.

Security Notes

  • HTTPS is strongly recommended
  • Refresh token is stored as HttpOnly cookie for browsers
  • Refresh token rotation reduces token theft risk
  • Access token must be sent with Bearer prefix

Please log in to comment on this module

  • The author can leave a single reply to each comment.
  • This section is meant to ask simple questions or leave a rating. Every report of a problem experienced while using the module should be addressed to the author directly (refer to the following point).
  • If you want to start a discussion with the author or have a question related to your purchase, please use the support page.