Skip to Content

API Builder Studio (No-Code)

by
Odoo

698.99

v 19.0 Third Party
Availability
Odoo Online
Odoo.sh
On Premise
Lines of code 3159
Technical Name odoo_api_builder_studio
LicenseOPL-1
Websitehttp://auraodoo.tech/
You bought this module and need support? Click here!
Availability
Odoo Online
Odoo.sh
On Premise
Lines of code 3159
Technical Name odoo_api_builder_studio
LicenseOPL-1
Websitehttp://auraodoo.tech/

API Builder Studio

No-Code REST API Builder for Odoo 19

Create production-ready REST APIs without writing Python code. Select any model, choose fields, set filters, and generate endpoints instantly.

Table of Contents

Overview

API Builder Studio is a no-code REST API builder that transforms any Odoo model into a production-ready REST endpoint. Admins can configure endpoints through an intuitive web interface without touching Python code.

Perfect for SaaS companies, mobile app backends, headless e-commerce platforms, and integration partners who need rapid API deployment.

Key Features

No-Code Endpoint Creation

Select any Odoo model, choose exposed fields, add domain filters, and generate live REST endpoints instantly without coding.

Visual Field Selector

Powerful field picker supporting nested relationships, many2many, one2many, and many2one fields with customizable depth.

Dynamic Route Resolver

Automatic URL pattern generation: /api/v1/custom/<endpoint> with support for pagination, filtering, sorting, and searching.

Full CRUD Operations

GET (paginated, sorted, filtered), POST (create), PUT (update), DELETE (delete) - all configurable per endpoint.

Bearer Token + API Key Auth

Support for both HTTP Bearer tokens and X-API-Key header authentication. Login and registration endpoints included.

Rate Limiting Engine

Per-minute and per-hour rate limits enforced at the token and endpoint level with automatic reset.

IP Restriction & Multi-Company

Whitelist allowed IPs per token. Enforce company isolation to prevent cross-company data access.

Auto-Generated Swagger Docs

OpenAPI 3.0 spec dynamically generated from endpoint configurations. Interactive Swagger UI at /api/studio/docs.

Request/Response Logging

Comprehensive audit trail with status codes, response times, IP addresses, user info, and error messages.

Analytics Dashboard

OWL 2 dashboard with API usage statistics, endpoint performance, and request trends.

Domain Filter Builder

Visual domain filter editor to restrict which records each endpoint can access.

Dynamic JSON Serializer

Automatic serialization of relational and computed fields with configurable relation depth.

Cron-Based Log Cleanup

Automatic daily cleanup of old request logs with configurable retention period.

CORS Support

Cross-Origin Resource Sharing enabled for all API endpoints. OPTIONS preflight requests handled automatically.

Core Components

Models

  • api.endpoint: Stores REST endpoint configurations (model, fields, domain, security rules)
  • api.endpoint.field: Tracks which fields are exposed per endpoint with permissions and settings
  • api.access.token: Manages Bearer tokens and API keys with expiration, rate limits, IP restrictions
  • api.request.log: Records all API requests for auditing and analytics

Controllers

  • DynamicApiController: Main router handling all /api/v1/custom/* requests
  • SwaggerController: Generates OpenAPI 3.0 spec and serves Swagger UI
  • AuthController: Handles login, registration, token generation, refresh
  • DashboardController: Provides analytics and usage data

Services

  • SecurityManager: Authentication, rate limiting, IP filtering, request logging
  • DomainParser: Parses Odoo domain expressions for filtered queries
  • Serializer: Converts Odoo records to JSON with relation expansion

REST API Endpoints

Dynamic Model Endpoints

Based on /api/v1/custom/<endpoint_slug>

GET /api/v1/custom/sales-orders

List records with pagination, filtering, sorting

GET /api/v1/custom/sales-orders/42

Retrieve single record by ID

POST /api/v1/custom/sales-orders

Create new record

PUT /api/v1/custom/sales-orders/42

Update existing record

DELETE /api/v1/custom/sales-orders/42

Delete record by ID

Query Parameters

page=1 # Page number for pagination (default: 1) limit=20 # Records per page (capped at max_page_size) search=keyword # Full-text search on searchable fields sort=field_name # Field name to sort by order=asc|desc # Sort direction (default: asc)

Authentication Endpoints

POST /api/studio/auth/login

Authenticate with Odoo credentials and receive Bearer token

POST /api/studio/auth/register

Create new portal user and receive token

POST /api/studio/auth/token

Generate named API token (admin-only)

POST /api/studio/auth/refresh

Regenerate token from current valid token

GET /api/studio/auth/me

Get current user and token information

POST /api/studio/auth/logout

Revoke current token

GET /api/studio/auth/tokens

List all user's tokens

Documentation Endpoints

GET /api/studio/docs

Interactive Swagger UI with all endpoints

GET /api/studio/spec

JSON OpenAPI 3.0 specification

Authentication Schemes

Bearer Token (HTTP)

Send token in Authorization header:

Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

API Key (Header)

Send token in X-API-Key header:

X-API-Key: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

Query Parameter (Limited Use)

Optional token in query string:

GET /api/v1/custom/sales-orders?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

Token Types

  • Bearer: Login tokens with configurable expiration (default: 24 hours)
  • API Key: Long-lived tokens for system integrations (default: 365 days)
  • Login: Auto-generated after registration or login

Security Features

Token Management

  • Tokens stored as SHA-256 hashes (raw value shown only once)
  • Automatic expiration based on configurable expiration_date
  • Token revocation capability with automatic state update
  • Token regeneration creates new hash, invalidating the old one

Rate Limiting

  • Per-minute limits enforced in-memory (configurable per token and endpoint)
  • Per-hour limits with automatic bucket cleanup every 5 minutes
  • Minimum of token limit and endpoint limit applied
  • Returns HTTP 429 when limit exceeded

IP Restrictions

  • Comma-separated IP whitelist per token
  • Comma-separated IP whitelist per endpoint
  • Supports both IPv4 and IPv6 formats
  • Extracts real client IP from X-Forwarded-For header when behind proxy

Company Isolation

  • Tokens scoped to company_id for multi-company environments
  • Endpoints scoped to company_id
  • Returns HTTP 403 if token company does not match endpoint company

Endpoint Scope

  • Tokens can be restricted to specific endpoints via endpoint_ids
  • Empty endpoint_ids = access to all endpoints
  • Returns HTTP 403 if token not allowed for requested endpoint

ORM Execution Context

  • All API operations executed as token user (not admin)
  • Respects user permissions and record-level access rules
  • AccessError returns HTTP 403

CORS Headers

  • All endpoints support CORS preflight (OPTIONS requests)
  • Access-Control-Allow-Origin: *
  • Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
  • Access-Control-Allow-Headers: Content-Type, Authorization, X-API-Key

Usage Guide

Step 1: Create an Endpoint

  1. Go to API Studio > Endpoints
  2. Click Create
  3. Enter endpoint name and route slug (e.g., sales-orders)
  4. Select the Odoo model (e.g., sale.order)
  5. Configure HTTP methods: GET, POST, PUT, DELETE
  6. Set authentication requirement and rate limits
  7. Click Save

Step 2: Select Exposed Fields

  1. In the endpoint form, go to Endpoint Fields tab
  2. Click Load Fields from Model to auto-populate
  3. For each field, configure:
  4. Include in response (GET responses)
  5. Include in create (POST/PUT payloads)
  6. Required (validation on create)
  7. Searchable (for /search queries)
  8. Sortable (for /sort queries)
  9. For relational fields: set depth and sub-field names

Step 3: Configure Domain Filter

  1. In Domain Filter field, enter Odoo domain expression
  2. Example: [('state','=','sale'),('company_id','=',1)]
  3. Applied to all reads from this endpoint
  4. Leave empty for no filtering

Step 4: Generate Tokens

  1. Go to API Studio > Security > API Tokens
  2. Click Create
  3. Enter token label and select user
  4. Configure rate limits and expiration date
  5. Optionally restrict to specific endpoints and IPs
  6. Click Save
  7. Copy the auto-generated token immediately

Step 5: Test the Endpoint

  1. Go to API Studio > Swagger Docs
  2. Find your endpoint in the list
  3. Click Try it out
  4. Paste your token in Authorization header
  5. Click Execute

Step 6: Monitor Requests

  1. Go to API Studio > Monitoring > Request Logs
  2. View all API requests with status, response time, and errors
  3. Filter by endpoint, user, or date
  4. View pivot and graph analytics

API Documentation

Response Format

All responses are JSON with consistent structure:

{ "success": true, "data": {...}, "count": 10, "total": 100, "page": 1, "limit": 10, "pages": 10 }

Error Format

{ "error": true, "message": "Record not found", "status": 404, "code": "NOT_FOUND" }

HTTP Status Codes

  • 200: Success (GET, PUT, DELETE)
  • 201: Created (POST)
  • 400: Bad request or validation error
  • 401: Authentication required or invalid token
  • 403: Forbidden (access denied, no scope, IP blocked)
  • 404: Resource not found
  • 409: Conflict (duplicate user during registration)
  • 429: Rate limit exceeded
  • 500: Internal server error

Demo Data & Testing

The module includes demo data with test users and tokens for immediate testing.

Portal User

Email: api_demo@example.com

Password: api_demo_2026

Token (Bearer): See API Tokens in UI

Admin User

Email: api_admin@example.com

Password: api_admin_2026

Permissions: Can create named tokens and admin endpoints

Testing with cURL

# Login curl -X POST http://localhost:8019/api/studio/auth/login \ -H "Content-Type: application/json" \ -d '{"login":"api_admin@example.com","password":"api_admin_2026"}' # Get Records curl -X GET "http://localhost:8019/api/v1/custom/sale-orders" \ -H "Authorization: Bearer YOUR_TOKEN" # Create Record curl -X POST http://localhost:8019/api/v1/custom/sale-orders \ -H "Authorization: Bearer YOUR_TOKEN" \ -H "Content-Type: application/json" \ -d '{"partner_id":1,"amount_total":1000.00}'

Technical Details

Dependencies

  • Odoo 19.0
  • Python 3.8+
  • No external Python packages required

Database Models

  • api.endpoint: Stores endpoint configurations
  • api.endpoint.field: Links fields to endpoints
  • api.access.token: Stores hashed tokens and metadata
  • api.request.log: Stores request audit trail

Security Considerations

  • Tokens stored as SHA-256 hashes, never in plaintext
  • All operations run as token user, respecting Odoo ACLs
  • Rates limits enforced in-memory with periodic cleanup
  • Request logging captures IPs for abuse tracking
  • HTTPS strongly recommended in production

Performance Characteristics

  • GET requests: Sub-100ms for typical models with pagination
  • Rate limiting: O(1) bucketing with lazy cleanup
  • Token validation: Hash lookup, no database hit after first request
  • Relation expansion: Configurable depth to control serialization
  • Log cleanup: Nightly cron removes logs older than 90 days

Supported Field Types

  • Char, Text, HTML, Selection
  • Date, Datetime
  • Integer, Float, Monetary
  • Boolean
  • Binary
  • Many2one, One2many, Many2many (with relation expansion)

Unsupported Features

  • Transient models (excluded from UI)
  • Computed fields (read-only, can be exposed)
  • Related fields (derived from relations)
alt alt
Support

For issues, feature requests, or documentation updates, please contact the development team.

License

OPL-1 (Odoo Proprietary License). All rights reserved.

API Builder Studio for Odoo 19 - Version 1.0.0

Developed by Aura Odoo Tech - auraodoo.tech

Odoo Proprietary License v1.0

This software and associated files (the "Software") may only be used (executed,
modified, executed after modifications) if you have purchased a valid license
from the authors, typically via Odoo Apps, or if you have received a written
agreement from the authors of the Software (see the COPYRIGHT file).

You may develop Odoo modules that use the Software as a library (typically
by depending on it, importing it and using its resources), but without copying
any source code or material from the Software. You may distribute those
modules under the license of your choice, provided that this license is
compatible with the terms of the Odoo Proprietary License (For example:
LGPL, MIT, or proprietary licenses similar to this one).

It is forbidden to publish, distribute, sublicense, or sell copies of the Software
or modified copies of the Software.

The above copyright notice and this permission notice must be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
DEALINGS IN THE SOFTWARE.

Please log in to comment on this module

  • The author can leave a single reply to each comment.
  • This section is meant to ask simple questions or leave a rating. Every report of a problem experienced while using the module should be addressed to the author directly (refer to the following point).
  • If you want to start a discussion with the author or have a question related to your purchase, please use the support page.