How to Handle JSON-RPC and REST APIs in Odoo


✅ Overview

Odoo supports two major API paradigms for integration:


| Type | Interface | Use Case |
|---|---|---|
| JSON-RPC | Built-in via /jsonrpc endpoint | Used by Odoo web client & XML-RPC compatible systems |
| REST API | Custom-developed via @http.route | Used in external integrations like mobile apps, ERP links, etc. |



1. JSON-RPC: Native Odoo Interface


📌 Used Internally by Odoo Web Client

Endpoint:

https://<domain>/jsonrpc


Python Example (Login & Create Partner)

import requests

url = 'https://your-domain.com/jsonrpc'

payload = {
    "jsonrpc": "2.0",
    "method": "call",
    "params": {
        "service": "object",
        "method": "execute_kw",
        "args": [
            'your_db',        # DB
            2,                # UID of the authenticated user
            'your_api_key',   # Password/API key
            'res.partner',    # Model
            'create',         # Method
            [{
                'name': 'New Partner JSON-RPC',
                'email': 'test@example.com'
            }]
        ]
    },
    "id": 1,
}

# json= serializes the payload and sets the Content-Type header;
# the timeout keeps the script from hanging on an unresponsive server.
res = requests.post(url, json=payload, timeout=10)
res.raise_for_status()

# Odoo reports RPC failures inside the body under an "error" key,
# so inspect the parsed JSON rather than relying on the HTTP status.
print(res.json())



✅ Key Points:

  • Requires DB, UID, and password/session.
  • Works with any Odoo model/method.
  • Structured for automation scripts.
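The script above hardcodes the UID and prints whatever comes back. As an added example (not code from the original page), the client below performs the login call first and raises on JSON-RPC errors, which Odoo returns inside an HTTP 200 reply. The helper names and environment variable names are assumptions, and it uses the standard library rather than requests.

```python
import json
import os
import urllib.request


class OdooRPCError(Exception):
    """Odoo answered, but the JSON-RPC body reports a failure."""


def build_call(service, method, args, request_id=1):
    """Wrap a service call in the envelope the /jsonrpc endpoint expects."""
    return {"jsonrpc": "2.0", "method": "call", "id": request_id,
            "params": {"service": service, "method": method, "args": list(args)}}


def unwrap(body):
    """Return the result, or raise: Odoo sends errors inside an HTTP 200 reply."""
    err = body.get("error")
    if err:
        raise OdooRPCError((err.get("data") or {}).get("message") or err.get("message"))
    return body.get("result")


def http_post(url, payload):
    """Default transport: certificate checks stay on and the call cannot hang."""
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def login(url, db, user, secret, post=http_post):
    """Trade login + password/API key for a UID; Odoo returns False on failure."""
    uid = unwrap(post(url, build_call("common", "authenticate", [db, user, secret, {}])))
    if not uid:
        raise OdooRPCError("authentication failed")
    return uid


def create_partner(url, db, uid, secret, values, post=http_post):
    """Run res.partner.create through execute_kw; returns the new record id."""
    args = [db, uid, secret, "res.partner", "create", [values]]
    return unwrap(post(url, build_call("object", "execute_kw", args)))


if __name__ == "__main__":
    e = os.environ  # assumed variable names; the API key stays out of the source
    uid = login(e["ODOO_URL"], e["ODOO_DB"], e["ODOO_USER"], e["ODOO_API_KEY"])
    print(create_partner(e["ODOO_URL"], e["ODOO_DB"], uid, e["ODOO_API_KEY"],
                         {"name": "New Partner JSON-RPC", "email": "test@example.com"}))
```

The `post` parameter lets the same functions run against a stub transport in tests, so no credentials or network access are needed to check the error handling.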



2. REST API: Custom Implementation with @http.route

Odoo does not natively provide a REST API, but you can define your own endpoints with the http.Controller class.


Example: Create Partner via REST API


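from odoo import http
from odoo.http import request


class PartnerAPI(http.Controller):

    # type='json' routes take their arguments from the "params" key of the request body
    @http.route('/api/partner/create', type='json', auth='user', methods=['POST'], csrf=False)
    def create_partner(self, **kwargs):
        data = kwargs.get('data')
        if not data:
            return {"error": "Missing data"}

        # auth='user' binds request.env to the logged-in user, so create() runs
        # with that user's access rights. sudo() is not needed here and would
        # bypass those checks.
        partner = request.env['res.partner'].create({
            'name': data.get('name'),
            'email': data.get('email')
        })
        return {"success": True, "id": partner.id}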


🔑 Access via POST Request

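curl -X POST https://your-domain.com/api/partner/create \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer <access_token>" \
  -d '{"jsonrpc": "2.0", "params": {"data": {"name": "Darshan", "email": "darshan@example.com"}}}'

Because the route is type='json', Odoo passes the contents of the "params" key to the controller, so the data object must be nested inside it. With auth='user' the request is authenticated from the Odoo session cookie, so the Authorization header above only takes effect if your module adds its own token validation.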


🔐 Security Tips for Both Approaches


| Technique | Recommendation |
|---|---|
| Authentication | Use API tokens or OAuth2 |
| Access control | Use sudo() only when necessary |
| CSRF protection | Set csrf=False for external access |
| Rate limiting/logging | Handle via Nginx/Cloudflare/3rd-party tools |



✅ Summary Table


| Feature | JSON-RPC | REST (Custom via @http.route) |
|---|---|---|
| Native in Odoo | ✅ Yes | ❌ No (requires custom controller) |
| Structured Calls | ✅ Yes | ✅ Yes |
| Flexibility | ❌ Limited to execute_kw | ✅ Full control over input/output |
| Use Case | Internal Odoo clients, scripts | Mobile apps, third-party integration |
| Authentication | Login + password/API key | Token or session-based |

✅ Best Practices

  • For lightweight automation, use JSON-RPC.
  • For mobile or modern web integration, use custom REST APIs.
  • Always restrict public routes using auth='user' or custom tokens.