| Technical Name |
jwt_auth_api
|
| License | OPL-1 |
Odoo JWT Authentication & API Controllers
Secure REST API authentication with Access & Refresh Tokens
This module provides a complete
JWT (JSON Web Token)
authentication
solution for Odoo REST APIs.
It supports secure login, access token refresh, refresh token rotation,
logout (token revoke), and a powerful generic CRUD API protected by JWT.
Key Features
- JWT-based authentication for Odoo APIs
- Login using username & password
- Access token refresh using refresh token
- Refresh token rotation for enhanced security
- Logout / revoke refresh token
- Browser support with HttpOnly cookie
- Generic CRUD API for any Odoo model
Authentication Header
All protected endpoints require the access token in the Authorization header.
Headers:
{
"Content-Type": "application/json",
"Authorization": "Bearer <ACCESS_TOKEN>"
}
1. Login (Password Authentication)
POST /api/login
(auth: none)
Request:
{
"login": "admin",
"password": "admin"
}
Response (Browser):
{
"token": "ACCESS_TOKEN",
"user_id": 2,
"refreshToken": "REFRESH_TOKEN",
}
Response (Mobile/App):
{
"token": "ACCESS_TOKEN",
"refreshToken": "REFRESH_TOKEN",
"user_id": 2
}
2. Refresh Access Token
POST /api/update/access-token
Request:
{
"user_id": 2
}
Response:
{
"access_token": "NEW_ACCESS_TOKEN"
}
3. Rotate Refresh Token
POST /api/update/refresh-token
(auth: jwt)
Response (Browser):
{
"status": "done",
"refreshToken": 1
}
Response (Mobile/App):
{
"status": "done",
"refreshToken": "NEW_REFRESH_TOKEN"
}
4. Logout / Revoke Token
POST /api/revoke/token
(auth: jwt)
Response:
{
"status": "success",
"logged_out": 1
}
Generic CRUD API (JWT Protected)
This module includes a
generic API endpoint
that can read, create, update, and delete records
from any Odoo model, based on configuration rules (
connection.api
).
Access to this endpoint is protected by
JWT authentication
.
Endpoint
/api/send_request
(auth:
jwt
) - supports
GET
,
POST
,
PUT
,
DELETE
How it works (high-level)
-
Model validation:
reads
?model=and verifies the model exists inir.model. -
Permission by configuration:
checks
connection.apisettings for the model (allowed methods: GET/POST/PUT/DELETE). -
Execute operation:
performs search/read, create, write, or unlink with
sudo(). - Flexible response: supports field selection, domain filtering, pagination, and relation expansion.
Supported methods
- GET - List records or fetch a single record by ID
- POST - Create a new record
- PUT - Update an existing record by ID
- DELETE - Delete a record by ID
GET request (Query Parameters)
-
model(required): Odoo model technical name (example:res.partner) -
id(optional): record ID to fetch a single resource -
fields(required): JSON list of fields to return (example:["name","email"]) -
domain(optional): Odoo domain in string format (example:[["active","=",true]]) -
expand(optional): relation expansion map (example:{"child_ids":["name"]}) -
offset(optional): page number (default: 1) -
limit(optional): page size (default: 20)
Example (GET list):
/api/send_request?model=res.partner&fields=["name","email"]&domain=[["active","=",true]]&offset=1&limit=20
Example (GET by id):
/api/send_request?model=res.partner&id=10&fields=["name","email"]
Example (GET with expand):
/api/send_request?model=res.partner&fields=["id","name", "company_id"]&expand={"bank_ids":["acc_number","email"]}
POST / PUT request (Body JSON)
For create/update, send JSON body with:
values
(data to write),
optional
fields
(fields to return),
optional
expand
(relations to expand).
Example (POST create):
POST /api/send_request?model=res.partner
{
"values": {
"name": "Test Partner",
"email": "[email protected]"
},
}
Example (PUT update):
PUT /api/send_request?model=res.partner&id=10
{
"values": {
"email": "[email protected]"
},
}
DELETE request
DELETE /api/send_request?model=res.partner&id=10
Response:
{
"deleted_id": 10
}
Important Notes
-
JWT required:
All calls to
/api/send_requestrequire a valid access token. -
Per-model method control:
Allowed HTTP methods are controlled by
connection.apisettings. -
Pagination:
uses
offset(page) andlimit(page size). - Expand: can load related records (many2one/one2many/many2many) with selected fields.
-
Security consideration:
This endpoint uses
sudo(). It is recommended to strictly control which models and methods are enabled through configuration and access rules.
Security Notes
- HTTPS is strongly recommended
- Refresh token is stored as HttpOnly cookie for browsers
- Refresh token rotation reduces token theft risk
- Access token must be sent with Bearer prefix
Odoo Proprietary License v1.0 This software and associated files (the "Software") may only be used (executed, modified, executed after modifications) if you have purchased a valid license from the authors, typically via Odoo Apps, or if you have received a written agreement from the authors of the Software (see the COPYRIGHT file). You may develop Odoo modules that use the Software as a library (typically by depending on it, importing it and using its resources), but without copying any source code or material from the Software. You may distribute those modules under the license of your choice, provided that this license is compatible with the terms of the Odoo Proprietary License (For example: LGPL, MIT, or proprietary licenses similar to this one). It is forbidden to publish, distribute, sublicense, or sell copies of the Software or modified copies of the Software. The above copyright notice and this permission notice must be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.