Odoo API Access Explained: RPC Protocols and the Pain of Non-Standard Authentication

But if you’re trying to integrate with Odoo, you’ll quickly realize: it doesn’t work like most modern SaaS tools and can be quiet frustrating.

• No REST API.
• No token-based authentication.
• Just RPC protocols and manual credential juggling.

In this guide, we’ll walk you through how to connect to Odoo the right way:

• What protocols you can use (and which one we recommend)
• How authentication works (it’s not tokens)
• The most common pitfalls to avoid

Whether you’re integrating directly or just evaluating what’s involved to integrate Odoo in your SAAS product, this post is for you:

No REST API — Just RPC Protocols

First of all, Odoo doesn’t expose a REST API. Instead, it offers two older protocols:

• XML-RPC, which is more commonly documented, but verbose and outdated.
• JSON-RPC, which is more readable and modern in structure, but has less documentation and more quirks.
  

We recommend using JSON-RPC. It’s easier to work with long-term and fits more naturally into modern environments. That said, expect some trial-and-error, especially when dealing with filtering, pagination, or model-specific behavior.

(We will provide in depth reviews of these topics in follow up Blogs)

Here’s a basic example of how to retrieve contact records using search_read on the res.partner model:

await session.post('/jsonrpc', {

jsonrpc: '2.0',

method: 'call',

id: new Date().getTime(),

params: {

service: 'object',

method: 'execute_kw',

args: [

databaseName,

uid,

password,

'res.partner',

'search_read',

[domain],    // your filters

pagination,  // e.g. { offset: 0, limit: 50 }

],

},

});

No Token Authentication

Unlike most APIs today, Odoo doesn’t use OAuth2, API keys, or any kind of token-based system.

Instead, you authenticate by passing:

• The database name
• A username
• A password
  

How to deal with it?

To keep things clean and reduce duplication, it helps to:

• Write a small helper or wrapper function that handles the login flow and returns the uid
• Centralize where and how you pass auth values into your RPC calls
• Avoid hardcoding model names or endpoints wherever possible

This won’t eliminate the quirks, but it’ll reduce friction and make it easier to debug issues later.

Common Pitfalls to Watch Out For in the Odoo API:

No sessions to manage

You don’t need to store or refresh sessions. Just reuse the same credentials and uid in every call.

RPC calls are hard to test manually

Tools like Postman or browser-based clients aren’t helpful here. You’ll likely need to script your own requests or build lightweight internal tools to test specific RPC methods.

Error handling can be misleading

If something goes wrong —for example, invalid credentials — Odoo might still return a 200 OK with an empty or generic response. This makes debugging harder unless you log responses and test for edge cases intentionally.

How We Tackled This at Maesn?

These challenges weren’t theoretical for us, they were real blockers while building our Odoo integration.

To reduce time-to-integration and eliminate unnecessary frustration for our users, we built a robust abstraction layer that takes care of all the topics above and more:

That includes:

• Wrapping the RPC protocol in clean, REST-style endpoints
• Introducing token-based authentication that integrates into modern workflows
• Handling authentication cleanly and abstracting quirks behind the scenes, including model-specific logics like Odoo’s unusual contact structure, which we’ll explore in a follow-up post
• Providing consistent error feedback and query parameters you’d expect (e.g. ?limit=50&offset=100)

The result: what used to take weeks or more to integrate can now go live in a day.

📄 View the Technical Docs

➡️ Explore the Odoo Integration