REST · JSON · JWT

Connect your product to Odoo with CTIT Gateway

Start in Odoo: create an Application, set scopes, then use the credentials to call the APIs. Trial host: https://api.ctit.com.sa

Step 1Create Application
Step 2Scopes & fields
Step 3Copy credentials
Step 4Login & call APIs
1
Applicationcreate in Odoo
2
Scopesmodels & fields
3
Credentialsclient_id / secret
4
Call APIslogin → data
01

What is the API Gateway?

A secure REST layer in front of Odoo. Mobile apps, websites, partner portals, and backend services connect via HTTPS JSON and JWT — never directly to the database.

Important order
Integration always starts inside Odoo: create an Application, configure scopes, then share credentials. Without an Application, login returns invalid_client.

What we validate

  • Application credentials
  • User identity (JWT)
  • Scopes (models / fields)
  • Rate limits & audit

Who it’s for

Odoo admins (setup) and integrators building any client: mobile, web, or partner systems.

02

Trial server

Base URL

https://api.ctit.com.sa

Odoo UI: https://api.ctit.com.sa/web/login
API login: POST /api/v1/auth/login

Access
Ask CTIT for an Odoo user with API Gateway Manager rights to create Applications and test.
03

Odoo setup — create an Application

Do this first in Odoo before any client coding.

1
Install module api_gateway_rest if needed.
2
Open API Gateway → Applications.
3
Click New and set a clear name (e.g. Mobile App).
4
Keep Active = ON. Optionally set Rate Policy and CORS.
5
Save — Odoo auto-generates client_id, client_secret, and JWT secret.

Credentials tab

FieldWhat to do
client_idCopy — public app ID
client_secretCopy securely — used only at login
access_token_ttl_minutesDefault 15
refresh_token_ttl_daysDefault 14
04

Scopes & fields

Without scopes the app can login, but data APIs return permission errors.

1
Open Application → Scopes & Permissions → Add.
2
Choose model (e.g. res.partner).
3
Enable Read / Create / Write / Delete / Call as needed.
4
Select allowed read and write fields.
5
Set max limit per request and optional domain filter.
05

Extra settings

Custom Calls

Register method slugs for /call/{slug}.

App Screens & Users

Map screen keys to users for menu-access.

Blocked Users

Blocked users cannot login or call this app.

Audit Logs

API Gateway → Audit Logs for debugging.

06

Share with the integrator

ItemNotes
base_urlhttps://api.ctit.com.sa
client_idFrom Credentials tab
client_secretSecret — share privately
User login + passwordActive Odoo user
07

Integration flow

Odoo: Create Application + Scopes → share client_id / client_secret / user → POST /api/v1/auth/login → access_token + refresh_token → /api/v1/info/* & /api/v1/data/* with Authorization: Bearer … + X-Client-Id
08

Authenticate

Login

POSThttps://api.ctit.com.sa/api/v1/auth/login
REQUESTJSON
{
  "client_id": "YOUR_CLIENT_ID",
  "client_secret": "YOUR_CLIENT_SECRET",
  "login": "user@company.com",
  "password": "******"
}
Persist
access_token · refresh_token · expires_in · user.id

Refresh

POST/api/v1/auth/refresh
REQUESTJSON
{
  "client_id": "YOUR_CLIENT_ID",
  "refresh_token": "CURRENT_REFRESH_TOKEN"
}

Revoke (logout)

POST/api/v1/auth/revoke
09

Request headers

HeaderValue
AuthorizationBearer
X-Client-Id
Content-Typeapplication/json
10

Discover permissions

GET/api/v1/info/models
GET/api/v1/info/models/{model}/fields
GET/api/v1/info/methods
Rule
Only write fields listed in write_fields.
11

Read & write data

Base path: /api/v1/data/{model}

GET/api/v1/data/res.partner?limit=20&lang=ar
POST/api/v1/data/res.partner
CREATEJSON
{
  "values": {
    "name": "New Customer",
    "email": "new@example.com"
  }
}
PATCH/api/v1/data/res.partner/55
DELETE/api/v1/data/res.partner/55
POST/api/v1/data/{model}/{id}/call/{slug}
12

Endpoint reference

MethodPathPurpose
POST/api/v1/auth/loginLogin
POST/api/v1/auth/refreshRefresh
POST/api/v1/auth/revokeRevoke
GET/api/v1/info/modelsModels
GET/api/v1/info/models/{model}/fieldsFields
GET/api/v1/data/{model}List
GET/api/v1/data/{model}/{id}Read
POST/api/v1/data/{model}Create
PATCH/api/v1/data/{model}/{id}Update
DELETE/api/v1/data/{model}/{id}Delete
13

Go-live checklist

  • Created Application in Odoo
  • Configured scopes (model + fields + operations)
  • Shared base_url, client_id, client_secret
  • Login returns tokens + user
  • Protected calls send Authorization + X-Client-Id
  • 401 triggers refresh + single retry

Need access?

Contact CTIT for trial credentials on api.ctit.com.sa

Contact us