What is the API Gateway?
A secure REST layer in front of Odoo. Mobile apps, websites, partner portals, and backend services connect via HTTPS JSON and JWT — never directly to the database.
What we validate
- Application credentials
- User identity (JWT)
- Scopes (models / fields)
- Rate limits & audit
Who it’s for
Odoo admins (setup) and integrators building any client: mobile, web, or partner systems.
Trial server
Base URL
https://api.ctit.com.sa
Odoo UI:
https://api.ctit.com.sa/web/login
API login:
POST /api/v1/auth/login
Odoo setup — create an Application
Do this first in Odoo before any client coding.
Credentials tab
| Field | What to do |
|---|---|
| client_id | Copy — public app ID |
| client_secret | Copy securely — used only at login |
| access_token_ttl_minutes | Default 15 |
| refresh_token_ttl_days | Default 14 |
Scopes & fields
Without scopes the app can login, but data APIs return permission errors.
Extra settings
Custom Calls
Register method slugs for /call/{slug}.
App Screens & Users
Map screen keys to users for menu-access.
Blocked Users
Blocked users cannot login or call this app.
Audit Logs
API Gateway → Audit Logs for debugging.
Integration flow
Authenticate
Login
{
"client_id": "YOUR_CLIENT_ID",
"client_secret": "YOUR_CLIENT_SECRET",
"login": "user@company.com",
"password": "******"
}
Refresh
{
"client_id": "YOUR_CLIENT_ID",
"refresh_token": "CURRENT_REFRESH_TOKEN"
}
Revoke (logout)
Request headers
| Header | Value |
|---|---|
| Authorization | Bearer |
| X-Client-Id | |
| Content-Type | application/json |
Discover permissions
Read & write data
Base path: /api/v1/data/{model}
{
"values": {
"name": "New Customer",
"email": "new@example.com"
}
}
Endpoint reference
| Method | Path | Purpose |
|---|---|---|
| POST | /api/v1/auth/login | Login |
| POST | /api/v1/auth/refresh | Refresh |
| POST | /api/v1/auth/revoke | Revoke |
| GET | /api/v1/info/models | Models |
| GET | /api/v1/info/models/{model}/fields | Fields |
| GET | /api/v1/data/{model} | List |
| GET | /api/v1/data/{model}/{id} | Read |
| POST | /api/v1/data/{model} | Create |
| PATCH | /api/v1/data/{model}/{id} | Update |
| DELETE | /api/v1/data/{model}/{id} | Delete |
Go-live checklist
- Created Application in Odoo
- Configured scopes (model + fields + operations)
- Shared base_url, client_id, client_secret
- Login returns tokens + user
- Protected calls send Authorization + X-Client-Id
- 401 triggers refresh + single retry
Need access?
Contact CTIT for trial credentials on api.ctit.com.sa