All Posts People Badges

Ključne besede (View all)

About this forum

Pomoč

JSON API, API Keys and user connection

authentication api

3 Odgovori

2922 Prikazi

Martin

We'd like to develop a mobile app linked to a Odoo (19). Our goal is to use the JSON API, both because it seems to be the way of the future and also because we're more familiar with that kind of tech.

We have something that we can't figure out. Our goal is to have our end user to identify with their login/password in the app, and then use their credential to use the API (for example to retrieve their current holidays).

Issue: this works only using the API key, which cannot be generated from an endpoint - even with the user's password.

What's the current advice/strategy in this case? We could have a technical user with high access and use it everywhere but it looks extremely dangerous and actually not practical (I want to retrieve the current user's holiday, not all of them, etc).

People here making mobile apps, how are you interacting with the new API?

Martin

Avtor

Thanks - I get the idea but your example is using the jsonrpc api - I don't see any way to use this "with_user "on the json2 ("rest") one.

Ray Carnes (ray)

https://www.odoo.com/documentation/19.0/developer/reference/external_api.html#object-service

Atliis 360

Hi Martin,

The standard Odoo JSON-RPC authenticate call does return a session_id you can reuse — that's your bridge between user credentials and scoped API access.

Step 1 — Authenticate and get a session:

POST /web/dataset/call_kw

{

"jsonrpc": "2.0",

"method": "call",

"params": {

"model": "res.users",

"method": "authenticate",

"args": ["your-db", "user@example.com", "password", {}],

"kwargs": {}

}

The response includes a uid and the cookie header carries a session_id.

Step 2 — Use that session for all subsequent calls, passing the session_id cookie. Every call will execute as that specific user, so Odoo's record rules apply automatically — fetching holidays (or any model) returns only their own records.

The key insight is: don't try to generate an API key on behalf of the user. Just reuse the authenticated session. It's stateful but works perfectly for mobile apps.

If you'd rather have a cleaner REST interface with proper Bearer token auth, user-scoped API key issuance, and a dedicated POST /api/v1/auth/login endpoint — we built exactly that. Check out REST API Toolkit on the Odoo App Store.

Hope that unblocks you!

Cybrosys Techno Solutions Pvt.Ltd

Hi,

You're encountering a frequent issue when integrating Odoo 19 JSON-RPC API with mobile app user authentication. Since API keys are not suitable for individual mobile users authenticating with personal credentials, the correct solution is session-based authentication.

Why session-based authentication is ideal for mobile apps

Users log in using their own username and password

User context is automatically applied (no need to pass user ID manually)

Access rights, record rules, and ACLs are enforced correctly

No need to generate or maintain API keys for each user

Authenticate from the mobile app

Send a POST request to the Odoo session authentication endpoint:

POST https://your-odoo-instance.com/web/session/authenticate

Content-Type: application/json

Request payload:

{

"jsonrpc": "2.0",

"params": {

"db": "your_database",

"login": "user@example.com",

"password": "user_password"

}

If authentication succeeds:

Odoo returns session_id

The session_id is also set in response cookies

Store session_id securely in your mobile app

Use platform-specific secure storage:

Create a custom authenticated API endpoint in Odoo

In your custom Odoo module, define a controller with auth="user":

from odoo import http

class MobileHolidaysController(http.Controller):

@http.route('/api/mobile/my/holidays', type='json', auth='user')

def get_my_holidays(self, **kwargs):

# Business logic goes here

return {

"status": "success",

"message": "Authenticated successfully",

"data": {} # Replace with your actual holiday records

}

Call the endpoint from the mobile app

Include the stored session_id in cookies for all requests:

POST https://your-odoo-instance.com/api/mobile/my/holidays

Cookie: session_id=your_stored_session_id

Content-Type: application/json

Payload:

{

"jsonrpc": "2.0",

"params": {}

}

Hope it helps

Ray Carnes (ray)

with_user might be helpful here

self.env['hr.leave'].with_user(mobile_user).search([])

https://www.odoo.com/forum/help-1/what-is-the-purpose-of-with-user-means-what-is-the-advantage-of-using-it-189340

Enjoying the discussion? Don't just read, join in!

Create an account today to enjoy exclusive features and engage with our awesome community!

Prijavi

Related Posts	Odgovori	Prikazi
How i can auth my user to access odoo with API Key or Access Token? authentication api	4 mar. 26	47735
Error when trying to authenticate through API (v14) Solved authentication api	5 dec. 20	13506
Question about how to authentication using api key Solved authentication api api-key	1 sep. 25	8450
API authentication not working with API key authentication api api-key	0 jan. 24	5907
How to authenticate users from res.users model in laradoo package authentication api odoo	0 jul. 21	5435

This question has been flagged

Enjoying the discussion? Don't just read, join in!