The Odoo External API Explained

A closer look at Odoo's external API: how an outside program authenticates, what it can call, and how access is controlled.

The Odoo external API is the interface through which programs outside Odoo interact with it. This piece looks more closely at how it works in practice: how an external program connects and authenticates, what it can do once connected, and how access is controlled.

What "external" means here

The word external is precise. Inside Odoo, the applications (sales, inventory, manufacturing, accounting) are already connected; they share one data model and need no API between them. The external API is about the boundary of Odoo: it is the interface through which software that is not part of Odoo interacts with it. When people speak of the Odoo external API, they mean this outside-facing interface.

The protocols

The Odoo external API works over two standard protocols, XML-RPC and JSON-RPC, both well-established ways for one program to call another across a network, and both carried over HTTP. XML-RPC is served from the /xmlrpc/2/common and /xmlrpc/2/object endpoints, JSON-RPC from /jsonrpc. Because the protocols are standard and widely supported, an external program can use the API from almost any programming language. One consequence of the HTTP transport deserves a mention early: the credentials travel inside every request, so the API should only ever be reached over HTTPS. In Odoo 19 the endpoints that serve programmatic access are grouped in a dedicated part of the system, but the standard protocols are still supported so that existing integrations keep working.
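The JSON-RPC side of this, as an added example that is not code from the page or from Odoo: the envelope an integration POSTs to /jsonrpc (a "service" of "common" or "object", the method name, and positional args), and how to unwrap the reply, which carries either a result or an error whose data.name is the server-side Odoo exception class. The two sample responses are constructed for the demo; the message text in the error is illustrative, not a quotation of any particular Odoo version.

```python
"""Added example, not from the page or from Odoo: the JSON-RPC envelope the
Odoo external API accepts at /jsonrpc, built and parsed with no network.
The envelope shape ({"service", "method", "args"} under params) and the
error.data.name field naming the Odoo exception class are Odoo's
conventions; the sample responses below are constructed for the demo.
"""
import itertools
import json

_request_ids = itertools.count(1)


def jsonrpc_body(service, method, *args):
    """Body of a POST to <odoo>/jsonrpc. service is "common" for authenticate,
    "object" for execute_kw; args are positional, exactly as with XML-RPC."""
    return json.dumps({"jsonrpc": "2.0", "method": "call", "id": next(_request_ids),
                       "params": {"service": service, "method": method, "args": list(args)}})


class OdooRpcError(Exception):
    """An error envelope, keyed by the server-side exception class name."""

    def __init__(self, name, message):
        super().__init__("%s: %s" % (name, message))
        self.name = name


def jsonrpc_result(response_body):
    """Return the call's result, or raise OdooRpcError built from the error envelope."""
    reply = json.loads(response_body)
    if "error" in reply:
        data = reply["error"].get("data") or {}
        raise OdooRpcError(data.get("name", "unknown"),
                           data.get("message") or reply["error"].get("message", ""))
    return reply["result"]


def is_access_error(response_body):
    """True when the server refused the call on the account's permissions."""
    try:
        jsonrpc_result(response_body)
        return False
    except OdooRpcError as err:
        return err.name == "odoo.exceptions.AccessError"


# Constructed responses in the shape Odoo returns: a successful authenticate
# (uid 7), then an ACL refusal of a delete.
OK_RESPONSE = '{"jsonrpc": "2.0", "id": 1, "result": 7}'
DENIED_RESPONSE = json.dumps({"jsonrpc": "2.0", "id": 2, "error": {
    "code": 200, "message": "Odoo Server Error",
    "data": {"name": "odoo.exceptions.AccessError",
             "message": "You are not allowed to delete 'Sales Order' (sale.order) records."}}})

if __name__ == "__main__":
    print(jsonrpc_body("common", "authenticate", "prod", "integration@example.test", "ik-key", {}))
    print(jsonrpc_result(OK_RESPONSE), is_access_error(DENIED_RESPONSE))  # 7 True
```

The "id" counter matters more than it looks: JSON-RPC replies are matched to requests by id, and an integration that reuses ids cannot tell which reply belongs to which call once requests are pipelined or retried.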

Step one: authentication

An external program cannot do anything with the API until it has identified itself. The first step in using the Odoo external API is always authentication: the program names the Odoo database it wants and proves who it is with the credentials of a user account. Odoo also accepts an API key in place of the password. A key is generated from the user's account-security preferences, is shown only once, and can be revoked independently of the person's login, which makes it the better choice for an integration. Note what a key does not do: it carries exactly the rights of the user it belongs to, so it narrows what can be revoked, not what can be done.

The important consequence of authentication is that the external program always acts as some account. It is never anonymous, and it is never unlimited. It is a specific identity, and that identity governs everything it can do.

Step two: what the program can call

Once authenticated, an external program interacts with Odoo by calling its models. Odoo's data is organised into models (customers, orders, products, and so on), and the external API lets the program operate on them: search for records that match a domain, read the fields of records, create new records, write changes to existing ones, unlink (delete) them, and call a model's other public methods that perform operations. Only public methods are reachable; a method whose name starts with an underscore is treated as private and refused. In essence, the external API exposes the same kinds of actions a user performs through Odoo's screens, but as programmatic calls. This is what makes it powerful: an integration can do, in code, what a user does by hand.

Step three: access is governed by Odoo's security

This is the part that is most important to understand and most often overlooked. The external API does not open a special, unrestricted back door into Odoo. Everything an external program does through the API is governed by Odoo's normal security, applied to the account it authenticated as. Two layers apply: access rights, which say whether the account's groups may read, write, create or delete on a model, and record rules, which filter which rows it can reach. If that account cannot see certain records in the Odoo interface, the API cannot see them either. If that account cannot delete a kind of record, the API cannot delete it. One difference from the screens matters for security: a field or button that is merely hidden in a view is not protected, because the API never goes through the view. Only access rights, record rules and field-level groups restrict an API caller, so that is where a restriction has to live. The external API is a channel; the account's permissions are the gate.

The practical implication is a good security habit: an integration should authenticate as a dedicated user with exactly the permissions it needs, no more: its own login, its own groups, its own API key, never the administrator account or an employee's. If an integration only needs to read orders and create deliveries, its user should be able to do only that. Then, if its key is ever leaked, the exposure is bounded by what that user can do, and the key can be revoked without locking anyone out. Using a powerful, broad account for an integration that needs little is an unnecessary risk.
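The three steps above, carried through as one added example (not code from the page or from Odoo): authenticate with an API key, call a model with execute_kw, and watch the account's permissions gate the call. The client side uses Python's standard xmlrpc.client exactly as an integration would against a real server; the server side is a constructed in-memory stand-in, so the script runs offline. Its users, API keys, records, fault codes and error messages are all invented for the demo.

```python
"""Added example, not code from the page or from Odoo: an integration talking
to the Odoo external API over XML-RPC with Python's standard library.
Client side is the real Odoo interface (/xmlrpc/2/common for authenticate,
/xmlrpc/2/object for execute_kw, API key in the password slot).  The server,
FakeOdooTransport, is a constructed stand-in; everything in it is invented.
"""
from xmlrpc.client import Fault, ServerProxy, Transport, loads

# Fault codes used by the stand-in server (constructed; check your server's own).
FAULT_ACCESS_DENIED = 3   # uid/key pair does not match
FAULT_ACCESS_ERROR = 4    # authenticated, but the ACL forbids the operation


class OdooClient:
    """Authenticate once, then call model methods as that uid."""

    def __init__(self, url, db, login, api_key, transport=None):
        self.db, self.api_key = db, api_key
        self.common = ServerProxy(url + "/xmlrpc/2/common", transport=transport)
        self.models = ServerProxy(url + "/xmlrpc/2/object", transport=transport)
        # Odoo answers with the user's id, or False (not a fault) on bad credentials.
        self.uid = self.common.authenticate(db, login, api_key, {})
        if not self.uid:
            raise PermissionError("authentication failed for " + login)

    def call(self, model, method, *args, **kwargs):
        # XML-RPC is stateless: db, uid and key travel with every call (so use HTTPS).
        return self.models.execute_kw(self.db, self.uid, self.api_key,
                                      model, method, list(args), kwargs)


class FakeOdooTransport(Transport):
    """In-memory Odoo: two users, one model, a per-user set of allowed operations."""

    USERS = {  # login -> (uid, API key, operations permitted on sale.order)
        "integration@example.test": (7, "ik-readonly-constructed", {"read"}),
        "admin@example.test": (2, "ik-admin-constructed", {"read", "write", "create", "unlink"}),
    }

    def __init__(self):
        super().__init__()
        self.orders = [{"id": 1, "name": "S00001", "state": "sale"},
                       {"id": 2, "name": "S00002", "state": "draft"},
                       {"id": 3, "name": "S00003", "state": "sale"}]

    def request(self, host, handler, request_body, verbose=False):
        params, method = loads(request_body)  # decode the XML the client serialised
        if handler.endswith("/common") and method == "authenticate":
            db, login, key, _context = params
            user = self.USERS.get(login)
            return (user[0] if user and user[1] == key else False,)
        if handler.endswith("/object") and method == "execute_kw":
            return (self.execute_kw(*params),)
        raise Fault(1, "unsupported: %s %s" % (handler, method))

    def execute_kw(self, db, uid, key, model, method, args, kwargs):
        user = next((u for u in self.USERS.values() if u[0] == uid and u[1] == key), None)
        if user is None:
            raise Fault(FAULT_ACCESS_DENIED, "Access Denied")
        operation = {"search_read": "read", "read": "read", "create": "create",
                     "write": "write", "unlink": "unlink"}.get(method)
        if model != "sale.order" or operation is None:
            raise Fault(1, "%s.%s is not served by this stand-in" % (model, method))
        # The ACL is checked against the authenticated uid, whatever channel the call used.
        if operation not in user[2]:
            raise Fault(FAULT_ACCESS_ERROR,
                        "You are not allowed to %s 'Sales Order' (sale.order) records." % operation)
        if method == "search_read":
            domain, fields = (args[0] if args else []), kwargs.get("fields")
            # Only the '=' operator is understood here; real Odoo domains are far richer.
            rows = [r for r in self.orders if all(r[f] == v for f, op, v in domain if op == "=")]
            return [{k: v for k, v in r.items() if k == "id" or not fields or k in fields}
                    for r in rows][:kwargs.get("limit") or None]
        if method == "unlink":
            self.orders = [r for r in self.orders if r["id"] not in args[0]]
            return True
        raise Fault(1, "%s not implemented in this stand-in" % method)


def confirmed_order_names(client):
    """search_read: domain as first positional arg, fields and limit as keywords."""
    rows = client.call("sale.order", "search_read", [("state", "=", "sale")],
                       fields=["name"], limit=10)
    return [r["name"] for r in rows]


def try_delete(client, ids):
    """True if the delete went through, False if the account's ACL refused it."""
    try:
        return bool(client.call("sale.order", "unlink", ids))
    except Fault as fault:
        if fault.faultCode == FAULT_ACCESS_ERROR:
            return False
        raise


if __name__ == "__main__":
    reader = OdooClient("http://odoo.example.test:8069", "prod", "integration@example.test",
                        "ik-readonly-constructed", transport=FakeOdooTransport())
    print(confirmed_order_names(reader))   # ['S00001', 'S00003']
    print(try_delete(reader, [1]))         # False: read-only key, same gate as the UI
```

Against a real instance, drop the transport argument and point the URL at your server over HTTPS; the client code does not change. The integration account here can only read, so its delete attempt comes back as a fault rather than a deleted order, which is exactly the outcome a least-privilege setup is meant to produce when a key is misused.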

The takeaway

The Odoo external API is the boundary interface for software outside Odoo to interact with it, over the standard XML-RPC and JSON-RPC protocols. An external program first authenticates, ideally with a dedicated API key over HTTPS, then operates on Odoo's models: searching, reading, creating, updating, deleting, and calling public methods. Crucially, everything it does is governed by the access rights and record rules of the account it connects as, so integrations should use dedicated, least-privilege accounts. For how we approach Odoo, see our ERP practice.
