The Bangladesh API Landscape: What Can and Cannot Connect
Before writing a single line of integration code, you need to understand a fundamental truth about Bangladesh's digital ecosystem: API quality varies enormously, from well-documented REST APIs (bKash, SSLCommerz) to barely-documented SOAP services (some bank corporate portals) to systems with no API at all (NBR's iBAS++ requires browser automation, not API calls).
Here is a practical map of what Bangladesh businesses typically want to connect to Odoo and the realistic integration level for each:
Well-documented REST API. Supports payment initiation, status check, refund. Requires IP whitelisting and sandbox testing. Custom Odoo module required.
Documented but uses RSA key-pair encryption on each request. More complex than bKash. Bangladesh-registered business required. Custom module required.
Bangladesh's most developer-friendly payment gateway. Supports bKash, cards, mobile banking in one gateway. PHP/Python SDKs available. Easiest integration point for Odoo e-commerce.
REST API with API key auth. Supports order creation, tracking, webhook callbacks on status change. Documentation available on request from Pathao merchant team.
Flat REST API with API key in header. Create order, get tracking. The simplest Bangladesh courier API — good starting point for custom delivery carrier modules.
BRAC, Dutch-Bangla, City, Eastern: most provide only CSV or MT940 file exports — no live API. IBBL and some new banks offer limited API. Use Odoo bank statement import, not live sync.
The NBR tax return system has no public API. Data must be submitted via web interface. Odoo can export the required formats (Mushak 6.3 reports) but cannot submit directly.
Newer gateway covering Bangladeshi cards + mobile banking. REST API with JWT auth. Gaining adoption in mid-market. Suitable for companies with in-house development capacity.
The Bangladesh fintech ecosystem is growing fast, but API quality still lags behind the ambition. Know what tier of integration you are building before you budget for it.
Odoo API Fundamentals: XML-RPC, JSON-RPC, and REST
Odoo exposes three API interfaces. Understanding which to use for which purpose is the first decision your integration team needs to make.
JSON-RPC — The Standard Choice for Bangladesh Integrations
Odoo's JSON-RPC interface at /web/dataset/call_kw is available in all Odoo versions and is the most widely used integration method. Every Odoo model and its methods are accessible — read, write, create, unlink, and any custom method you define. This is what most Bangladesh integration developers use because it requires no extra setup and works with any HTTP client.
import requests, json
url = "https://your-odoo.com"
# Step 1: Authenticate
auth = requests.post(f"{url}/web/dataset/call_kw", json={
"jsonrpc": "2.0", "method": "call", "id": 1,
"params": {
"model": "res.users",
"method": "authenticate",
"args": ["your-db", "user@company.com", "password", {}],
"kwargs": {}
}
}).json()
uid = auth["result"]
# Step 2: Read confirmed sale orders
orders = requests.post(f"{url}/web/dataset/call_kw", json={
"jsonrpc": "2.0", "method": "call", "id": 2,
"params": {
"model": "sale.order",
"method": "search_read",
"args": [[["state", "=", "sale"]]],
"kwargs": {"fields": ["name", "partner_id", "amount_total"], "limit": 50}
}
}).json()
print(orders["result"])XML-RPC — Legacy but Stable, Available in All Versions
XML-RPC is Odoo's older interface, available since Odoo 8. It works through two endpoints: /xmlrpc/2/common (for authentication) and /xmlrpc/2/object (for all model operations). It is slightly more verbose than JSON-RPC but is perfectly stable and used in many long-running Bangladesh integrations.
Use XML-RPC when: working with older Odoo versions (12, 13, 14), or when using Odoo's official odoorpc Python library which wraps XML-RPC cleanly.
REST API — New in Odoo 16, Cleaner for Modern Integrations
Odoo 16 introduced a proper REST API at /api/ endpoints for specific models. It uses API key authentication (no session management) and returns clean JSON. As of Odoo 18, the REST API covers the most common objects: /api/sale.order, /api/res.partner, /api/stock.picking, etc.
The REST API is the right choice for new integrations on Odoo 16+ because it does not require session cookie management and is easier to secure. Generate an API key from Settings → Users → Your User → API Keys tab.
curl -H "Authorization: Bearer YOUR_API_KEY" \
https://your-odoo.com/api/sale.order?domain=[["state","=","sale"]]Authentication & API Security
Authentication is where Bangladesh integrations most often fail — not because the code is wrong, but because the security configuration is not thought through. There are three patterns to choose from:
-
API Key Authentication (Recommended for Odoo 16+) Generate a dedicated API key for each external system. Settings → Technical → API Keys (or per-user API Keys tab). Store the key as an environment variable on the integration server — never in source code. Rotate keys every 90 days. Use one key per integration so you can revoke without affecting others.
-
Dedicated Integration User (All Versions) Create a dedicated Odoo user (e.g., api-integration@company.com) with the minimum permissions required for the integration's function. Do not use an admin account. If the key is compromised, a minimal-permission user limits blast radius. See the Odoo User Access Rights guide for configuring a restricted user role.
-
IP Whitelisting via Nginx/Server Config If your integration server has a static IP (recommended for Bangladesh office servers and cloud VMs), restrict API access at the web server level. Nginx allow/deny rules ensure that even with a leaked credential, the API cannot be accessed from arbitrary IPs.
-
Store Keys in System Parameters For third-party API keys that Odoo itself needs to call (e.g., bKash API key, courier API key), use Settings → Technical → System Parameters to store them. Name them clearly:
bkash.app_key,steadfast.api_key. Restrict access to System Parameters to admin only.
Never commit API keys or Odoo credentials to Git repositories. Bangladesh development teams frequently push API keys to GitHub in config files — this is a critical security vulnerability. Use environment variables or encrypted secret stores (AWS Secrets Manager, HashiCorp Vault, or even a .env file that is git-ignored).
Payment Gateway Integration
Bangladesh businesses — especially e-commerce, B2C SaaS, and export billing — need payment gateways connected to Odoo's invoicing and accounting modules. Here is how each major gateway integrates.
bKash Merchant API Integration
Integration type: Custom Odoo payment provider module extending payment.provider and payment.transaction models. bKash uses OAuth 2.0 — you first obtain a token (POST to /tokenized/checkout/token/grant), then use the token to create a payment (POST to /tokenized/checkout/create), then redirect the user to bKash's payment page, then capture the callback on your webhook URL.
Bangladesh-specific requirements:
- You must have an active bKash merchant account with a registered business (trade license + TIN).
- Production credentials require IP whitelisting — your Odoo server's public IP must be registered with bKash.
- bKash requires a callback URL that is accessible over HTTPS. Self-signed certificates are not accepted in production.
- Test using the sandbox at
tokenized.sandbox.bka.shbefore requesting production credentials.
What the Odoo module does: When a Bangladesh customer pays a Odoo invoice via bKash, the payment form redirects to bKash, completes payment, returns to Odoo's callback URL, and the module automatically marks the invoice as paid and creates the journal entry in the bKash bank journal.
SSLCommerz Integration
SSLCommerz is the right choice when you want to accept multiple payment methods (bKash, Nagad, Rocket, cards, internet banking) through a single gateway without building separate integrations for each. SSLCommerz handles the complexity and splits funds to your settlement account.
SSLCommerz provides a Python SDK on GitHub. The Odoo integration pattern is: create an SSLCommerz session (POST to /gwprocess/v4/api.php) on invoice payment click, redirect to SSLCommerz hosted checkout, receive IPN (Instant Payment Notification) at your Odoo webhook, validate the hash signature, and auto-reconcile the payment.
import hashlib
def validate_sslcommerz_ipn(data, store_passwd):
"""Verify SSLCommerz IPN hash before marking payment as received."""
received_hash = data.get("verify_sign")
data_without_sign = {k: v for k, v in data.items()
if k not in ("verify_sign", "verify_key")}
# Sort keys and concat with store password
sorted_data = dict(sorted(data_without_sign.items()))
sorted_data["store_passwd"] = hashlib.md5(
store_passwd.encode()).hexdigest()
hash_str = "&".join(f"{k}={v}" for k, v in sorted_data.items())
expected = hashlib.md5(hash_str.encode()).hexdigest()
return received_hash == expectedNever mark a payment as received without validating this hash. Skipping validation is the #1 SSLCommerz security mistake Bangladesh developers make.
Bank Feed Integration: The Bangladesh Reality
Bangladesh corporate banking APIs are significantly less mature than payment gateway APIs. Here is the honest state of bank connectivity for Bangladesh Odoo implementations.
BRAC Bank, Dutch-Bangla, City Bank, Eastern Bank: CSV/MT940 Import
As of 2026, Bangladesh's major commercial banks — BRAC, Dutch-Bangla, City Bank, Eastern Bank, Mutual Trust Bank — do not offer a live corporate banking API accessible to business customers. What they do provide:
- CSV statement export: Available from internet banking portals. Download daily or weekly, import into Odoo via Accounting → Bank Statements → Import.
- MT940 format: Some banks (particularly those with SWIFT connectivity) offer MT940 format exports. Odoo natively supports MT940 import.
- OFX format: Rare but available in some portals. Also natively supported by Odoo.
Practical recommendation: Automate the CSV download via a scheduled script (using Selenium or Playwright to log in to the bank portal and download the statement) and then push the file to Odoo's bank statement import API. This gives you near-automated bank reconciliation without a live API.
Automated browser login to bank portals may violate your bank's terms of service. Check with your relationship manager before implementing browser automation against your corporate internet banking portal. Some banks offer OTP-based access that makes automation impractical anyway — human-assisted daily import may be the only option.
IDLC Finance, IPDC: Corporate Finance APIs (Limited)
A small number of Bangladesh NBFIs and newer digital banks are beginning to offer corporate API access. If your company banks with an institution that offers corporate API access, use Odoo's account.bank.statement.line model to import transactions programmatically rather than via file upload. This is the approach to take if and when your bank offers it.
Shipping & Delivery API Integration
For Bangladesh e-commerce and B2B fulfilment companies, courier API integration is often the highest-ROI integration to build. Automating shipment creation, label printing, and tracking status sync saves hours of manual data entry per day at any meaningful order volume.
Steadfast Courier API — Simplest Bangladesh Courier Integration
Steadfast's API is the simplest in the Bangladesh courier market. API key authentication (pass Api-Key and Secret-Key in headers), flat REST endpoints, straightforward response structure. The integration extends Odoo's stock.delivery.carrier model.
import requests
STEADFAST_BASE = "https://portal.packzy.com/api/v1"
headers = {
"Api-Key": "YOUR_API_KEY",
"Secret-Key": "YOUR_SECRET_KEY",
"Content-Type": "application/json"
}
def create_steadfast_order(invoice, customer, address, cod_amount):
payload = {
"invoice": invoice, # Your order reference
"recipient_name": customer,
"recipient_phone": address["phone"],
"recipient_address": address["street"],
"cod_amount": cod_amount # 0 for prepaid
}
resp = requests.post(
f"{STEADFAST_BASE}/create_order",
json=payload, headers=headers
)
data = resp.json()
return data.get("consignment", {}).get("tracking_code")Store the returned tracking_code on the Odoo stock.picking record. Use a scheduled action to poll Steadfast's status endpoint and update the delivery status in Odoo automatically.
Pathao Courier API — Webhook-Based Status Updates
Pathao's courier API supports webhook callbacks — Pathao pushes status updates to your Odoo server when a shipment status changes (picked, in-transit, delivered, returned). This is more efficient than polling. Register your Odoo controller URL as the webhook endpoint in Pathao's merchant portal, then write an Odoo controller that receives POST requests and updates the corresponding stock.picking record.
Pathao also requires merchant onboarding and credentials available through their logistics business team. Contact via Pathao for Business portal.
Redx & eCourier
Both Redx and eCourier offer REST APIs with API key authentication. Redx documentation is available via their merchant portal. eCourier API is slightly more complex with zone-based pricing calculations. The integration pattern is identical to Steadfast — create order on picking validation, store tracking code, poll or receive webhook for status updates.
NBR & Tax System: What is Actually Possible
Many Bangladesh businesses ask whether Odoo can submit Mushak reports or VAT returns directly to NBR. The honest answer: not directly — but Odoo can generate the data in exactly the format NBR requires.
The NBR iBAS++ system (where government tax is submitted) and the Mushak online portal (VAT returns) require manual submission through a browser interface as of 2026. There is no public REST API for automated submission.
What Odoo can do:
- Generate Mushak 6.3 (sales VAT register), 6.4 (purchase VAT register), and 6.5 (credit note register) as PDF or CSV exports — exactly the format required for NBR filing.
- Calculate TDS (Tax Deducted at Source) on vendor payments and generate 108 and 108A certificates.
- Track VAT payable/receivable for monthly reconciliation before filing.
- Export VAT return data in the Excel format required for upload to the VAT Online portal.
The integration gap is the final submission step — which still requires a human to log in to the NBR portal and upload or enter the data. Odoo bridges everything up to that point.
Common Integration Patterns for Bangladesh Businesses
E-Commerce Sync: WooCommerce / Custom Website → Odoo
Bangladesh online retailers with separate WooCommerce stores need orders, customers, and inventory synced to Odoo. The standard pattern: WooCommerce webhook (on order.created) calls an Odoo JSON-RPC endpoint to create a sale.order, confirm it, and trigger stock reservation. Inventory levels sync back to WooCommerce on a schedule (every 15 minutes) via a cron job querying Odoo's product.product model.
Available tools: Odoo Connector for WooCommerce (OCA project on GitHub), or build a lightweight webhook handler using Python FastAPI/Flask as middleware between WooCommerce and Odoo's API.
No-Code Middleware: n8n for Simple Bangladesh Integrations
For Bangladesh businesses that want integration without custom development, n8n (open-source workflow automation) is an excellent middle layer. n8n has native Odoo nodes and can be self-hosted on a BDT 1,500/month cloud VM. Common use cases: Google Forms → Odoo lead, email → Odoo support ticket, Excel/Google Sheets import → Odoo product/customer records.
n8n is not suitable for high-volume, real-time integrations (like SSLCommerz IPN callbacks at 100+ transactions/minute). For those, a proper Odoo custom module is the right answer.
Pushing Data Out: Odoo → External BI / Reporting Tools
Some Bangladesh companies want to push Odoo data to Power BI, Google Looker Studio, or a custom dashboard for the CEO. The pattern: a scheduled Python script queries Odoo's API (search_read on relevant models), transforms the data, and writes to a PostgreSQL database or Google Sheets, which Power BI or Looker Studio connects to.
Alternatively, connect Power BI directly to Odoo's PostgreSQL database (if self-hosted) using the read-only reporting user. This is the simplest approach for Odoo on-premise deployments in Bangladesh.
Troubleshooting API Connectivity Issues
Problem: "odoo.exceptions.AccessDenied" on every API call
The integration user either has the wrong password or is not in the correct database. Verify: the database name matches exactly (case-sensitive), the user is active (not archived), and the password has not expired. If using Odoo 17+, check whether 2FA is enabled on the user — API key auth bypasses 2FA; session-based auth does not.
Problem: API works in testing but fails from Bangladesh production server
Most likely cause: the Bangladesh server's IP is blocked by the external API provider (bKash, SSLCommerz, etc.). Check IP whitelisting. If your Bangladesh server uses a shared/dynamic IP (common with ISPs like BTCL, Grameenphone home plans), you need a static IP — available from your ISP on request, or use a cloud VM with a fixed public IP.
Problem: SSL certificate errors from Bangladesh server
Bangladesh servers often have outdated CA certificate bundles. Run sudo update-ca-certificates on Ubuntu/Debian or install the ca-certificates package. Also verify your server's clock is accurate (NTP-synced) — certificate validation fails if the server clock is more than 5 minutes off, which is surprisingly common on misconfigured Bangladesh VMs.
Problem: Webhook callbacks from bKash/SSLCommerz not reaching Odoo
Check that your Odoo server is accessible on port 443 (HTTPS) from the internet. Many Bangladesh on-premise servers are behind a NAT router without port forwarding configured. Use a service like ngrok for development/testing. For production, ensure your firewall and router forward port 443 to your Odoo server and that you have a valid SSL certificate (Let's Encrypt works perfectly).
For the access rights configuration that underpins all integration security, the Odoo User Roles & Access Rights guide covers how to create minimal-permission integration users correctly. And for the multi-company setups where API integration becomes more complex, the Odoo Multi-Company Setup guide explains the database architecture that determines which company's data your API calls will see.
If your Bangladesh business needs Odoo connected to bKash, a courier API, a banking system, or a custom third-party tool, I can assess the scope and advise on build vs. buy vs. middleware. Contact me for an integration scoping call →
Frequently asked questions
Does Odoo have a REST API?
Yes. Odoo 16 and later expose a native REST API at /api/ endpoints for specific objects. Earlier versions use XML-RPC or JSON-RPC at /web/dataset/call_kw. The JSON-RPC interface is the most commonly used method for Bangladesh integrations because it works with any HTTP client and does not require a special SDK.
Can bKash be integrated directly with Odoo?
Yes, but not with a native Odoo module. bKash merchant API (REST, OAuth 2.0) must be connected via a custom payment provider module. The bKash merchant API requires a registered business account, IP whitelisting, and sandbox credentials from bKash before production integration. Most Bangladesh Odoo partners build this as a custom module that extends Odoo's payment.provider model.
Which shipping APIs work with Odoo in Bangladesh?
Pathao Courier, Steadfast Courier, Redx, and eCourier are the main Bangladesh delivery APIs. None have official Odoo modules on the App Store as of 2026. Integration requires a custom delivery carrier module. Steadfast has the simplest API (flat REST with API key auth) and is the easiest starting point for custom development.
What is the safest way to store API keys in Odoo?
Use Settings → Technical → System Parameters to store third-party API keys in the database. For Odoo's own API keys granted to external systems, generate dedicated API keys per integration from the user's API Keys tab. Never commit API keys to Git. Restrict System Parameters access to Administrator role only via access rights configuration.