Software outside Odoo can interact with it, and the external API is how. It works over two standard protocols. This piece is about the Odoo external API, XML-RPC and JSON-RPC.
What the external API is
The Odoo external API is the interface through which software that is not part of Odoo interacts with it: the way an external program can read from, write to, and operate Odoo programmatically. The word external is precise, it is the interface for software outside Odoo, at Odoo's boundary, not the way Odoo's own connected applications work with each other inside the system.
The two protocols
The Odoo external API works over two protocols: XML-RPC and JSON-RPC. These are standard, well-established remote-procedure-call protocols, well-understood ways for one program to call another across a network. Because the external API works over these standard protocols, it can be used from essentially any programming language that can make such calls, which is most of them, so an external program is not restricted to a particular language to interact with Odoo.
What the external API lets a program do
Through the external API, an external program can do, programmatically, the kinds of things that working with Odoo's data and operations involves. It can read information out of Odoo, retrieving records. It can create records in Odoo. It can update existing records. It can operate on Odoo's data and call its operations. In essence, the external API lets an external program do, in code, the kinds of things that can be done with Odoo's records, which is what makes Odoo connectable to other software rather than sealed off.
Authentication and security
The external API is governed by authentication and by Odoo's normal security. An external program must authenticate, identify itself, before it can do anything, and once it does, it acts as a particular account, and it can do only what that account is permitted to do. The external API does not bypass Odoo's security; an external program sees and changes only what its account's permissions allow. The good practice that follows is to have an integration authenticate as a dedicated account with exactly the permissions it genuinely needs, no more, so the exposure through the API is limited to what that account can do.
The honest note on REST
An honest point worth making. The Odoo external API works over XML-RPC and JSON-RPC; it is not a REST API in the way some platforms provide. A developer expecting a native REST API will not find one as the standard external interface. The external API over XML-RPC and JSON-RPC provides full programmatic access and serves most integration needs; where REST specifically is genuinely required, it is added to Odoo, through custom controllers or a community module, as a deliberate piece of development. Knowing this honestly, from the start, saves a developer wasted effort.
The takeaway
The Odoo external API is the interface through which software outside Odoo interacts with it, working over the standard XML-RPC and JSON-RPC protocols, so it can be used from essentially any language. Through it, an external program can read, create, update, and operate on Odoo's records. It is governed by authentication and Odoo's security, so an integration should use a dedicated, least-privilege account. The external API is not a native REST API; where REST is genuinely required, it is added deliberately. For how we approach Odoo, see our ERP practice.