I am a developer who would like access to my Tesla vehicle using Tesla's API. Rummaging around, I see that Tesla is using OAuth 2 for authentication. That protocol requires an app to be registered with Tesla's servers. The app is identified using an app secret. A client secret is also needed. It's purpose is complex but for this topic you can think of it as a user id and password taht identifies the app and it's developer. These keys should never be published and they should never be stored in a phone. OAuth 2 is very useful because it allows the app to access your data (with your permission) but the author cannot acquire your password.
I cannot find a site from Tesla where a developer can register and be given secrets that identify their app. However, I can find people selling apps. Either I need help finding the Tesla developer site, or these apps are using stolen keys.
Does anyone know which it is? If they are stealing keys, has Tesla been doing anything to thwart the activity? It would seem to me that Tesla should either put up an official way to get keys or rotate their keys.
What they shouldn't do is reward people who steal keys by allowing them to sell apps that use hacked keys.
Frankly, I have the skills and network software that would allow me to intercept the keys but I won't do it. I will wait to receive proper access from Tesla. I will not purchase a third-party app from a hacker. People who steal keys cannot be trusted. Nor will I buy an app from a third-party developer using valid keys obtained in a closed-source environment.
Let me know if there's a developer site that I totally missed. Otherwise I would really like to know your opinion.
Should Tesla publish and support an API (akin to Facebook, Google, LinkedIn and many more)?
I personally believe that, by limiting access, they are turning off what would be a large and free stream of innovation.