Tesla API

I am a developer who would like access to my Tesla vehicle using Tesla's API. Rummaging around, I see that Tesla is using OAuth 2 for authentication. That protocol requires an app to be registered with Tesla's servers. The app is identified using an app secret. A client secret is also needed. Its purpose is complex, but for this topic you can think of it as a user id and password that identifies the app and its developer. These keys should never be published and they should never be stored in a phone. OAuth 2 is very useful because it allows the app to access your data (with your permission) but the author cannot acquire your password.

I cannot find a site from Tesla where a developer can register and be given secrets that identify their app. However, I can find people selling apps. Either I need help finding the Tesla developer site, or these apps are using stolen keys.

Does anyone know which it is? If they are stealing keys, has Tesla been doing anything to thwart the activity? It would seem to me that Tesla should either put up an official way to get keys or rotate their keys.

What they shouldn't do is reward people who steal keys by allowing them to sell apps that use hacked keys.

Frankly, I have the skills and network software that would allow me to intercept the keys but I won't do it. I will wait to receive proper access from Tesla. I will not purchase a third-party app from a hacker. People who steal keys cannot be trusted. Nor will I buy an app from a third-party developer using valid keys obtained in a closed-source environment.

Let me know if there's a developer site that I totally missed. Otherwise I would really like to know your opinion.

Should Tesla publish and support an API (akin to Facebook, Google, LinkedIn and many more)?

I personally believe that, by limiting access, they are turning off what would be a large and free stream of innovation.

ulrichard | 23 September 2018

At first I had to laugh, reading your innocent post. But how the security of the app access is handled is not funny at all, and in fact the reason why I disabled it in my car.
There are no adjustable restricted access tokens as with other services. Your app can get a token that will expire after 90 days and grants access to everything short of driving off. To get the token you need the password. It is possible to transfer the token from a more secure device to a less secure device, but that would be too complicated for 99% of users. Thus, all apps require the password.
Ah, and BTW the API is not publicly documented, but the unofficial documentation is quite good.
And with a bit of searching, you can find bindings for most scripting languages.

zzn | 2 January 2020

As a developer and a new Tesla driver, realizing there is no official API, but only an unofficial API, while the unofficial API actually can lock/unlock my car, it scares me.

@zzn - if it's your own code, the API is fairly hack-proof - so far no reports of anyone breaking through. Requires your username and password.

Now with other legacy automakers, I would be worried, since they seem so late to the software game. Most contract software out to multiple vendors, and security has been an afterthought - not a good way to ensure security.