Tesla Developer API Guide: Account Setup, App Creation, Registration, and Third-Party Authentication Configuration (Part 1)

For years, Tesla has been leading in innovating electric vehicles and energy solutions. However, their developer API remained tightly sealed, even though many other vendors offered these APIs by reverse engineering the Tesla unreleased APIs until Tesla decided to make their APIs publicly available in October 2023. This direct developer API from Tesla opens up a new frontier for developers and enthusiasts to integrate Tesla’s offerings into their apps and creations.

Let us see the step-by-step procedure to start consuming the Tesla developer APIs.

Step 1 — Create a Tesla account with MFA ( Login Link)

Tesla enforces MFA to start requesting app access to be used by developers. There can be two scenarios here.

A. New user and setting the Tesla account for the first time using email and password.

B. Existing customers log in using a registered username and password.

It is important to note that in neither situation is multi-factor authentication (MFA) automatically enforced. The illustration below shows the step-by-step procedure for creating a successful Tesla account using MFA.

Setting up the Tesla account with MFA

Step 2 — Submit the Access Request to get the App Credentials ( Developer Portal Link)

The first thing in this step is to ‘Request app access’ by providing legal business details, app name, description, and purpose of usage.

Requesting app access via the Tesla API developer portal

Once the app request is submitted, Tesla will review it and email it with status updates. Currently, this step is instantaneous. We can fetch the client ID and client secret from the developer portal.

Fetch Client ID and Client Secret

Step 3 — Register for the App

Five steps involved to register the app.

A — Generate the public key

The below steps work for MacOS.

Install OpenSSL: In MacOS, Use brew install openssl if it's not installed already.

Check the successful installation using openssl version.

Generate a private key: This command generates and saves it in the file 'private.pem'.

openssl ecparam -name prime256v1 -genkey -noout -out private.pem

Generate the public key: This command extracts the public key from the private key and saves it in the file 'public.pem'.

openssl ec -in private.pem -pubout -out public.pem

Locate the public and private key: Navigate to ‘Users’ -> ‘Username’ in the MacOS.

Public and Private key location in MacOS

Rename public key: Rename the 'public.pem' file to 'com.tesla.3p.public-key.pem'.

B — Host the public key in the /.well-known section of the website

This website is the same as the allowed origin website that we requested during app registration. The public key must be hosted on the location as mentioned below.

https://<your domain>/.well-known/appspecific/com.tesla.3p.public-key.pem

I have tried hosting the public key file on two sites with different hosting environments.

1. WordPress hosted site — I upgraded to the ‘WordPress Business’ plan to get SFTP credentials to access website files. Upload the public key to the desired location.
2. CloudFront and S3 hosted site — Create the needed folder structure in S3 where the website files reside and upload the public key.

C — Generate the partner authentication token ( Postman API Link)

Using the below Curl generate the partner authentication token.

CLIENT_ID=<command to obtain your client_id> CLIENT_SECRET=<secure command to obtain your client_secret> AUDIENCE="https://fleet-api.prd.na.vn.cloud.tesla.com" # Partner authentication token request curl --request POST \ --header 'Content-Type: application/x-www-form-urlencoded' \ --data-urlencode 'grant_type=client_credentials' \ --data-urlencode "client_id=$CLIENT_ID" \ --data-urlencode "client_secret=$CLIENT_SECRET" \ --data-urlencode 'scope=openid vehicle_device_data vehicle_cmds vehicle_charging_cmds' \ --data-urlencode "audience=$AUDIENCE" \ 'https://auth.tesla.com/oauth2/v3/token'

D — Register the app using a bearer token from © ( Postman API Link)

Using the below Curl register the app.

curl --header 'Content-Type: application/json' \ --header "Authorization: Bearer $PARTNER_AUTHENTICATION_TOKEN" \ --data '{"domain":"string"}' \ 'https://fleet-api.prd.na.vn.cloud.tesla.com/api/1/partner_accounts'

E — Validate a successful registration of the app by calling the public key endpoint using bearer toke from © ( Postman API Link)

Using the below Curl ensure the registration was successful.

curl --header 'Content-Type: application/json' \ --header "Authorization: Bearer $PARTNER_AUTHENTICATION_TOKEN" \ 'https://fleet-api.prd.na.vn.cloud.tesla.com/api/1/partner_accounts/public_key'

Step 4 — Validate the Third-party app login as the end customer

The app is now ready to be used to test with the user.

Using our registered app, we can redirect the user to get the authorization code ( Postman API Link)

https://auth.tesla.com/oauth2/v3/authorize?client_id={{client_id}}&locale=en-US&prompt=login&redirect_uri={{redirect_uri}}&response_type=code&scope=openid user_data vehicle_device_data vehicle_cmds vehicle_charging_cmds energy_device_data energy_cmds offline_access&state=abc123

Users can grant the needed access as part of the log in via third-party apps to provide restricted and granular access to the account.

Allow users to sign in with Third-party apps using Tesla credentials

Step 5 — Generate the access token that third-party apps can use

To access the Fleet API’s, you need access tokens with the necessary scopes. The following Curl command can be used to retrieve access, refresh, and id tokens: ( Postman API Link).

curl --location 'https://auth.tesla.com/oauth2/v3/token' \ --data-urlencode 'grant_type=authorization_code' \ --data-urlencode 'client_id={{client_id}}' \ --data-urlencode 'client_secret={{client_secret}}' \ --data-urlencode 'code={{auth_code}}' \ --data-urlencode 'audience={{audience}}' \ --data-urlencode 'redirect_uri={{redirect_uri}}'

Third-party apps can persist the refresh token and get new access tokens based on the needs using the below Curl ( Postman API Link).

curl --location 'https://auth.tesla.com/oauth2/v3/token' \ --header 'Content-Type: application/x-www-form-urlencoded' \ --data-urlencode 'grant_type=refresh_token' \ --data-urlencode 'client_id={{client_id}}' \ --data-urlencode 'refresh_token={{refresh_token}}'

Let’s take a detailed look at the various commands and operations available within the Tesla Fleet APIs, which we will explore in the next part of the blog.

Share your thoughts on use cases and modern architectures in implementing Tesla developer API in your applications.

Happy learning!

Originally published at http://shankarkumarasamy.blog on October 30, 2023.