⚠ This is a work in progress ⚠
Tesla has deprecated the /oauth/token endpoint in favor of using auth.tesla.com. I'm working on updating the documentation as soon as possible. This documentation is still missing handling for MFA users. Feel free to discuss this in issue #260.
state value for requests, which is a random string of any length.
User-Agent header that looks like a browser (such as Chrome or Safari). The SSO service has protections in place that will require executing JavaScript if a browser-like user agent is detected.
https://auth.tesla.com/oauth2/v3/authorize
redirect_url of "https://auth.tesla.com/void/callback", which is a non-existent page. The Tesla app intercepts the request to this page to capture the authorization code.
client_id: ownerapi
code_challenge: 123
code_challenge_method: S256
redirect_uri: https://auth.tesla.com/void/callback
response_type: code
scope: openid email offline_access
state: 123
<form> with hidden <input> elements that contain session-based information to prevent CSRF attacks. At the moment, they appear to be _csrf, _phase, _process, transaction_id, and cancel, but they may change due to server-side changes by Tesla. These must be provided in the POST body to validate the following request.
set-cookie header that includes a session ID cookie. This should be provided to the following request as a Cookie header so that the SSO service can match up your request with private data it has in that session.
login_hint parameter is supplied with the GET request and the email is registered with a Tesla SSO service in another region, this will respond with a 303 HTTP response code (See Other), which will redirect you to the Tesla SSO service in that region (e.g. auth.tesla.cn). Should this redirect happen, you should continue using the region-specific Tesla SSO host name in all subsequent steps. An easy way to test this is to use auth.tesla.cn with login_hint using an email registered under auth.tesla.com.
<input>s are provided as POST body parameters and the Cookie header is set.
https://auth.tesla.com/oauth2/v3/authorize
Note: These are query parameters, not part of the POST body
client_id: ownerapi
code_challenge: 123
code_challenge_method: S256
redirect_uri: https://auth.tesla.com/void/callback
response_type: code
scope: openid email offline_access
state: 123
Note: This is the contents of the POST body. These should be form encoded (application/x-www-form-urlencoded).
<input>s
credential: brbgoingtomars
location header. You should not follow it, as it is non-existent. Instead, you should parse this URL and extract the code query parameter, which is your authorization code.
https://auth.tesla.com/oauth2/v3/token
grant_type: authorization_code
client_id: ownerapi
code: 123
code_verifier: 123
redirect_uri: https://auth.tesla.com/void/callback
access_token provided with the response. It is treated as an OAuth 2.0 Bearer Token and expires every eight hours. This token is passed along in an Authorization header with all future requests:
https://auth.tesla.com/oauth2/v3/token
refresh_token from Step 3 above to do an OAuth 2.0 Refresh Token Grant. This does not work with the refresh_token provided by the Owner API. Those have no use currently and should be discarded.
cn- you should POST to auth.tesla.cn Tesla SSO service to have it refresh. Owner API tokens starting with qts- are to be refreshed using auth.tesla.com.
grant_type: refresh_token
client_id: ownerapi
refresh_token: 123
scope: openid email offline_access
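
The code_challenge, code_verifier and state values in the authorization parameters above, and the step that parses the location header instead of following it, as an added example that is not part of the original documentation. It assumes the standard RFC 7636 S256 transform and that the callback echoes state back as standard OAuth 2.0 does; the function names are hypothetical, while the endpoint, redirect URI and parameter values are the ones listed on this page.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://auth.tesla.com/oauth2/v3/authorize"  # from the page
REDIRECT_URI = "https://auth.tesla.com/void/callback"  # from the page

def b64url(raw: bytes) -> str:  # base64url without '=' padding (RFC 7636)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def new_code_verifier() -> str:
    """Fresh random verifier: 64 bytes -> 86 chars (RFC 7636 allows 43-128)."""
    return b64url(secrets.token_bytes(64))

def code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def build_authorize_url(challenge: str, state: str) -> str:
    """Authorize URL carrying the query parameters listed on the page."""
    return AUTHORIZE_URL + "?" + urlencode({
        "client_id": "ownerapi",
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": "openid email offline_access",
        "state": state,
    })

def extract_code(location: str, expected_state: str) -> str:
    """Parse the location header value (never fetch it) and return the code."""
    parts = urlsplit(location)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != REDIRECT_URI:
        raise ValueError("redirect target is not the redirect_uri that was sent")
    query = parse_qs(parts.query)
    # Assumption: the callback echoes state, as standard OAuth 2.0 does.
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: response is not for this login attempt")
    if "code" not in query:
        raise ValueError("redirect carries no authorization code")
    return query["code"][0]

if __name__ == "__main__":
    v = new_code_verifier()
    print(build_authorize_url(code_challenge(v), secrets.token_urlsafe(16)))
```

Keep the code_verifier and state in memory for the lifetime of one login attempt only; the verifier is sent once, in the token request, and a mismatched state means the response should be discarded.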