DeveloperSkip to main content

  1. Fleet API
  2. Charging

Third Party Tokens

Use the authorization_code grant flow to generate a token on behalf of a customer. This allows API calls using the scopes granted by the customer.

Step 1: User Authorization

To initiate the authorization code flow, direct the customer to an /authorize request.

https://auth.tesla.com/oauth2/v3/authorize

Parameters

NameRequiredExampleDescription
response_typeYescodeA string, always use the value "code".
client_idYesabc-123Partner application client ID.
redirect_uriYeshttps://example.com/auth/callbackPartner application callback url, spec: rfc6749.
scopeYesopenid offline_access user_data vehicle_device_data vehicle_cmds vehicle_charging_cmdsSpace delimited list of scopes, include openid and offline_access to obtain a refresh token.
stateYesdb4af3f87...Random value used for validation.
nonceNo7baf90cda...Random value used for replay prevention.

Example Request

https://auth.tesla.com/oauth2/v3/authorize?&client_id=$CLIENT_ID&locale=en-US&prompt=login&redirect_uri=$REDIRECT_URI&response_type=code&scope=openid%20vehicle_device_data%20offline_access&state=$STATE

Step 2: Callback

After the user authorizes their account with Tesla, they will be redirected to the specified redirect_uri.

Extract the code URL parameter from this callback.

Step 3: Code Exchange

Execute a code exchange call to generate a token. The access_token can be used for subsequent requests to Fleet API on behalf of the user.

If using the offline_access scope, save the refresh_token to generate tokens in the future. The refresh token is single use only and expires after 3 months.

An invalid_auth_code response likely means the code is expired.

POST https://auth.tesla.com/oauth2/v3/token

Parameters

NameRequiredExampleDescription
grant_typeYesauthorization_codeGrant type must be authorization_code.
client_idYesabc-123Partner application client ID.
client_secretYessecret-passwordPartner application client secret.
audienceYeshttps://fleet-api.prd.na.vn.cloud.tesla.comAudience for the generated token. Must be a Fleet API base URL.
redirect_uriYeshttps://example.com/auth/callbackPartner application callback url, spec: rfc6749.
scopeNoopenid offline_access user_data vehicle_device_data vehicle_cmds vehicle_charging_cmdsSpace-delimited list of scopes.

Example Request

# Authorization code token request
CODE=<extract from callback>
curl --request POST \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'grant_type=authorization_code' \
  --data-urlencode "client_id=$CLIENT_ID" \
  --data-urlencode "client_secret=$CLIENT_SECRET" \
  --data-urlencode "code=$CODE" \
  --data-urlencode "audience=$AUDIENCE" \
  --data-urlencode "redirect_uri=$CALLBACK" \
  'https://auth.tesla.com/oauth2/v3/token'
# Extract access_token and refresh_token from this response

Refresh Tokens

Use the refresh_token to generate new tokens and obtain refresh tokens. There are two common failure modes for using a refresh_token that will return a 401 - login_required response:

  1. The refresh token has already been used; only the newest refresh token is valid.
  2. The user has reset their password.

Parameters

NameRequiredExampleDescription
grant_typeYesrefresh_tokenGrant type must be refresh_token.
client_idYesabc-123Partner application client ID.
refresh_tokenYesNA_a90869e9d...Refresh token from the code exchange response.

Example Request

# Refresh token request
REFRESH_TOKEN=<extract from authorization code token request>
curl --request POST \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'grant_type=refresh_token' \
  --data-urlencode "client_id=$CLIENT_ID" \
  --data-urlencode "refresh_token=$REFRESH_TOKEN" \
  'https://auth.tesla.com/oauth2/v3/token'

Scope Changes

Once a user has granted scopes to an application, they can modify scopes or revoke access using the consent management page:

https://auth.tesla.com/user/revoke/consent?revoke_client_id=$CLIENT_ID&back_url=$RETURN_URL

Scope modifications are compatible with existing refresh tokens and will be applied to new access tokens.