
Developer's Guide to Virtual Keys

A virtual key is a public/private key pair which enables authorization when interacting with a vehicle. The public key must be added to the vehicle by a trusted user and the private key is kept securely on the application's server. Before executing a command or accepting a Fleet Telemetry configuration, the vehicle ensures the payload is signed by a private key whose public key is present on the vehicle.

Design Explanation

The virtual key provides a crucial layer of protection for users. Adding the key to a vehicle requires a trusted user-in-the-loop, preventing even Tesla's backend from accessing these capabilities. This ensures only authorized parties are able to execute commands or access device data through Fleet Telemetry. If at any time the user wishes to revoke access, they can remove the virtual key from the Locks screen.

Setup Steps

Creating a Key Pair

To create a private key, run:

openssl ecparam -name prime256v1 -genkey -noout -out private-key.pem

Then, generate the associated public key.

openssl ec -in private-key.pem -pubout -out public-key.pem

Note: the vehicle only supports prime256v1 keys.

Hosting the Public Key

This public key must remain available at:

https://developer-domain.com/.well-known/appspecific/com.tesla.3p.public-key.pem

Note: private-key.pem needs to be kept secret and should never be hosted on a domain.
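A pre-publish check for the file that will be served at the .well-known path, covering the two notes above (prime256v1 only, never host the private key). This is an added example, not Tesla's code: the function names are hypothetical, the sample key is constructed from the curve's base point, and only the Python standard library is used.

```python
import base64
import re

# Fixed DER header of a SubjectPublicKeyInfo holding an uncompressed prime256v1
# (P-256) point: id-ecPublicKey OID, prime256v1 OID, BIT STRING header.
P256_SPKI_PREFIX = bytes.fromhex("3059301306072a8648ce3d020106082a8648ce3d030107034200")
# NIST P-256 domain parameters for y^2 = x^3 - 3x + b (mod p).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def check_hosted_key(pem_text):
    """Return a list of problems; an empty list means the file is safe to publish."""
    blocks = PEM_RE.findall(pem_text)
    problems = []
    for label, body in blocks:
        if "PRIVATE KEY" in label:
            # Private key material is never decoded, only flagged.
            problems.append(f"contains a {label} block: never host this file")
        elif label == "PUBLIC KEY":
            problems.extend(_check_spki(base64.b64decode("".join(body.split()))))
        else:
            problems.append(f"unexpected PEM block: {label}")
    if sum(label == "PUBLIC KEY" for label, _ in blocks) != 1:
        problems.append("expected exactly one PUBLIC KEY block")
    return problems


def _check_spki(der):
    if len(der) != 91 or not der.startswith(P256_SPKI_PREFIX) or der[26] != 0x04:
        return ["not an uncompressed prime256v1 public key"]
    x, y = int.from_bytes(der[27:59], "big"), int.from_bytes(der[59:91], "big")
    if x >= P or y >= P or (y * y - (x * x * x - 3 * x + B)) % P != 0:
        return ["point is not on the prime256v1 curve"]
    return []


def to_pem(label, der):
    """Wrap DER bytes in PEM armor (used to build the constructed samples)."""
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{lines}\n-----END {label}-----\n"


# Constructed sample: the base point G, i.e. the public key for private scalar 1.
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
SAMPLE_PUBLIC_PEM = to_pem("PUBLIC KEY", P256_SPKI_PREFIX + b"\x04"
                           + GX.to_bytes(32, "big") + GY.to_bytes(32, "big"))
```

In a deployment pipeline, call check_hosted_key on the contents of public-key.pem and fail the release if the returned list is not empty.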

After the public key is publicly accessible, call the Partner Account register endpoint to enroll this key with Tesla.

Adding to a Vehicle

Tesla can add virtual keys to vehicles purchased through the B2B program. Vehicles purchased outside the B2B program do not allow Tesla to remotely add keys. For those vehicles, partners must add the virtual key manually.

To pair a virtual key manually:

  1. Ensure the user has authorized the application and granted the vehicle_device_data, vehicle_cmds, or vehicle_location scopes.
  2. Direct the user to:
https://tesla.com/_ak/*developer-domain.com*

This will allow the user to add the key to their vehicle through the Tesla mobile app.

Removing a Key

To remove a key, the user must navigate to the Locks screen in the vehicle and delete the key. Access can also be revoked remotely by revoking the third-party application's access.

Terminology

  • Virtual key: A virtual key is a public/private key pair used by a developer application to securely communicate with a vehicle.
  • Public key: A cryptographic key used by the vehicle to validate that a payload comes from a trusted source.
  • Private key: A cryptographic key used by the Vehicle Command Proxy to sign payloads sent to the vehicle. The private key must be kept secret to prevent unauthorized access to the vehicle.
  • Signed commands: A signed command is a command (such as unlock door) which is signed by the application's private key. The easiest method to sign commands is through the Vehicle Command Proxy.