by spullara 2561 days ago
The problem with doing this with Teslas, as I have had one for years and thought about building this, is trusting someone else to hold your credentials for your car. There is no authorization scoping and anyone with the credentials can find the car, unlock it, get in and drive it away. Also, plenty of mischief as well like opening the sun roof, the trunks, flashing the lights and honking the horn. I wish they had proper OAuth with scopes that could support use cases like this one.
3 comments

Passage AI is using Smartcar.com (disclosure: my company) to build TeslaBot. We do the work facilitating OAuth2 and permission scopes so that developers do not need to handle usernames or passwords.
So now you need to trust Smartcar.com and Teslabot. This makes it even worse while not addressing any of the concerns.
However, Tesla doesn’t provide a way to grant a token to a 3rd party, so you (your application) would still need my Tesla account credentials. How are you solving this?
Until Tesla provides auth scopes, they can't solve it. They can only proxy Tesla's API and build scoping on top of it.
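
Added example, not part of the thread and not Smartcar's or any commenter's code: a minimal sketch of "scoping on top of a proxy", where the proxy keeps the owner's full-access credential and hands third-party apps only signed, expiring tokens limited to named scopes. The command names, scope names and the `upstream` callable are assumptions made for illustration; as the comments above point out, the proxy itself still holds the unscoped credential.

```python
import base64, hashlib, hmac, json, time

# Hypothetical command and scope names, built from the actions named in the
# thread. They are not Tesla's or Smartcar's real identifiers.
SCOPE_FOR_COMMAND = {
    "locate": "read_location",
    "unlock": "control_security",
    "open_trunk": "control_security",
    "open_sunroof": "control_body",
    "flash_lights": "control_alerts",
    "honk_horn": "control_alerts",
}

class ScopingProxy:
    """Holds the owner's unscoped credential; apps only ever see scoped tokens."""

    def __init__(self, signing_key, upstream):
        self._key = signing_key    # secret known only to the proxy
        self._upstream = upstream  # callable that uses the full-access credential

    def _sign(self, body):
        return hmac.new(self._key, body, hashlib.sha256).hexdigest()

    def issue_token(self, app, scopes, ttl=3600, now=None):
        now = time.time() if now is None else now
        claims = {"app": app, "scopes": sorted(scopes), "exp": now + ttl}
        body = json.dumps(claims, sort_keys=True).encode()
        return base64.urlsafe_b64encode(body).decode() + "." + self._sign(body)

    def call(self, token, command, now=None):
        now = time.time() if now is None else now
        try:
            b64, sig = token.split(".")
            body = base64.urlsafe_b64decode(b64)
        except ValueError:
            return 401, "malformed token"
        # Verify the signature before trusting anything inside the token.
        if not hmac.compare_digest(sig.encode(), self._sign(body).encode()):
            return 401, "bad signature"
        claims = json.loads(body)
        if now >= claims["exp"]:
            return 401, "expired"
        # Deny by default: unknown commands and missing scopes are both refused.
        needed = SCOPE_FOR_COMMAND.get(command)
        if needed is None or needed not in claims["scopes"]:
            return 403, "scope denied"
        return 200, self._upstream(command)
```
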
I guess I am confused. I use ValetforTesla, granted it runs on my Mac, but I do not give anything other than a token generated through an API call via a script, npx generate-tesla-token [1], after an NPM install through terminal. So yeah, it's not official, but it's open enough to know what it does.

There are sites out there which claim security to generate tokens for you but I am not going to even begin to suggest them.

[1] https://github.com/ELLIOTTCABLE/generate-tesla-token

As long as you are running the software yourself then you are the only responsible party. (assuming they don't just send your credential to their server :) )
Looks pretty slick.

On another matter... how's the Otonomo C&D working out?

> anyone with the credentials can find the car, unlock it, get in and drive it away

While the first three are true, you can't actually drive the car without an authorized key. Adding a new authorized key requires an existing authorized key. However, if you have a Model 3 and keep a valet key card in your car, then yeah anyone who can unlock your car can also drive it.

You can definitely drive my Model S with only the credentials. I have been in a situation where I had to install the app on a new phone then unlock it and drive away. Model 3 may be different but I don't think it is.
I don't think that's true? You can enable keyless driving with just Tesla account credentials.
You still need some sort of authentication before the vehicle will let you switch into drive. In a Model 3, those options are either an authenticated smartphone, a key card, or a key fob. You cannot enroll any of those three keys without having an authenticated key present.
I do not believe this is true. You can start the car with just the account credentials. You will have two minutes to start driving, as the GP states; it’s called keyless driving mode. I’m pretty sure, as I have used it when my phone broke and started the car with an unpaired iPad. You need a key fob or key card to add a new paired key/phone; a paired smartphone doesn't work for that.
I would take this comment a step further.

Why should anyone have credentials for my car, including the car manufacturer?