All,

While testing app functionality on 2.12.126, I noticed there were changes made to the API that can allow you to bypass the password requirement of Keyless Start, requiring only the token. Before .126, driving away in the car required a secondary authentication: your Tesla password (or fingerprint in the case of Remote S). That's no longer the case under certain circumstances I've identified.

Of course, you still need to use your login and password to generate a token. This concerns you only if you're thinking about giving your generated token to a 3rd party. If you have any concerns, you can change your password on Tesla's official site to generate a new token.

I don't believe there is a risk here if 3rd party developers use proper security procedures, but the API behavior did change, so I wanted to let everyone know. My concern is that a lazy/inexperienced/malicious 3rd party could request your token. If someone gains access to your token, they can identify your exact location (via GPS), open your garage door, and perform a workaround "Keyless Start."

I've already notified Tesla (and submitted it via Bugcrowd) if they feel like it's necessary to modify the way their API works.

To be clear, there is NO risk at all if you have not given your token to a 3rd party or the 3rd party is using good security policies.

Special thanks to Allen (Remote S developer) for additional information about it. And, also of note, Remote S is NOT at risk as it uses Apple's secure Keychain to protect your token.

NOTE: I'm specifically not mentioning the exact method of performing this workaround until Tesla has enough time to respond. For all I know, they may be aware and not think it's necessary to change.