Carmiq
- Thread starter gilscales
- Start date
Runebane
Member
It sounds good, but when I started signing up they wanted my Tesla.com's actual login AND password. There were no other options to use instead of that. So I canceled signing up.
silentcorp
Member
Nope, I'm not giving a 3rd party my login information to my car for any reason. There are already a few alternatives out there that have a track record, I'd recommend going with them if you are willing to give up your credentials.
bd7349
Member
Runebane
Member
Pretty much legit companies don't ask for your username and password, especially when you can provide a token instead...
Hey everybody, thanks for your interest in Carmiq. I'm Haydn, one of the co-founders. Of course, user security is a paramount consideration of ours. The authorization process is a standard 'OAuth' that is hosted on Tesla servers. Therefore, we never have access to view/store the Tesla account credentials. When you input your account credentials, we receive the same token that provides temporary and limited access to the account. This is the same process used when you sign up to a site using Facebook or Google. While allowing users to input a token is a possibility, doing so does not actually provide any security advantages and requires users to generate their own token (through a different third-party site).
Many of Carmiq's features rely on individual data from users' Teslas, which is why we require this information to sign up. All vehicle API calls are done through the official Tesla fleet API's, which we have been granted a license to use. Furthermore, all features/data-sharing must be explicitly opted in to by the user. Carmiq will never spam you with ads for services or share your data without your permission.
If anybody has any additional questions, please respond below or direct message me and I'll be happy to answer.
Thanks!
Many of Carmiq's features rely on individual data from users' Teslas, which is why we require this information to sign up. All vehicle API calls are done through the official Tesla fleet API's, which we have been granted a license to use. Furthermore, all features/data-sharing must be explicitly opted in to by the user. Carmiq will never spam you with ads for services or share your data without your permission.
If anybody has any additional questions, please respond below or direct message me and I'll be happy to answer.
Thanks!
That’s very helpful information. I would, however, recommend switching to Tesla’s own authentication window just as Google and even Facebook do when using their login process to obtain a token. It would just be more secure as CARMIQ can never be accused of “holding” the user’s Tesla account password, even if for the brief initial OATH session. It also would give more comfort to those who do not want to - even briefly - hand over their password.
Runebane
Member
Definitely this. Or, let the user get their own token to give you like other Tesla apps do.
Thanks for the feedback. Unfortunately, Tesla has not yet developed its own authentication window yet. However to clarify, allowing users to input their own tokens would not increase security. When somebody enters the credentials on the page, they are saved in local memory until the form is submitted. At that point, it is sent to Tesla which verifies and grants/denies the token. At no point is the information accessible by Carmiq. Therefore, allowing users to input their own token adds friction while creating a misleading narrative that inputting the token is more secure.
sreams
Member
I'm sure that is the case. That said, there is no way for a Tesla owner to know you are doing this apart from taking your word.
You're neglecting the fact that without being allowed to enter their own token, the user feels insecure.
YOU may know that your code doesn't store the user credentials, but the user does not.
YOU may know that your code receives and uses a token, but the user does not.
smatthew
Active Member
Tesla doesn't license their API. All of these 3rd party apps that exist using the API are done so via reverse engineering. Tesla could kill them all at any point.
smatthew
Active Member
So I read the main page for Carmiq but all I interpreted from it was I sign up, I "selectively share my vehicle data" which I just read as you sell my data to who I say you can sell it to. I miss some some great user value somewhere?
Glad to see you are using OAuth for authentication and token. I wouldn't support allow user to upload a token. Insecure....
I signed up about 2 weeks ago. Unsure about the value, yet. May still revoke the tokens if I don't see info worth having. Definitely not there yet, but I'm looking forward to getting range/battery data, so I'm willing to share data to the analysis pool, for now.
Similar threads
