I downloaded ChargeHQ, but before I signed in with my Tesla account I emailed them to ask what security measures they have in place to prevent my Tesla account being hacked via the API interface. There was a report recently where a hacker showed how easy it was to access the Tesla App functions via a hacked password. I asked a week ago and haven't received a reply yet.
From what I’ve read, these Apps or services require you to log in once with your Tesla credentials (email address and password), and they do not store those credentials, since the authentication is done in real time directly with the Tesla auth server.
That authentication returns two tokens - an access token and a refresh token - and these are stored by the App or service. The access token is valid for 8 hours from creation, and provides access to all vehicle and Powerwall controls offered though the Tesla API. The third-party app or service needs that access in order to do what they do.
The refresh token has no expiry and is used to generate new access tokens after each one expires.
So while these third-party players can tell you with 100% honesty that they don’t store your Tesla login details, it somewhat avoids the question, because the tokens they do store provide them with all the control they need as if they did have your login credentials. A bad actor could use those tokens to control your car without your consent, for example, in perpetuity. They just keep using the refresh token to generate new access tokens.
The protection you do have is that a bad actor couldn’t change your Telsa password or access your Tesla account, which they could do if they stored your login details and not just the tokens. The tokens only allow API access. And if you change your Tesla password, any previously issued API tokens are invalidated, preventing any further unauthorised control. You’d need to log in again to use any of these third party services.