Hence I've always felt a little wary about all these 3rd party apps that people grant explicit access to. Tesla issue a refresh token that doesn't expire and a normal use API token that does quite quickly as you suggest. The problem is the refresh token can generate a new API token via one extra step, so all these websites/apps etc like TeslaMate, TeslaFi etc use the refresh token to just keep creating new API tokens whenever they need them, making the expiry pretty pointless.
I don't value the data or utility that they offer enough to do it. Not because I think the authors have bad intentions necessarily, but because they're human and we all make mistakes. Risk vs reward.
I get it's a bit 'lazy', but I think this just makes it easier for Tesla to manage, and can remove a bad actor's access to their refresh token if needed.
That said, 'what we don't know can't hurt us'?