
Tesla API Token Generator

I'm using the curl statement but getting the following response:

Code:
{"response":"authorization_required_for_txid_``"}

I'm using:

Code:
curl -X POST -H "Cache-Control: no-cache" -H "Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW" -F "grant_type=password" -F "client_id=e4a9949fcfa04068f59abb5a658f2bac0a3428e4652315490b659d5ab3f35a9e" -F "client_secret=c75f14bbadc8bee3a7594412c31416f8300256d7668ea7e6e7f06727bfb9d220" -F "email=USER_YOUR_EMAIL" -F "password=USER_YOUR_PASSWORD" "https://owner-api.teslamotors.com/oauth/token"
 
Ok, I've just added some new enhancements to my secure Tesla API Token Generator

To recap, you can generate an API token using my script and only sending your credentials directly to Tesla. No middleman. No variables to set up. No script editing. No command line. Just a few clicks to install the script. Works in any modern browser.

See my original post for simple install directions here: Post #47

I've now added the ability to view/download all your referral information that you can see in the Loot Box, but here you can get access to it all in a web page without using the mobile app or the TESLA ACCOUNT page. Includes order date, delivery date, and name of each referrer.

I've also added the ability to load/display your 'Loot Box' just like it is displayed in the mobile app.

The script also can download all the information for any vehicles linked to your car. A quick and dirty way to check /api/1/vehicles and /data.

If you've already installed the script, just go to your Tampermonkey Dashboard and click on the "Last Updated" column to install the latest version:



That's it. Then all you need to do is go to Tesla's own website to get started: https://owner-api.teslamotors.com/oauth/token

 
Well, here's another solution that doesn't run on anyone's server, so no uploading your credentials or security concerns.

It doesn't require Python, Ruby, CURL, PHP, Postman, or using a command line in OSX or Linux.

It only requires the well-known browser plugin Tampermonkey for Chrome or Firefox (see: Tampermonkey), and my one-line script available here:

About | Telsa API Token Generator | Userscripts | OpenUserJS

Once you install Tampermonkey, and install my script above (one click), just go to this Tesla API URL in your browser:

https://owner-api.teslamotors.com/oauth/token

The script will add a form to enter your credentials, and from the same Teslamotors.com domain, submit your credentials to the API and return the JSON with your token.

Cool Tampermonkey plugin! I did notice that it thinks there are errors in syntax for the $ in the code. (Along with using some dot notation and cookie not being defined.) Using 4.8.41 of TamperMonkey.
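
The posts above say the script submits credentials only to Tesla, from Tesla's own domain. As an added example (not the script from this thread and not its author's code), the code below reads a userscript's Tampermonkey metadata block and lists the headers that would let it run on, or reach, other hosts. Both sample scripts are constructed, and `parseMetadata` and `auditUserscript` are hypothetical names.

```javascript
// Constructed samples for illustration; neither is the script from this thread.
const SAMPLE_SCRIPT = `// ==UserScript==
// @name     Example token form (constructed sample)
// @match    https://owner-api.teslamotors.com/oauth/token
// @grant    none
// ==/UserScript==`;
const RISKY_SCRIPT = `// ==UserScript==
// @name     Example with extra reach (constructed sample)
// @include  *
// @require  https://cdn.example.invalid/lib.js
// @grant    GM_xmlhttpRequest
// @connect  collector.example.invalid
// ==/UserScript==`;

// Collect every "// @key value" line of the metadata block into key -> [values].
function parseMetadata(source) {
  const block = source.match(/\/\/ ==UserScript==([\s\S]*?)\/\/ ==\/UserScript==/);
  if (!block) return null;
  const meta = Object.create(null);
  for (const line of block[1].split("\n")) {
    const m = line.match(/^\s*\/\/\s*@(\S+)\s*(.*?)\s*$/);
    if (m) (meta[m[1]] = meta[m[1]] || []).push(m[2]);
  }
  return meta;
}

// Report anything that lets the script run on, or talk to, hosts other than expectedHost.
function auditUserscript(source, expectedHost) {
  const meta = parseMetadata(source);
  if (!meta) return ["no metadata block found"];
  const findings = [];
  const pages = [...(meta.match || []), ...(meta.include || [])];
  if (pages.length === 0) findings.push("no @match/@include: check where it runs");
  for (const p of pages) {
    let host = null;
    try { host = new URL(p).hostname; } catch { /* a pattern such as "*" is not a URL */ }
    if (host !== expectedHost) findings.push(`runs on pages outside ${expectedHost}: ${p}`);
  }
  for (const g of meta.grant || []) {
    if (/xmlhttprequest/i.test(g)) findings.push(`cross-origin request API granted: ${g}`);
  }
  for (const c of meta.connect || []) {
    if (c !== expectedHost) findings.push(`may connect to other host: ${c}`);
  }
  for (const r of meta.require || []) findings.push(`loads external code: ${r}`);
  return findings;
}

console.log(auditUserscript(RISKY_SCRIPT, "owner-api.teslamotors.com"));
```

An empty result only covers what the metadata block declares; the script body still has to be read for `fetch`, `XMLHttpRequest` or form submissions aimed at other origins.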
 
I'm pretty sure if you change your Tesla Account password, it instantly invalidates all tokens.
Bump query. Two cars, two drivers, two phones—I’d rather not change passwords as often as I might want to revoke an access code.
Trying to use iOS Shortcuts to execute revoke without success. Getting an access code works fine. Any tips on syntax?
 
My curl command that worked (I think) had:

-F "token=$access_token" "https://owner-api.teslamotors.com/oauth/revoke"

What are you trying?

EDIT: Hmm... I can't remember if that worked or an iOS shortcut that required a further tweak.

I do remember there being some small difference vs what the API 'docs' said online.

EDIT2: I think maybe the API docs didn't mention you having to include the normal auth header, but you do (or vice versa)

-H "Authorization: Bearer $access_token" -F "token=$access_token" "https://owner-api.teslamotors.com/oauth/revoke"

?? ... nah, I think it was the form data part I had to add to get it to work, I was always including auth ??

LOL. Once you get it to work post back!
 
Well, here's another solution that doesn't run on anyone's server, so no uploading your credentials or security concerns.

It doesn't require Python, Ruby, CURL, PHP, Postman, or using a command line in OSX or Linux.

It only requires the well-known browser plugin Tampermonkey for Chrome or Firefox (see: Tampermonkey), and my one-line script available here:

About | Telsa API Token Generator | Userscripts | OpenUserJS

Once you install Tampermonkey, and install my script above (one click), just go to this Tesla API URL in your browser:

https://owner-api.teslamotors.com/oauth/token

The script will add a form to enter your credentials, and from the same Teslamotors.com domain, submit your credentials to the API and return the JSON with your token.
For me, this was the easiest and most secure of all methods posted. Thanks.

I noticed when generating an API token that there was an option to "Log Out/Delete Token" and I'm wondering if there's an easy way to do this down the road at any point w/o changing my Tesla.com password? Say I want to revoke access to that one single API token w/o revoking others or needing to change my password. Is there a way to access this option in the future to either list tokens and what device/application they've been used to access & select which ones to revoke or (at minimum) a way to manually enter a token that you've saved elsewhere in your own list and revoke its access privileges?
 
Doesn't Tesla make you change the password anyway periodically? I just use my Apple built-in password manager. Whenever I am unhappy with an app I connected to my TM3 I just reset it and update it in the Tesla app and TezLab and I put the token in EV-FW.com. Then I know where I am at.

Though I tend to forget to update my wife's phone.

Would have been nice if I had done that before realizing I left my phone in the car when we were on a hike this week. Could have locked the car from her phone remotely instead of just hoping the car was still there when we got back... Apple needs to update the password manager for everyone in the family or at least give me access from my Watch.
 
For me, this was the easiest and most secure of all methods posted. Thanks.

You're welcome!

I noticed when generating an API token that there was an option to "Log Out/Delete Token" and I'm wondering if there's an easy way to do this down the road at any point w/o changing my Tesla.com password? Say I want to revoke access to that one single API token w/o revoking others or needing to change my password. Is there a way to access this option in the future to either list tokens and what device/application they've been used to access & select which ones to revoke or (at minimum) a way to manually enter a token that you've saved elsewhere in your own list and revoke its access privileges?

I'm not 100% certain, but I do not think there's any way to invalidate a specific token, only that all current tokens are expired when you change your password. If there is, someone please show us how.
 
Use the refresh token received when you got your access token to refresh your token.

This should invalidate the original access token.
So that means if I have multiple apps I want a token for I use the same API token for each one. Getting a new token will revoke the previous one so I'd need to use that new token in all apps I previously had a token for, right?