I have not tried this myself (too lazy/am not that concerned about the potential security risks), but someone who has tried it has reported that they have generated a different token for each app they use and it does not invalidate the previously generated tokens. So: For app A, you generate access token A and refresh token A. You hand off access token A to app A. For app B, you generate access token B and refresh token B. You hand off access token B to app B. Now if you decide you want to revoke app A's access, you can use refresh token A to refresh token A. This will break app A, but app B should continue to keep working.
Yes, you are. It looks like you are using a pre-packaged script that is not providing you with the refresh token. If I've followed the thread correctly, you are using Hank's code which has the following section:

    complete: function(response) {
        var reply=JSON.parse(response["responseText"]);
        console.log(reply);
        Cookies.set('token', reply["access_token"]);
        location.reload();
    },

It only retrieves reply["access_token"] but the API also returns reply["refresh_token"], which you would have to modify the code to do something with (such as display it--probably using code similar to this snippet where the token is displayed):

    $("div").html(title+"Token Loaded: <span class=header>"+token+"</span>"+br+br+

Then, you would use that refresh token with a slightly different endpoint in the API (refresh_token) to do the refresh. See: Authentication

You will get a new token/refresh token from this endpoint, and presumably the original one is invalidated at this point. Maybe this would be a worthwhile enhancement for Hank's code.
Thanks @RTPEV. I've updated my Tampermonkey script to now include displaying the refresh token, as well as a new button to submit a Refresh Token request which will invalidate the existing token and generate a new one. The Create date is displayed both in Unix timestamp and local date+time formats. You should be able to simply upgrade the script in the TM console in your browser, or by re-installing here: About | Telsa API Safe Tools: Token Generator, API Query Tool, and Referral Info Retrieval | Userscripts | OpenUserJS
@HankLloydRight Any tips on your script? I installed it but when I go to the address the instructions tell us to go to (https://owner-api.teslamotors.com/oauth/token), I get a "this page doesn't exist"....Is there a new page to go to? If so, you probably need to update that in your instructions as well.
It works here. If you're getting the page below, it just means the script isn't running or is disabled in the TM dashboard. You want to make sure the script is enabled: Also, on the dashboard, make sure you do not have the previous version of the script installed (which is just called "Telsa API Token Generator") -- if you do, just uninstall it.
Hank - thanks for the feedback. I figured it out. I use Greasemonkey for other scripts and (based on your site) thought it would work with this one. Turns out not so much. I installed Tampermonkey and it worked fine!

One question. When I enter in my credentials I get:

Token Loaded: Token
Refresh Token: What looks like a different token
Refresh Token Created: undefined Invalid Date

Then I have 4 buttons:

- Log Out/Delete Token
- Clear all data below (there is nothing below the buttons)
- List all vehicles
- Refresh Token Now

So my questions are:

- What is the "refresh token" field that appears after token loaded?
- I assume log out/delete token deletes all api tokens for the car?
- Refresh token now presumably cancels existing tokens and creates a new one?
No, the "logout/delete token" simply logs your browser out of your account and deletes the token (and refresh token) stored as a browser cookie. It has no effect on the generated/displayed token which is still valid for other purposes. If you logout of my page and delete the browser cookie and then log back in again, you'll get a new token, but the old token will still be valid. If you want to delete all current valid tokens on your account, you would need to change your password on the Tesla website which should immediately expire all tokens.

The way I believe it works is that you:

1. request a new token
2. You get back a 'token' and a 'refresh token'
3. The token is valid for 45 days, you can then use that token on other API driven sites/services (like Teslafi.com)
4. If you want to expire that token (not all tokens), then you can click the "refresh token" button which will expire only that current token and give you a new token and refresh token good for another 45 days.

No, it only cancels the existing token paired with its refresh token and then generates a new pair.
You only use the refresh token if you have the tools to use the API. Every time you 'request a token' it returns an 'access token' (to give sites and apps access to the API for your car) and a 'refresh token'. The thing is, the 'access token' automatically expires after 45 days. But sites like TeslaFi.com can use the paired 'refresh token' to automatically request a new 'access token' for you when the old one expires. But it needs the 'refresh token' to do so. As a regular owner or user, you don't have any need for the refresh token unless you also have the ability to make calls to the Tesla API. For instance, if you're running your own API code, and for some reason someone gains access to your 'access token' (which means they can locate and control your car), you can immediately expire that token by requesting a new 'access token' using its paired 'refresh token'. Or if you want to grant access to someone to your car for a short period of time without giving them your Tesla.com login credentials, you can generate a new token, give it to them, and then you have control when to expire their token and access. Hope that's clear.
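An added example, not part of the thread and not taken from Hank's script: a reply handler that keeps both tokens of a pair, derives the 45-day expiry, and reports a missing creation timestamp as unknown rather than showing "undefined Invalid Date". The `created_at` and `expires_in` field names, the `client_id`/`client_secret` parameters and all sample values are assumptions or constructed placeholders.

```javascript
// Added example. access_token / refresh_token are the fields named in the
// thread; created_at and expires_in are assumed field names.
const DAY = 86400; // seconds in a day

// Validate a token reply and derive the dates a UI would display.
function parseTokenReply(responseText) {
  let reply;
  try {
    reply = JSON.parse(responseText);
  } catch (e) {
    throw new Error("token reply is not JSON");
  }
  for (const key of ["access_token", "refresh_token"]) {
    if (typeof reply[key] !== "string" || reply[key] === "") {
      throw new Error("token reply is missing " + key);
    }
  }
  // A missing timestamp is what renders as "undefined / Invalid Date",
  // so carry it as null instead of formatting it.
  const created = Number.isFinite(reply.created_at) ? reply.created_at : null;
  const life = Number.isFinite(reply.expires_in) ? reply.expires_in : null;
  const expires = created !== null && life !== null ? created + life : null;
  return {
    accessToken: reply.access_token,   // handed to the app or service
    refreshToken: reply.refresh_token, // kept by the owner to rotate this pair
    createdAt: created === null ? null : new Date(created * 1000),
    expiresAt: expires === null ? null : new Date(expires * 1000),
    lifetimeDays: life === null ? null : life / DAY,
  };
}

// Form body for the refresh call on one pair (parameter names assumed).
function buildRefreshBody(pair, clientId, clientSecret) {
  return new URLSearchParams({
    grant_type: "refresh_token",
    client_id: clientId,
    client_secret: clientSecret,
    refresh_token: pair.refreshToken,
  }).toString();
}

// Constructed sample replies (placeholder strings, not real tokens).
const sampleA = JSON.stringify({ access_token: "ACCESS-A",
  refresh_token: "REFRESH-A", created_at: 1600000000, expires_in: 45 * DAY });
const sampleNoDate = JSON.stringify({ access_token: "ACCESS-B",
  refresh_token: "REFRESH-B" });

console.log(parseTokenReply(sampleA).expiresAt.toISOString());
console.log(parseTokenReply(sampleNoDate).createdAt);
```
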
I don't know for sure, but I just set up 2FA on my Tesla account, and my api-token-generator script still works fine. Also, I can log into the Tesla App on my phone without prompting for 2FA. Looks like from here 2FA only is applied when logging into the website. Odd.
That is strange as I thought the app required 2FA as well not just the website. I will have to try your token generator script again as it was failing when I tried last time. I know teslafi requires the 2FA code in order for it to regenerate the token. Would assume the same for any token generating script for which a user has 2FA applied.
I just tried it again, and the token script works without triggering 2FA, as does logging into the mobile app. But 2FA is triggered when logging into the website. So for whatever reason, YMMV.
Hi Hank, Will you update the script to handle the new process that Tesla has started to use? https://tesla-api.timdorr.com/api-basics/authentication BR, Tom