
Tesla API Token Generator

Discussion in 'Model S' started by MarcusMaximus, Jan 6, 2017.

  1. RTPEV

    RTPEV Member

    Joined:
    Mar 21, 2016
    Messages:
    804
    Location:
    Durham, NC
    I have not tried this myself (too lazy/am not that concerned about the potential security risks), but someone who has tried it has reported that they have generated a different token for each app they use and it does not invalidate the previously generated tokens.

    So:

    For app A, you generate access token A and refresh token A. You hand off access token A to app A.
    For app B, you generate access token B and refresh token B. You hand off access token B to app B.

    Now if you decide you want to revoke app A's access, you can use refresh token A to refresh token A. This will break app A, but app B should continue to keep working.
     
    • Informative x 1
  2. Ostrichsak

    Ostrichsak Active Member

    Joined:
    Sep 6, 2018
    Messages:
    3,178
    Location:
    Colorado, USA
    Access token and refresh token? Am I missing something here as I'm only getting a single token.
     
  3. RTPEV

    RTPEV Member

    Joined:
    Mar 21, 2016
    Messages:
    804
    Location:
    Durham, NC
    Yes, you are. It looks like you are using a pre-packaged script that is not providing you with the refresh token. If I've followed the thread correctly, you are using Hank's code which has the following section:

    complete: function(response) {
        var reply = JSON.parse(response["responseText"]);
        console.log(reply);
        Cookies.set('token', reply["access_token"]);
        location.reload();
    },


    It only retrieves reply["access_token"] but the API also returns reply["refresh_token"], which you would have to modify the code to do something with (such as display it--probably using code similar to this snippet where the token is displayed:

    $("div").html(title+"Token Loaded: <span class=header>"+token+"</span>"+br+br+

    Then, you would use that refresh token with a slightly different endpoint in the API (refresh_token) to do the refresh. See: Authentication

    You will get a new token/refresh token from this endpoint, and presumably the original one is invalidated at this point. Maybe this would be a worthwhile enhancement for Hank's code.
     
    • Informative x 1
    • Like x 1
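    Added example, not code from the thread or from Hank's script: one way to handle the token reply so that the refresh token is kept alongside the access token, and so that full token values are never written to the console or the page. The `created_at` and `expires_in` field names and the function names are assumptions; the sample reply is constructed.

```javascript
// Show only the tail of a secret so it can be displayed or logged safely.
function redact(secret) {
  return secret.length <= 8 ? "****" : "..." + secret.slice(-4);
}

// Parse the body of a token reply and derive creation and expiry times.
function parseTokenReply(responseText) {
  const reply = JSON.parse(responseText);
  for (const field of ["access_token", "refresh_token"]) {
    if (typeof reply[field] !== "string" || reply[field] === "") {
      throw new Error("token reply is missing " + field);
    }
  }
  // Assumption: created_at is a Unix timestamp in seconds and expires_in a
  // lifetime in seconds. JavaScript Date expects milliseconds.
  const hasTimes = Number.isFinite(reply.created_at) && Number.isFinite(reply.expires_in);
  const createdAt = hasTimes ? new Date(reply.created_at * 1000) : null;
  const expiresAt = hasTimes ? new Date((reply.created_at + reply.expires_in) * 1000) : null;
  return { accessToken: reply.access_token, refreshToken: reply.refresh_token, createdAt, expiresAt };
}

// Build a display line without exposing full token values.
function describe(tokens) {
  const created = tokens.createdAt ? tokens.createdAt.toISOString() : "unknown";
  const expires = tokens.expiresAt ? tokens.expiresAt.toISOString() : "unknown";
  return `access ${redact(tokens.accessToken)}, refresh ${redact(tokens.refreshToken)}, ` +
         `created ${created}, expires ${expires}`;
}

// Constructed sample reply; the token values are placeholders, not real tokens.
const SAMPLE_REPLY = JSON.stringify({
  access_token: "ACCESS-TOKEN-PLACEHOLDER-0001",
  refresh_token: "REFRESH-TOKEN-PLACEHOLDER-0002",
  created_at: 1594400000,
  expires_in: 45 * 24 * 60 * 60, // 45 days, the lifetime quoted in the thread
});

console.log(describe(parseTokenReply(SAMPLE_REPLY)));
```
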
  4. HankLloydRight

    HankLloydRight No Roads

    Joined:
    Jan 18, 2014
    Messages:
    12,795
    Location:
    Connecticut
    I will make that change tomorrow! Thank you.
     
    • Like x 1
  5. HankLloydRight

    HankLloydRight No Roads

    Joined:
    Jan 18, 2014
    Messages:
    12,795
    Location:
    Connecticut
    Thanks @RTPEV. I've updated my Tampermonkey script to now include displaying the refresh token, as well as a new button to submit a Refresh Token request which will invalidate the existing token and generate a new one. The Create date is displayed both in Unix timestamp and local date+time formats.

    You should be able to simply upgrade the script in the TM console in your browser, or by re-installing here: About | Telsa API Safe Tools: Token Generator, API Query Tool, and Referral Info Retrieval | Userscripts | OpenUserJS
     
    • Like x 1
  6. drklain

    drklain Active Member

    Joined:
    Dec 17, 2016
    Messages:
    1,039
    Location:
    Scottsdale, AZ/Fairfax, VA/Brussels, BE
    @HankLloydRight Any tips on your script? I installed it but when I go to the address the instructions tell us to go to (https://owner-api.teslamotors.com/oauth/token), I get a "this page doesn't exist"....Is there a new page to go to? If so, you probably need to update that in your instructions as well.
     
  7. HankLloydRight

    HankLloydRight No Roads

    Joined:
    Jan 18, 2014
    Messages:
    12,795
    Location:
    Connecticut
    #87 HankLloydRight, Jul 10, 2020
    Last edited: Jul 10, 2020
    It works here. If you're getting the page below, it just means the script isn't running or is disabled in the TM dashboard. You want to make sure the script is enabled:

    upload_2020-7-10_19-45-42.png

    Also, on the dashboard, make sure you do not have the previous version of the script installed (which is just called "Telsa API Token Generator") -- if you do, just uninstall it.


    upload_2020-7-10_19-45-22.png
     
  8. drklain

    drklain Active Member

    Joined:
    Dec 17, 2016
    Messages:
    1,039
    Location:
    Scottsdale, AZ/Fairfax, VA/Brussels, BE
    Hank - thanks for the feedback. I figured it out. I use Greasemonkey for other scripts and (based on your site) thought it would work with this one. Turns out not so much. I installed tampermonkey and it worked fine!

    One question. When I enter in my credentials I get:
    Token Loaded: Token
    Refresh Token: What looks like a different token
    Refresh Token Created: undefined Invalid Date

    Then I have 4 buttons:
    - Log Out/Delete Token
    - Clear all data below (there is nothing below the buttons)
    - List all vehicles
    - Refresh Token Now

    So my questions are:
    What is the "refresh token" field that appears after token loaded?
    I assume log out/delete token deletes all api tokens for the car?
    Refresh token now presumably cancels existing tokens and creates a new one?
     
  9. HankLloydRight

    HankLloydRight No Roads

    Joined:
    Jan 18, 2014
    Messages:
    12,795
    Location:
    Connecticut
    No, the "logout/delete token" simply logs your browser out of your account and deletes the token (and refresh token) stored as a browser cookie. It has no effect on the generated/displayed token which is still valid for other purposes. If you log out of my page and delete the browser cookie and then log back in again, you'll get a new token, but the old token will still be valid. If you want to delete all current valid tokens on your account, you would need to change your password on the Tesla website which should immediately expire all tokens.

    The way I believe it works is that you:

    1. request a new token
    2. You get back a 'token' and a 'refresh token'
    3. The token is valid for 45 days, you can then use that token on other API driven sites/services (like Teslafi.com)
    4. If you want to expire that token (not all tokens), then you can click the "refresh token" button which will expire only that current token and give you a new token and refresh token good for another 45 days.

    No, it only cancels the existing token paired with its refresh token and then generates a new pair.
     
  10. drklain

    drklain Active Member

    Joined:
    Dec 17, 2016
    Messages:
    1,039
    Location:
    Scottsdale, AZ/Fairfax, VA/Brussels, BE
  11. Klaus

    Klaus Member

    Joined:
    Apr 20, 2013
    Messages:
    511
    I still don’t understand what the refresh token is for. When and how would you use it?
     
  12. HankLloydRight

    HankLloydRight No Roads

    Joined:
    Jan 18, 2014
    Messages:
    12,795
    Location:
    Connecticut
    You only use the refresh token if you have the tools to use the API. Every time you 'request a token' it returns an 'access token' (to give sites and apps access to the API for your car) and a 'refresh token'. The thing is, the 'access token' automatically expires after 45 days. But sites like TeslaFi.com can use the paired 'refresh token' to automatically request a new 'access token' for you when the old one expires. But it needs the 'refresh token' to do so.

    As a regular owner or user, you don't have any need for the refresh token unless you also have the ability to make calls to the Tesla API. For instance, if you're running your own API code, and for some reason someone gains access to your 'access token' (which means they can locate and control your car), you can immediately expire that token by requesting a new 'access token' using its paired 'refresh token'. Or if you want to grant access to someone to your car for a short period of time without giving them your Tesla.com login credentials, you can generate a new token, give it to them, and then you have control when to expire their token and access.

    Hope that's clear.
     
    • Helpful x 1
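    Added example, not Tesla's server logic and not code from the thread: a small in-memory model of the token behaviour the posters describe, with one independent pair per app, a refresh that rotates only its own pair, a 45-day lifetime, and a password change that expires everything. The class and method names are hypothetical, and the token values and clock are constructed.

```javascript
// In-memory model of the token lifecycle described in the thread (hypothetical names).
const LIFETIME_S = 45 * 24 * 60 * 60; // 45-day access token lifetime from the thread

class TokenIssuer {
  constructor() {
    this.counter = 0;
    this.pairs = new Map();     // access token -> expiry (Unix seconds)
    this.byRefresh = new Map(); // refresh token -> paired access token
  }
  // Placeholder token values; a real issuer would use unguessable random strings.
  issue(now) {
    const id = ++this.counter;
    const pair = { access: `access-${id}`, refresh: `refresh-${id}` };
    this.pairs.set(pair.access, now + LIFETIME_S);
    this.byRefresh.set(pair.refresh, pair.access);
    return pair; // earlier pairs are left untouched
  }
  // Refresh rotates one pair: only its own access token stops working.
  rotate(refreshToken, now) {
    const oldAccess = this.byRefresh.get(refreshToken);
    if (oldAccess === undefined) throw new Error("unknown or already used refresh token");
    this.byRefresh.delete(refreshToken);
    this.pairs.delete(oldAccess);
    return this.issue(now);
  }
  // Password change drops every outstanding pair.
  changePassword() {
    this.pairs.clear();
    this.byRefresh.clear();
  }
  isValid(access, now) {
    const expiresAt = this.pairs.get(access);
    return expiresAt !== undefined && now < expiresAt;
  }
}
// The app A / app B scenario from the thread, on a constructed clock.
function scenario() {
  const issuer = new TokenIssuer();
  const t0 = 1594400000;
  const a = issuer.issue(t0);
  const b = issuer.issue(t0);
  const a2 = issuer.rotate(a.refresh, t0 + 60); // revoke app A only
  const afterRotate = [a, b, a2].map((p) => issuer.isValid(p.access, t0 + 61));
  const bAtExpiry = issuer.isValid(b.access, t0 + LIFETIME_S);
  issuer.changePassword();
  const afterPassword = [b, a2].map((p) => issuer.isValid(p.access, t0 + 62));
  return { afterRotate, bAtExpiry, afterPassword };
}
console.log(scenario());
```
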
  13. Klaus

    Klaus Member

    Joined:
    Apr 20, 2013
    Messages:
    511
    Thanks, Hank! Very clear.
     
  14. cherrybomb

    cherrybomb Member

    Joined:
    Jun 26, 2019
    Messages:
    53
    Location:
    New York
    @HankLloydRight Out of curiosity does your script take into account 2FA?
     
  15. HankLloydRight

    HankLloydRight No Roads

    Joined:
    Jan 18, 2014
    Messages:
    12,795
    Location:
    Connecticut
    Not at this point, but I’ll test it out tomorrow.
     
  16. cherrybomb

    cherrybomb Member

    Joined:
    Jun 26, 2019
    Messages:
    53
    Location:
    New York
    Thank you. That would be a great help for those of us who have enabled 2FA.
     
  17. HankLloydRight

    HankLloydRight No Roads

    Joined:
    Jan 18, 2014
    Messages:
    12,795
    Location:
    Connecticut
    I don't know for sure, but I just set up 2FA on my Tesla account, and my api-token-generator script still works fine.
    Also, I can log into the Tesla App on my phone without prompting for 2FA.
    Looks like from here 2FA only is applied when logging into the website. Odd.
     
  18. cherrybomb

    cherrybomb Member

    Joined:
    Jun 26, 2019
    Messages:
    53
    Location:
    New York
    That is strange as I thought the app required 2FA as well not just the website. I will have to try your token generator script again as it was failing when I tried last time. I know teslafi requires the 2FA code in order for it to regenerate the token. Would assume the same for any token generating script for which a user has 2FA applied.
     
  19. HankLloydRight

    HankLloydRight No Roads

    Joined:
    Jan 18, 2014
    Messages:
    12,795
    Location:
    Connecticut
    I just tried it again, and the token script works without triggering 2FA, as does logging into the mobile app. But 2FA is triggered when logging into the website. So for whatever reason, YMMV.
     
  20. midtboell

    midtboell New Member

    Joined:
    Feb 2, 2021
    Messages:
    1
    Location:
    Europe
    Hi Hank,
    Will you update the script to handle the new process that Tesla has started to use?
    https://tesla-api.timdorr.com/api-basics/authentication
    BR,
    Tom
     
