Tesla Developer API Guide: HTTP-Proxy Server Integration (Part 4)

Tesla made the Vehicle Commands API publicly accessible around October 2023. At the initial launch, these APIs could be consumed directly, with only the OAuth tokens needed to pass commands to the vehicles. About a month later, Tesla announced that the APIs would be deprecated in favor of the vehicle command SDK, which uses an HTTP proxy server to forward the commands to the vehicle. Tesla is moving towards a more secure way of passing commands to the car than validating the OAuth tokens alone.

I drew the high-level architectural design to send commands to the Tesla vehicle.

Tesla Http-Proxy Server Implementation

Let us walk through setting up the HTTP proxy server in a local environment, up to end-to-end testing of the vehicle commands.

Pre-Requisites –

1) Golang is already installed
2) Public and private keys generated while registering the third-party app at the Tesla portal are available
3) A valid Tesla user credential to generate the access token
4) Vehicle command SDK checked out from GitHub: https://github.com/teslamotors/vehicle-command/tree/main/cmd/tesla-control

Step 1 ::
Navigate to the folder where you want to create the TLS server certificate needed by the HTTP proxy server

Use the command below to create the private key and the self-signed TLS certificate –

openssl req -x509 -nodes -newkey ec \
-pkeyopt ec_paramgen_curve:secp521r1 \
-pkeyopt ec_param_enc:named_curve \
-subj '/CN=localhost' \
-keyout key.pem -out cert.pem -sha256 -days 3650 \
-addext "extendedKeyUsage = serverAuth" \
-addext "keyUsage = digitalSignature, keyCertSign, keyAgreement"

key.pem is the private key file.
cert.pem is the TLS certificate chain file.

Step 2 ::
a) Navigate to the 'tesla-http-proxy' folder in your terminal
b) Use the below command to build the proxy server

go build

Step 3 ::
Start the HTTP proxy server using the following sample command

./tesla-http-proxy \
-tls-key /Users/shankarkumarasamy/Desktop/Tesla/tls-key-server-keys/key.pem \
-key-file /Users/shankarkumarasamy/Desktop/Tesla/tesla-app-registragtion-keys/private.pem \
-cert /Users/shankarkumarasamy/Desktop/Tesla/tls-key-server-keys/cert.pem \
-port 4443 -verbose

Do not listen on a network interface without adding client authentication. Unauthorized clients may be used to create excessive traffic from your IP address to Tesla’s servers, which Tesla may respond to by rate limiting or blocking your connections.

Options:
Required parameters –
-tls-key {path_to_the_file}
Server TLS private key file. This is generated in the above step (key.pem)
-key-file {path_to_the_file}
A file containing the private key. This is the private key generated while registering the third-party app with Tesla
-cert {path_to_the_file}
TLS certificate chain file with concatenated server, intermediate CA, and root CA certificates. This is generated in the above step (cert.pem)
-port {optional_port_number}
Port to listen on (default 443). For testing purposes use port 4443

Optional parameters –
-domain value
Domains to connect to (can be repeated; omit for all)
-host hostname
Proxy server hostname (default "localhost")
-key-name name
System keyring name for private key. Defaults to $TESLA_KEY_NAME.
-keyring-debug
Enable keyring debug logging
-keyring-file-dir directory
Keyring directory for file-backed keyring types (default "~/.tesla_keys")
-keyring-type type
Keyring type (file|keychain|pass). Defaults to $TESLA_KEYRING_TYPE.
-session-cache file
Load session info cache from file. Defaults to $TESLA_CACHE_FILE.
-verbose
Enable verbose logging

The server should be up and running, waiting to execute the commands.

Step 4 ::
Open a new terminal and execute the following command to verify whether the commands work

curl \
--cacert /Users/shankarkumarasamy/Desktop/Tesla/tls-key-server-keys/cert.pem \
--header 'Content-Type: application/json' \
--header "Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InE0dHg3Q1UyYzI2V1BiemwxZjZjanM3QnhzayJ9.eyJpc3MiOiJoasdadadadaszYzOX0.EgjZKPIVjIbXpzhTYAa8a6g58PhKNYTNef6wI2oKdIQzIj21XHnsvg5i-QVb2AMktvIe6SLdeTNlM65i5MUMf-PihqS4xZ1daDPMdsYwM_lXHDWIJmmTOses2O-X7XFQQgONMp67_9XvSy-IC9Q5-AuFjScA5vcSCz3nGJdFAGAS0Ao7IEM-VmvXwC5pl8kzQTZvFL5R7LWPUuzMOJ3toPbM82DUtshZOSMQ0lF8Jr9eTegTmYMvVdvfqqsWARhW2ohpfDyRa2j5XLfZlusb5bbE4fYgNItT7tLm0JA0GUUJ0kR90Njm_X99pOL-65RAIbxi4pzrlecxsFTYOE3n3w" \
--data '{}' \
"https://localhost:4443/api/1/vehicles/7SAYGDEE2PA110666/command/flash_lights"

Options:
Required parameters –
--cacert
TLS certificate chain file with concatenated server, intermediate CA, and root CA certificates.
--header 'Content-Type'
application/json
--header 'Authorization: Bearer'
The access token of the user
--data
Any optional parameters to send with the command
{command}
The actual command to be sent to the vehicle; it is the last segment of the URL path (flash_lights in the example above)
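
The Step 4 request as a reusable shell function, added here as an example and not taken from the original post or Tesla's SDK: it validates the VIN and command name before building the URL, and hands the access token to curl on standard input instead of the command line. The variable names TESLA_PROXY_URL, TESLA_PROXY_CA and TESLA_ACCESS_TOKEN, the function names, and the rule that command names contain only lowercase letters and underscores are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not from the original post or Tesla's SDK.
# TESLA_PROXY_URL, TESLA_PROXY_CA and TESLA_ACCESS_TOKEN are names assumed here.
LC_ALL=C; export LC_ALL   # byte-wise character ranges in the patterns below

# A VIN is 17 characters from A-Z and 0-9, excluding I, O and Q.
valid_vin() {
    [ "${#1}" -eq 17 ] || return 1
    case "$1" in *[!A-HJ-NPR-Z0-9]*) return 1 ;; esac
}

# Assumption: command names look like flash_lights (lowercase letters and "_").
valid_command() {
    case "$1" in ''|*[!a-z_]*) return 1 ;; esac
}

# Print the proxy URL for VIN $1 and command $2; fail on input that could
# alter the request path.
command_url() {
    valid_vin "$1" || { echo "invalid VIN" >&2; return 1; }
    valid_command "$2" || { echo "invalid command name" >&2; return 1; }
    printf '%s/api/1/vehicles/%s/command/%s\n' \
        "${TESLA_PROXY_URL:-https://localhost:4443}" "$1" "$2"
}

# send_command VIN COMMAND [JSON_BODY]
send_command() {
    url=$(command_url "$1" "$2") || return 1
    ca=${TESLA_PROXY_CA:-cert.pem}
    [ -r "$ca" ] || { echo "cannot read CA file: $ca" >&2; return 1; }
    # Accept only JWT-shaped tokens so the value cannot break out of the
    # quoted string in the curl config line below.
    case "$TESLA_ACCESS_TOKEN" in
        ''|*[!A-Za-z0-9._-]*) echo "access token missing or malformed" >&2
                              return 1 ;;
    esac
    body=${3:-}
    [ -n "$body" ] || body='{}'
    # printf is a shell builtin: the token reaches curl on stdin and never
    # appears in curl's argument list, where other local users could read it.
    printf 'header = "Authorization: Bearer %s"\n' "$TESLA_ACCESS_TOKEN" |
        curl --config - --silent --show-error --fail \
             --cacert "$ca" --header 'Content-Type: application/json' \
             --data "$body" "$url"
}
```

After sourcing the file and with the proxy from Step 3 running, call `send_command` with the VIN and the command name, with TESLA_PROXY_CA pointing at the cert.pem from Step 1.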

This blog helps you in running the HTTP-proxy server.
Happy learning!

4 thoughts on “Tesla Developer API Guide: HTTP-Proxy Server Integration (Part 4)”

  1. Hello. Thank you very much for your blog post.

    I assume then the application that intends to run vehicle commands will need to change by talking to the proxy instead of the Tesla API directly, correct?

    Does the proxy server need to run on the same machine as the application that talks to the Tesla API via said proxy or can it run on a different IP address?

    Have you used the application via the proxy server to run commands towards the vehicle successfully?

    Cheers


    1. I tested using an AWS EC2 instance (Stand alone) with the proxy server running on it.

      The architecture for the third party API can be something like below with the end to end flow –

      Third party app -> API gateway(REST)/App sync(GraphQL) -> EC2 (Private instance with proper security groups) -> Tesla servers -> Tesla Vehicle

