Tesla Account Security
Your Tesla account is safe when using TezLab.
TezLab never sends or processes your Tesla account password via our servers in any way, period.
TezLab asks you to log into your Tesla Account so we can establish a connection with your car. TezLab's systems are not involved in the exchange of your username and password with Tesla.
Here's how it works:
- TezLab opens an SSL encrypted browser window to auth.tesla.com or auth.tesla.cn (for Chinese users) for you to sign in to your Tesla account. This ensures that these credentials are entered directly into Tesla's website and are not visible to TezLab.
- Tesla responds with a random authorization code.
- From your device, this authorization code is exchanged with Tesla for an authentication token and a 'refresh token'.
- Your device sends these tokens to TezLab's servers where they are encrypted and saved on your TezLab account.
A token is like an exclusive access badge with an expiry date that says the bearer has permission to enter a secret event (or in this case, to communicate with your vehicle). TezLab uses this token going forward for all requests to Tesla's API. These tokens are not permanent, and you can revoke both the authorization and refresh tokens at any time by simply changing your Tesla password.
When an authorization token expires, we use the refresh token that came with it to ask Tesla for a new token. If that token is still valid, Tesla will respond with updated tokens for us to use. This prevents you from having to log into your Tesla account repeatedly.
If your token expires and we aren't able to refresh it, we’ll ask you to re-authenticate on your mobile device.
Changing your Tesla password will invalidate any tokens that have been issued which will 'break' the connection with your vehicle.
When you log out of TezLab, we delete the Tesla tokens associated with your account and stop communication with your vehicle.