
Model S REST API

I get the session cookie back in my curl cookie.jar using the first GET /login

However when I try the POST /login with my tesla login and password I don't get back a cookie for the user credentials.

What I do get back is HTML with the following CSRF meta data

<meta content="authenticity_token" name="csrf-param" />
<meta content="****A*TOKEN****" name="csrf-token" />
<meta name="csrf-token" content="****A*TOKEN****">

What I can't figure out is how to use the csrf-token for the subsequent requests using curl.
Is the cookie supposed to be called "csrf-token" or "authenticity_token" or "user_credentials"?
Are you sure this is just a cookie only and doesn't also need other HTTP header fields like X-CSRFToken?
 
Do you send back the cookie you got with the first request?
 
Yes.

The following GET /login works and sets a session cookie in the file firstcookie.txt

curl -c firstcookie.txt https://portal.vn.teslamotors.com/login


Then I run POST /login and use the session cookie with extra username and password and get back the CSRF in HTML (but no additional cookies are set)

curl -u <username>:<password> -b firstcookie.txt -c secondcookie.txt https://portal.vn.teslamotors.com/login
 
The server doesn't use HTTP basic auth, you need to post them as parameters as expected by the API. Also, no need to do a GET in /login, the session cookie will be set on first access of any url. Try the following:

Code:
rm -f cookies.txt
curl -b cookies.txt -c cookies.txt -H "Accept: application/json" -X POST -d "user_session[email]=USERNAME" -d "user_session[password]=PASSWORD" https://portal.vn.teslamotors.com/login
curl -b cookies.txt -c cookies.txt -H "Accept: application/json" https://portal.vn.teslamotors.com/vehicles

Replace USERNAME/PASSWORD with your values. If you get back your vehicle info, you're good to go.
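
The meta tags quoted at the top of the thread match the Rails `csrf_meta_tags` convention: the token is not a cookie but a value tied to the session cookie, sent back as the form field named by `csrf-param` or as an `X-CSRF-Token` header. The sketch below is an added example, not code from any poster; `login_with_csrf` is a hypothetical helper, the sample HTML and token are constructed, and the thread does not show whether this portal enforces the token on login.

```shell
#!/bin/sh
# Constructed sample of a login page <head>; the token is a made-up placeholder.
SAMPLE_HTML='<html><head>
<meta content="authenticity_token" name="csrf-param" />
<meta name="csrf-token" content="CONSTRUCTED+sample/token==">
</head></html>'

# meta_content NAME: read HTML on stdin and print the content="" value of
# <meta name="NAME">, whichever order the two attributes come in.
meta_content() {
    tr '\n' ' ' | grep -o '<meta[^>]*>' | grep "name=\"$1\"" |
        sed -n 's/.*content="\([^"]*\)".*/\1/p' | head -n 1
}

# login_with_csrf BASE_URL EMAIL PASSWORD JAR (hypothetical helper, needs network).
# The same cookie jar is used for the GET and the POST, because the token is
# only valid together with the session cookie it was issued for.
login_with_csrf() {
    html=$(curl -s -b "$4" -c "$4" "$1/login") || return 1
    param=$(printf '%s' "$html" | meta_content csrf-param)
    token=$(printf '%s' "$html" | meta_content csrf-token)
    [ -n "$param" ] && [ -n "$token" ] || return 1
    # --data-urlencode matters: a raw "+" in the token would arrive as a space.
    curl -s -b "$4" -c "$4" -H "Accept: application/json" \
        -H "X-CSRF-Token: $token" \
        --data-urlencode "$param=$token" \
        --data-urlencode "user_session[email]=$2" \
        --data-urlencode "user_session[password]=$3" \
        "$1/login"
}

# Offline demonstration on the constructed sample.
printf 'field=%s\n' "$(printf '%s' "$SAMPLE_HTML" | meta_content csrf-param)"
printf 'token=%s\n' "$(printf '%s' "$SAMPLE_HTML" | meta_content csrf-token)"
```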
 
Try this:

$ curl -c cookie.curl https://portal.vn.teslamotors.com/login
$ curl -b cookie.curl -c cookie.curl -d "user_session[email]=<EMAIL_ADDR>&user_session[password]=<PASSWORD>" https://portal.vn.teslamotors.com/login
$ curl -b cookie.curl https://portal.vn.teslamotors.com/vehicles

Just tested this on my Ubuntu desktop and works. /vehicles doesn't return anything to me since I don't have a Model S (yet!).
 
Works. You are right that there is no need to call the GET /login. Both cookies are set on the one POST /login

$ curl -c cookie.txt -d "user_session[email]=<myusername>&user_session[password]=<mypassword>" https://portal.vn.teslamotors.com/login

$ curl -b cookie.txt https://portal.vn.teslamotors.com/vehicles

$ curl -b cookie.txt https://portal.vn.teslamotors.com/vehicles/000/command/flash_lights

{"reason":"","result":true}

Yes!!! I just curled my Tesla from 3000 miles away from home.
 
Thanks to a bit of curl and a jot of cron, I woke up this morning to a nice, toasty Model S, despite the 34 degree outside air temperature. Thanks to everyone for guidance and info in making this possible, esp. aviators99.
 
Cool, I can see my car. battery_current is -0.8. I wonder what units that is.
So, now we could make our own custom website so that we could send a command from the car to our website that would send a command to the Tesla portal, that would send a command back to the car, so that a button press on the touch screen flashes our headlights?
 
I hadn't seen the reference to streaming.vn, so that piqued my interest this morning. :) Now that I have the iPhone app, I was able to watch the traffic via a proxy this afternoon.

It is really quite impressive what they've done. Through their streaming API they are providing real-time telematics updates every 250ms. I tested this while driving around with my daughter watching the speedometer and the mobile app at the same time, and the latency appears quite low (well less than 1 second). Considering the data is coming from my vehicle over AT&T's 3G network to some Tesla data center and then sent back over Verizon's LTE network (in my case) to my phone, it is pretty amazing!

I think nodejs was a good choice on Tesla's part for this application, a pretty good match for the problem they are solving, and should scale well.

I noticed the authentication used for the streaming API is using one of the two "tokens" provided in the vehicle's JSON description. It kind of makes me wonder what the other token is for....

Is there any documentation on the streaming interface?
 
A few days ago I was able to query the location and charging information on my car via the portal REST service. Interesting thing is: my car is still at the factory and was in "burn-in" phase. The GPS location was showing the Tesla factory. I've since been getting access denied messages indicating that I now need to turn on remote access, but it was interesting.

I've also noticed that most people have reported their model coming back as "MS01", but mine comes back with "MS02". I wonder if this is MY2012 vs. MY2013? It's not related to battery pack, as I have the 60kWH and others that get "MS01" have the same.

Clayton
 
All S60's are model year 2013 cars. My 60 kWh car says MS01 and BT60.
 
Is it just me or is the REST interface no longer allowing access other than via the mobile apps? Both curl and my node.js app return HTML containing the following...

<...>You do not have access, please contact jmoncharmont@<...>
 
Just checked using CURL and I still seem to be able to access.

Got back the expected results. I didn't re-authenticate, but used my existing session token. Just sent a request for a list of vehicles and it came back fine. Not sure if other queries are working, as my vehicle won't actually be here until Monday.
 
I've also noticed that most people have reported their model coming back as "MS01", but mine comes back with "MS02".

My guess is that after you take delivery, your car will start reporting MS01. It's probably a flag of some type that indicates if the vehicle is an "owner" vehicle or not. I guess after you take delivery, you can let us know. :)

Maybe we should not send a User-Agent header as well, since I don't see them in the logs.

There is a User-Agent sent from the iPhone app. I don't have it in front of me at the moment, but it has the app version and info about the phone's OS/hardware as I recall.

In either case, you should set a User-Agent header to something different from their app's user agent string (curl's default user agent string should be fine). It makes it easier for Tesla to isolate problems and not waste time tracking down what they may think is a "bug" in the app's communication with their servers. I'm all for playing with the API, but I don't think we should "trick" their servers into thinking that traffic is coming from the app.
 
In the phone app thread, someone mentioned that you should be able to set an alert if the car is not plugged in at a certain time. Here's a Bourne shell script to do that. You must fill in the 4 variables at the top.

Code:
#! /bin/sh
# E-mails an alert when the car is not plugged in. Fill in the 4 variables below.

HOME_DIRECTORY="HOMEDIR"
TM_USERNAME="USERNAME"
TM_PASSWORD="PASSWORD"
ALERT_EMAIL="EMAILADDRESS"

# Log in; the session cookie is kept in cookie.jar. curl's -k is not used, so the
# server certificate is verified before the password is sent.
curl -s --cookie "$HOME_DIRECTORY/cookie.jar" -c "$HOME_DIRECTORY/cookie.jar" -X POST -F "user_session[email]=$TM_USERNAME" -F "user_session[password]=$TM_PASSWORD" "https://portal.vn.teslamotors.com/login" > /dev/null 2>&1

# Pull the vehicle id out of the /vehicles JSON.
vehicle=`curl -s --cookie "$HOME_DIRECTORY/cookie.jar" -c "$HOME_DIRECTORY/cookie.jar" "https://portal.vn.teslamotors.com/vehicles" | awk -F, '{for(i=1;i<NF;i++){if($i ~ /"id":.*/) {print  substr($i,6)} }}'`

# "=" rather than "==": plain /bin/sh (e.g. dash) does not accept "==" in [ ].
if [ "$vehicle" = "" ]; then
   echo "Could not communicate with vehicle"
   exit 0
fi

# Read the pilot current from charge_state; 0 means no charger is connected.
ps=`curl -s --cookie "$HOME_DIRECTORY/cookie.jar" -c "$HOME_DIRECTORY/cookie.jar" "https://portal.vn.teslamotors.com/vehicles/$vehicle/command/charge_state" | awk -F, '{for(i=1;i<NF;i++) {if($i ~ /".*pilot_current":.*/) {print substr($i,25)} }}'`

if [ "$ps" = "" ]; then
   echo "Could not communicate with vehicle"
   exit 0
fi

if [ "$ps" = "0" ]; then
   echo "Not plugged in"
   Mail -s 'Car not plugged in!' "$ALERT_EMAIL" < /dev/null
   exit 1
else
   echo "Plugged in"
   exit 0
fi
 
Thanks Aviators99! This sounds really cool, but I have no experience of how to install and run this script. Can you provide a helpful link for newbies?
 
Zas,

Just so you know, you'll need a machine running some flavor of Linux or perhaps Mac OS or CygWin or a virtual machine on Windows to run this script. It's not a native script for Windows... Once you've got that set up, you'll need to learn the ins and outs of cron (a built-in timer/automated task system in GNU systems like Linux).

If all this doesn't sound daunting, then by all means, continue the research. :) If it does, I'm sure the app will soon provide timer-based events which will make this a lot easier.