What is the Tesla Fleet API?

Fleet API is Tesla’s data and command service for authorized access to Tesla vehicles and energy devices, either for your own devices or devices a customer has granted access to.

Should I poll vehicle data endpoints regularly?

No. Tesla recommends avoiding frequent polling of device/vehicle data. Use Fleet Telemetry for ongoing realtime needs because it is designed for streaming and is typically cheaper and more scalable.

Why do refresh tokens become invalid?

Refresh tokens have a limited lifetime. Also, when you exchange a refresh token, you must store and use the NEW refresh token for the next exchange.

Tesla Fleet API Guide: OAuth, Fleet Telemetry, Endpoints, Examples (2026)

Quickstart checklist

1) Know which token type you need

Third-party customer tokens: a customer authorizes your app (authorization_code flow). See Tesla “Third-Party Tokens”.
Partner/business tokens: for business/fleet scenarios (depending on your integration model).

Start here: Third-Party Tokens and Authentication Overview.

2) Avoid expensive patterns

Don’t poll “vehicle data/device data” endpoints on an interval.
Use Fleet Telemetry for ongoing realtime data streaming.
Check connectivity state before requesting data or commands.

Tesla best practices: Best Practices and Billing & Limits.

Production rule of thumb: If you need data “all the time,” use Fleet Telemetry. If you need a one-off value occasionally, use the appropriate vehicle endpoint sparingly.

OAuth & tokens (what actually matters in production)

Fleet API endpoints use a standard Bearer token header: Authorization: Bearer <token>. See Tesla’s Authentication and Conventions.

Authorization Code flow (customer grants access)

Redirect user to Tesla authorization URL (your client_id + scopes + redirect_uri).
Receive code at your redirect_uri.
Exchange code for access_token + refresh_token.
Store refresh token securely, rotate on every refresh.

Refresh-token pitfall: after exchanging a refresh token, store the NEW refresh token and use it next time. Tesla notes refresh token validity and rotation behavior in the FAQ. See FAQ.

Token storage & rotation

Encrypt refresh tokens at rest (KMS / envelope encryption).
Rotate on each refresh; keep “last refresh” timestamps.
Handle concurrent refresh: single-flight lock per user to avoid invalidating tokens.
Log token exchange failures with correlation IDs (but never log tokens).

If you’re doing this “just for yourself”: EVFleetPulse is building owner-friendly automations on top of Fleet API so you don’t have to maintain token refresh + cron jobs.

Get EVFleetPulse beta (owners automations) Email me the PDF checklist

Get the checklist (email)

OAuth redirect + refresh rotation mistakes are the #1 time sink. I’ll email you the PDF checklist.

Fleet Telemetry (realtime streaming)

Fleet Telemetry streams vehicle signals to a server you run on the public internet. Tesla documents server and vehicle setup here: Fleet Telemetry and available fields here: Available Data.

Prerequisites (watch these)

Vehicle firmware requirements apply (Tesla lists minimum versions; some hardware variants require newer versions).
Virtual key pairing is required for streaming configuration/signing flows.
A vehicle can be configured to stream to a limited number of third-party apps.

How it works (architecture)

Your app runs a Telemetry server (ingest endpoint).
You configure vehicles to stream to your server (configuration is signed).
You process protobuf/event messages → store in TSDB → analytics/dashboard.

Use telemetry connectivity state to avoid waking vehicles.
Implement backpressure: queue + batch writes.
Alerting: deltas + thresholds (don’t alert on jitter).

Why this matters: Tesla explicitly recommends avoiding polling device/vehicle data and using Fleet Telemetry for ongoing needs. Best Practices.

Commands, virtual keys & the Vehicle Command Proxy

Vehicle commands require signed payloads for many vehicles, using your application’s virtual key. Tesla’s docs: Vehicle Commands and Virtual Keys Developer Guide.

High-level rules

Unsigned commands may be rejected by the vehicle.
The Vehicle Command Proxy signs commands with your private key before sending to Fleet API.
Prefer proxy approach unless Tesla explicitly says a proxy is not required for your scenario/vehicle types.

Operational tip: Treat your private key like a production secret. Never ship it to browsers or mobile apps. Keep it server-side only.

Examples

These examples are intentionally “minimal but real.” You’ll still need your app’s OAuth config, scopes, and the correct Fleet API base URLs per Tesla’s docs.

Example: call an authenticated endpoint (curl)

curl -sS \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  "https://fleet-api.prd.na.vn.cloud.tesla.com/api/1/vehicles"

Example: token exchange (server-side) with authorization_code

curl -sS -X POST \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=authorization_code" \
  -d "client_id=YOUR_CLIENT_ID" \
  -d "client_secret=YOUR_CLIENT_SECRET" \
  -d "code=AUTH_CODE_FROM_REDIRECT" \
  -d "redirect_uri=https://yourdomain.com/callback" \
  "https://auth.tesla.com/oauth2/v3/token"

Reference: Tesla’s third-party token flow docs: Third-Party Tokens.

Example: refresh token rotation (pseudo)

// Pseudo: always store the NEW refresh token you receive
function refreshAccessToken(userId) {
  lock("refresh:" + userId, () => {
    const current = db.getRefreshToken(userId);
    const resp = POST("https://auth.tesla.com/oauth2/v3/token", {
      grant_type: "refresh_token",
      client_id: "...",
      client_secret: "...",
      refresh_token: current
    });
    db.saveTokens(userId, {
      accessToken: resp.access_token,
      refreshToken: resp.refresh_token, // IMPORTANT: rotate!
      expiresAt: now() + resp.expires_in
    });
  });
}

Tesla notes refresh token behavior and common issues in: FAQ.

Example: Java (Spring WebClient) request

import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.web.reactive.function.client.WebClient;
import reactor.core.publisher.Mono;

public class TeslaFleetClient {
  private final WebClient webClient;

  public TeslaFleetClient(String baseUrl) {
    this.webClient = WebClient.builder()
        .baseUrl(baseUrl)
        .defaultHeader(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE)
        .build();
  }

  public Mono<String> listVehicles(String accessToken) {
    return webClient.get()
        .uri("/api/1/vehicles")
        .header(HttpHeaders.AUTHORIZATION, "Bearer " + accessToken)
        .retrieve()
        .bodyToMono(String.class);
  }
}

Troubleshooting checklist

Auth & tokens

401/403 after refresh: you may be re-using an old refresh token (rotation required). See Tesla FAQ.
Random invalid refresh tokens: track last-used; avoid multiple concurrent refreshes per user.
Wrong scopes: requests fail even with valid token. Ensure requested scopes match endpoint needs.

Public key hosting / well-known PEM (common app registration pitfall)

Make sure your public key is reachable at Tesla’s required well-known path (exact path, correct content-type, no HTML).
Avoid redirects for the PEM URL. Some proxies/CDNs rewrite or cache incorrectly.
Verify from a clean network: curl -I https://yourdomain/.well-known/...pem and ensure it returns 200.

If you don’t want to babysit OAuth + PEM hosting: EVFleetPulse is building the owner automations layer (charge rules, preconditioning, alerts) so you can skip the plumbing.

Get EVFleetPulse beta (owners automations) Email me the PDF checklist

Email me the PEM hosting checklist (PDF)

This is the most common app registration failure: wrong path, redirect, or HTML instead of PEM.

403 “Access Denied” during token exchange

Confirm you’re using Tesla’s correct token endpoint.
Ensure your server/network is not blocked by edge policies (try from a different cloud/IP range).
Log the Tesla response correlation IDs and timestamps for support cases.

Telemetry not streaming

Vehicle firmware doesn’t meet minimum requirements (Tesla lists versions in Fleet Telemetry docs).
Virtual key not paired / proxy signing misconfigured.
Your telemetry server isn’t reachable publicly (firewall, TLS, DNS).
Vehicle reached “max number of configured third-party apps” limit.

Commands failing

Unsigned payload (vehicle rejects silently or returns an error).
Virtual key missing on the vehicle; install/pair before retry.
Vehicle offline: check connectivity via Telemetry (preferred) or vehicle endpoints before sending.

Design smell: If your app frequently wakes vehicles, Tesla considers that a sign of improper design. Prefer streaming and only do on-demand queries/commands when necessary. Billing & Limits.

FAQ

Is Fleet Telemetry required?

Not for every use case, but for ongoing realtime data needs it’s the preferred approach. Polling vehicle/device data endpoints regularly is discouraged. See: Best Practices.

Do I need the Vehicle Command Proxy?

Many commands must be signed with your virtual key. The proxy signs requests server-side and forwards them. Tesla’s docs explain when it’s required and how it works: Vehicle Commands.

Why did my refresh token stop working?

Refresh tokens have lifetimes and rotation behavior. When you exchange a refresh token, save the new refresh token returned and use that next time. Reference: Tesla Fleet API FAQ.

Why EVFleetPulse exists

A lot of people start with “I just want SoC twice a day,” then end up maintaining OAuth refresh, key hosting, sleep/wake edge cases, and alert logic. EVFleetPulse is the owner-focused layer on top of Fleet API so you can get useful outcomes without building an app platform.

Charge rules: weekday/weekend limits, schedules, and simple automation templates
Preconditioning: time + proximity triggers (comfort without constant polling)
Alerts: “something changed” signals (idle drain/efficiency exceptions, reminders)

If you don’t want to build all this yourself:

Get EVFleetPulse beta (owners automations) Email me the PDF checklist Download PDF

Resources

More guides in this series

Get the checklist + early access

If this guide helped, grab the PDF checklist and updates (OAuth pitfalls, PEM hosting, telemetry gotchas).