Setting up Tesla Integration with Home Assistant and CloudFlare
In the wake of Tesla discontinuing their REST-API, managing your vehicle via Home Assistant (HA) has become a tad more intricate but not impossible. You’re faced with a choice: opt for a Tessie subscription or, for the DIY enthusiasts, directly link your Tesla Integration with Home Assistant. Both paths have merits, but let’s dive into the latter for those who love a good project.
Preparation: To use the API you have to register a developer account with Tesla and (at least formally) register an app. When setting up the app, Tesla requires a web server that can be accessed from the Internet and one which certain certificates are stored.
Therefore, the software components are first installed and configured on the HA server. The server will later be made accessible on the Internet and the Tesla developer account will then be created including app registration.
Here are the steps, with the assumption that you have Home Assistant already operational and is running in Home Assistant Operating System mode.
If you are running Home Assistant on Docker follow this guide.
- Ensure your Home Assistant is accessible over the internet.
- Install Apache 2 Minimal Web Server
- Enable a Secondary Cloudflare Zero Trust tunnel
- Create a Tesla developer account
- Install Tesla HTTP Proxy configuration
- Install the Tesla Custom integration
1. Ensure Home Assistant is accessible of the internet
It is critical that the Tesla Service can access your HA instance, I’ve previously written a blog showing how to do this with Cloudflare Zero Trust. You can use other methods providing Tesla recognise the SSL certificate.
Note: If you have tightened up your security and implemented geo-blocking or equivalent you will need to remove this to ensure your website is accessible from anywhere on the internet until configured.
Alternative: If you’re looking to redirect your router’s traffic and use port forwarding to channel it to port 443 on your web server, alongside implementing DuckDNS, I recommend following the guidance provided in the Tesla Integration wiki.
2. Install Apache2 Minimal Web Server
Tesla requires access to a couple of private keys to validate your configuration. This is best hosted via a plain old Apache2 web server which is accessed through a Cloudflare Zero Trust tunnel.
2.1 Kickstarting web server installation
Start by adding the HA-Addons repository. You can do this manually with the provided GitHub repository link or simply click the ‘Add Repository’ button below for a quick setup and add the repository.
2.2 Navigating to the Add-On Store
After adding the repository, head over to your Home Assistant and go to Settings > Add-Ons, then tap on the Add-On Store and install the Apache2 Minimal Add-On.
2.3 Start the Apache2 installation.
Click on the install button to download and install the Apache2 Minimal web server.
2.4 Start up options.
Enable the startup options to ensure it stays up-to-date and doesn’t crash.
2.5 Configuration Tab
Connect to the configuration tab and fill out the details as per example below with your appropriate domain name.
2.6 Create your apache.conf file.
Login via ssh to your Home Assistant host and create the 000-default.conf file in the /share/apache2/ directory as per below.
<VirtualHost *:80>
ServerName tesla.smartmotion.life
DocumentRoot /share/tesla/
<Directory "/share/tesla">
Require all granted
</Directory>
Alias "/.well-known/appspecific/" "/share/tesla/"
<Location "/">
Require all denied
</Location>
<Location "/.well-known/appspecific">
Require all granted
</Location>
</VirtualHost>
2.7 Start your web server
3. Enable a Secondary Zero Trust tunnel.
Step 1 showed you how you can connect to your HA instance via a Cloudflare Zero trust tunnel. This negates the need to modify your router and port forward and manages the SSL certificate for you. With this configuration you will setup a second website so you will have two URL’s pointing at the HA host. One is your HA instance, the other is the Apache server setup in step 2. This will be used to share the *pem files with Tesla to validate and authenticate the Tesla API.
3.1 Get started
Visit CloudFlare website, sign in with your account.
3.2 Navigate to Zero Trust tunnel
Create a zero trust tunnel, and chose Configure.
3.3 Add a public hostname
You should already have one which was defined in step 1, choose to add one for Tesla API to authenticate against.
3.4 Configuring your Tesla API public host name
When setting up your Apache2 web server, it’s essential to designate a subdomain specifically for Tesla’s API authentication. This step is crucial as it establishes a direct line of communication between Tesla’s services and your setup. Given that the Cloudflare Zero Trust tunnel provides robust encryption, you can confidently operate this connection over port 80. This choice ensures a seamless flow of traffic straight from Cloudflare’s secure endpoints to your Home Assistant (HA) host, all the while maintaining the integrity and confidentiality of your data.
During this process, your server will host *.pem files in a public directory. These files are critical for the authentication process, serving as digital certificates that verify your server’s identity to Tesla’s API. It’s important to note that while these files are accessible, they are securely managed and play a pivotal role in the authentication sequence, ensuring that only authorised requests are processed by your Tesla API application.
By carefully following these guidelines, you’ll establish a secure and efficient communication channel between your Home Assistant setup and Tesla, enabling advanced control and integration of your vehicle with your smart home ecosystem.
4. Create a Tesla developer account
4.1 Get going with your Tesla Developer account.
Go to developer.tesla.com and register as a developer with your standard Tesla account. Two-factor authentication must be set up for the account; I used Microsoft Authenticator as the app.
Tesla required an Australian Business Number (ABN). Smart Motion has a valid one, so the example used that. However, if you do not, it may be possible to create a dummy ABN. I have read that Tesla has promised to remove the ABN requirement. If this has been done, please post a message below.
Once you set up the account, create a pro forma app authorised to access the vehicle.
4.2 Request Application Access
Once logged into the developer dashboard choose ‘Request Application Access’.
4.3 Choose the account which you have just created.
4.4 Write a short description of the purpose of this application
4.5 Enter the client details for your configuration
4.6 Specify the API & Scopes for what you will use it for, I am only accessing vehicle information hence my choices.
4.7 App Request Submitted
After a few seconds, Tesla will send you an automatic approval email. Important: Tesla now checks whether the domain can be reached via the Internet and whether the certificate is correct.
If it worked, you will see the app you created in your account.
4.8 You should now see an active application within your dashboard, choose to ‘View Details’
4.9 Copy and store securely the details, you will need them in step 5.4 below.
5. Install Tesla HTTP Proxy configuration
5.1 Kickstarting Cloudflared Integration
Start by adding the HA-Addons repository. You can do this manually with the provided GitHub repository link or simply click the ‘Add Repository’ button below for a quick setup and add the repository.
5.2 Navigating to the Add-On Store
After adding the repository, head over to your Home Assistant and go to Settings > Add-Ons, then tap on the Add-On Store and install the Tesla HTTP Proxy.
5.3 Install the Tesla HTTP Proxy
Click on the install button to download and install the Tesla HTTP Proxy server.
5.4 Configure the Tesla HTTP Proxy
Head over to the Configuration tab and populate the service, you will need the details from step 4.9.
5.5 Navigate to the info tab and start the Add-On.
Note: If this did not start have you followed the DNS entry setup in 1.2?
5.6 Choose Open Web UI
5.7 We will now follow the four steps in order to authenticate with your Tesla account, choose ‘Login to Tesla account’
Note: You will see a call out warning you that the ‘Page not found’ is to be expected.
5.8 After you have logged into your Tesla account copy the URL from the address bar.
5.9 Navigate back to Home Assistant and paste this callback into the dialogue box provided and choose ‘Generate token from URL’
5.10 Click ‘OK’ at the Authorization complete screen which will copy the refresh token to your clipboard
5.11 Navigate back to the Tesla HTTP Proxy add on screen and choose ‘Enrol public key in your vehicle’ and follow the instructions.
- Sign in to the Tesla App
- Scan the QR Code
- Click ‘Finish setup’ on your phone and it will install the ‘Virtual Key’ in your vehicle
6. Install the Tesla Custom Integration
6.1 Home Assistant Tesla Custom Integration installation
You now have a ‘Refresh Token’ that will enable the Tesla Custom Integration to authenticate. Install it from GitHub repository link or simply click the ‘Add Repository’ button below for a quick setup and add the repository.
6.2 Agree that you need the Tesla HTTP Proxy, which you have already done.
6.3 Enter your email address and the ‘Refresh Token’ from step 5.10.
6.4 Within your integrations you will now see commands to control your Tesla.
Congratulations! You’ve now got your own Tesla Integration working without the need for ongoing subscription to Tessie! Have questions or feedback for Home Assistant with Cloudflare Zero Trust? Feel free to share your thoughts or ask for help in the comments below.
Did this guide help you secure your Home Assistant remotely? If you found it valuable and are feeling generous, consider Buying Me A Coffee. Your support encourages me to create more helpful content like this. Cheers!
This is a very well explained guide!
Unfortunately i’m stuck on the last step… When I scan the QR-code I get an error from Tesla app, claiming, that this is an third party app and its not registered…
Somebody have an Idea of what I did wrong?
Unfortunately I haven’t seen that, my suggestion is to run through it again. There is a timeout and you may have been a bit slow through it (I know I was for the first few goes). Let me know how you go!
Thanks for the detailed description! Would this process result in getting location updates via streaming or via polling?
Yes, the GPS coordinates are sent back via the Tesla Custom Integration https://github.com/alandtse/tesla
Sounds like it is polling only and not streaming, unfortunately. Thanks.
“I’m currently trying to install the Tesla integration in Home Assistant. I’m quite new to this topic, so this guide came in handy for me. I had already set up a tunnel via Cloudflare, and my HA server is externally accessible. Now, I’ve set up a second tunnel and installed the Apache server. It’s now accessible via https://tesla.myaddress.com. What’s not entirely clear to me is where to get the public key stored in com.tesla.3p.public-key.pem. If I generate a key pair with openssl and rename the public key to com.tesla.3p.public-key.pem and copy it to /share/apache2/, then it is also displayed to me via https://tesla.myaddress.com. Additionally, I had to manually create the folders /share/tesla and /share/apache2, was that correct?”
This was an error in the blog that the certificate is available at this time. I’ve removed the step where you test your public key. As you pointed out it is not created at this time.
You should not have to create the directories, do you get an error message if they are not created?
Thanks for the detailed guide. I have been postponing the fleet API as it was hard to follow but your guide was very helpful. I reached successfully until step 5.11 and when I scan the code on my mobile, I get the error ‘Unable to Share Vehicle, This third party isn’t registered with Tesla. We can’t grant them access at this time.’ Any suggestions?
After verifying your public key is accessible, at step 5.4, make sure you enable the Regenerate Tesla Authentication. This step is to register your public key with Tesla for step 5.11.
Also watch out for WAF geofence settings. Check out my discussion topic on github.
https://github.com/llamafilm/tesla-http-proxy-addon/discussions/86#discussion-6562646
Thank you for this tip! Without it I would have got stuck without knowing what the problem was. Perhaps the article could be updated to incorporate this.
Thanks for pointing this out. I’ve updated the image in 5.4 to show that you need to enable the Regenerate Tesla Authentication.
Also, when I go to the cloudflare subdomain created with homeassistant.example.com go to my HA instance but going to the subdomain created with tesla.example.com gets ‘Forbidden, You don’t have permission to access this resource.’ Not sure is this is expected behavior and related to above problem’
I am pretty sure that there is a problem with your webserver setup, possibly in CloudFlare. In your example does the following work for your domain?
https://tesla.smartmotion.life/.well-known/appspecific/com.tesla.3p.public-key.pem
My suggestion is to ensure that through CloudFlare (Access->Applications) there is no restriction on getting to https://tesla.yourdomain.com/
Developer Account steps doesn’t require a Business Number for US, I see the Tax ID for UK though. Also it has the note saying that Tesla API is temporarily free during this trial period. Does that mean this will only work for a while before Tesla charging us for API call? Thanks
I do not believe that Tesla will charge for this. My understanding is that they have tightened security hence the change.
Hello,
seems a nice guide, but only for HA OS users, not for me running HA in a docker container…
I managed to settle Tesla developer needs..
I managed to build a webserver (Apache2), I managed to create Cloudflare tunnel to that server.
I’m stuck at creating the Tesla_http_proxy thing. I need more time and nerves. Only ChatGPT seems endless in energy on that 😉
> seems a nice guide, but only for HA OS users, not for me running HA in a docker container…
I’ve just created a guide for HA on Docker – https://www.smartmotion.life/2024/04/23/tesla-custom-integration-with-home-assistant-on-docker/
You are quite right that it is only for HA OS, I’ll update the guide. I need to think about how this can be adapted to those running containers!