403 status code on http://auth. tesla.com/oauth2/v3/authorize.. after entering email

[itsMeDavidV]

Over the last 2 days an increasing number of users are reporting getting access denied (403) responses after entering their email when trying to sign in via http://auth.tesla.com/oauth2/v3/authorize

Context: on a mobile safari web browser (so javascript & captcha issues mentioned in other places/issues not relevant), user-agent: Mozilla

Common response:

Access Denied
You don't have permission to access "http://auth. tesla.com/oauth2/v3/authorize?" on this server.
Reference #18.401. . . 

I cannot reproduce this issue myself under the same parameters and most users are not experiencing this under the same parameters. It would seem as though these users might be randomly blocked?

Rate-limiting doesn't seem to be a factor as most affected users got 403 on first try.

All are able to sign in to tesla.com. Some have corrected the issue via switching connections (eg: WiFi -> Cellular). Some have been able to obtain tokens on their own using the same connection.

Unfortunately this is completely unexplained at the moment.

[itsMeDavidV]

Additionally it appears the Tesla app is using a new GET param: is_in_app=true and uses a new value for scope: openid email offline_access phone

[KartikAiyer]

I tried using the library with the following snippet

require 'tesla_api'


tesla_api = TeslaApi::Client.new(email:"<MY EMAIL>")
printf('TeslaAPI Client created')
tesla_api.login!("<MY PASSWORD>")
printf('Num Vehicles = %d', tesla_api.vehicles.length())

And am getting the 403 error when performing Step 2 and POST ing the credential information. Is this the same issue that you are referring to ? You mentioned that some people are able to escape the 403 loop. I have not been that lucky. Anyways, is this something very recent?

[itsMeDavidV]

I'm using a browser, so I'm not manually posting the credential, but I assume Tesla is doing so automatically after the user enters their email

[cweinberger]

Any news here? Anyone who is able to successfully perform Step 2 via Tesla API?

[itsMeDavidV]

unfortunately not. On my end the reports of this issue have all but dwindled, however that's not to say this issue doesn't exist and given the amount of upvotes on this discussion, it seems others are going thru this as well.

[dnachev]

I am currently experiencing this problem - recent new comer and I have never had a working setup.

I noticed if the flow is triggered in the browser, it will successfully reach to https://auth.tesla.com/void/callback with code parameter attached. So far, I've tried:

• Using playwright to drive the process through a full blown browser - gets 403
• Using an actual browser to visit the URL and extract the authorization code manually - gets 400 Unauthorized client when executed on the server-side
• Tried to reuse the browser session by executing fetch() manually in the same browser - still 400 Unauthorized client

I have not solved the problem, but decided sharing a little more information will not hurt.