Generate an EC key pair using the secp256r1 curve; host the PEM-encoded public key at https://{appDomain}/.well-known/appspecific/com.tesla.3p.public-key.pem.
Register as a partner by calling POST /api/1/partner_accounts with your partner token; Tesla links the hosted public key to your application domain.
For business-owned fleets, automatic virtual key pairing is available after the partner account registration endpoint is called — no additional driver action is required.
For third-party user vehicles, direct the authorized user to the deep link: https://tesla.com/_ak/{appDomain} while they are logged in with their Tesla account; they must approve the key pairing from the Tesla mobile app.
Verify pairing succeeded by calling GET /api/1/vehicles/{vin}/drivers with the user access token; the response should list your application.
Sign all vehicle command requests (unlock, actuate trunk, etc.) using your private key via the vehicle-command proxy; commands without a valid signature are rejected with a missing_key or invalid_signature error.
Known gotchas
Virtual key pairing requires the vehicle owner to complete an in-app approval step on the Tesla mobile app; this cannot be fully automated from the server side for third-party user vehicles.
If the virtual key has not been added to the vehicle, any command request returns an error indicating missing_key; check pairing status before sending commands.
One application domain can have only one registered public key; if you rotate keys you must re-register and all vehicle users must re-pair.
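A pre-registration check for step 1, given that the key rotation gotcha above makes a wrong upload expensive (added example, not Tesla's code): it confirms that the text served at the public-key.pem path is a single secp256r1 public key and not a private key published by mistake. It goes beyond the page by also checking that the point lies on the curve. The names check_hosted_key and make_pem are hypothetical, and the sample PEM is constructed from the curve's base point.

```python
import base64
import re

# NIST P-256 (secp256r1 / prime256v1) domain parameters.
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
# Fixed DER header of a SubjectPublicKeyInfo carrying an uncompressed P-256 point:
# SEQUENCE { SEQUENCE { id-ecPublicKey, prime256v1 }, BIT STRING (0 unused bits) }
SPKI_PREFIX = bytes.fromhex("3059301306072a8648ce3d020106082a8648ce3d030107034200")
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s+(.*?)\s*-----END \1-----", re.S)


def check_hosted_key(pem_text):
    """Return (ok, reason) for the text served at the public-key.pem path."""
    blocks = PEM_RE.findall(pem_text)
    if len(blocks) != 1:
        return False, "expected exactly one PEM block"
    label, body = blocks[0]
    if label != "PUBLIC KEY":
        # Catches an "EC PRIVATE KEY" / "PRIVATE KEY" file published by mistake.
        return False, f"unexpected PEM label: {label}"
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except ValueError:
        return False, "body is not valid base64"
    if len(der) != 91 or not der.startswith(SPKI_PREFIX):
        return False, "not a secp256r1 SubjectPublicKeyInfo"
    if der[26] != 0x04:
        return False, "point is not in uncompressed form"
    x = int.from_bytes(der[27:59], "big")
    y = int.from_bytes(der[59:91], "big")
    if x >= P or y >= P or (y * y - (x * x * x - 3 * x + B)) % P != 0:
        return False, "point is not on the curve"
    return True, "ok"


def make_pem(x, y, label="PUBLIC KEY"):
    """Build a PEM from raw coordinates (used only for the constructed sample)."""
    der = SPKI_PREFIX + b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed sample: the curve's base point G (private scalar 1), never a usable key.
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
SAMPLE_PEM = make_pem(GX, GY)
```

Run it against the body fetched from your own well-known URL before calling the partner registration endpoint; it does not prove the hosted key matches your private key, only that the file is the right kind of object.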