From your Smartcar dashboard, set an allowed redirect URI and note your Client ID.
Construct the authorization URL: https://connect.smartcar.com/oauth/authorize?response_type=code&client_id={clientId}&redirect_uri={redirectUri}&scope={spaceDelimitedScopes}&state={csrfToken}. Include only the scopes you need, such as read_vehicle_info, read_odometer, read_fuel, read_battery, read_location, read_vin, control_security.
Redirect the vehicle owner to the authorization URL; they authenticate with their OEM credentials and grant consent.
After consent, Smartcar redirects to your redirect URI with a code parameter; exchange it via POST https://auth.smartcar.com/oauth/token with grant_type=authorization_code, code, redirect_uri, and a Basic Authorization header containing the Base64-encoded clientId:clientSecret.
Store the returned access_token (1-hour TTL) and refresh_token (long-lived); use the refresh_token grant to obtain new access tokens.
In v3, pass the sc-user-id header on vehicle API requests to scope the application-level token to a specific user.
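The authorization steps above as an added Python example (not Smartcar's SDK and not code from the original page): it builds the authorization URL with a random state, refuses the callback unless the state matches, and prepares the token request without sending it. The function names and the form-encoded request body are assumptions.

```python
import base64
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request

AUTHORIZE_URL = "https://connect.smartcar.com/oauth/authorize"
TOKEN_URL = "https://auth.smartcar.com/oauth/token"

def build_authorize_url(client_id, redirect_uri, scopes):
    """Return (url, state); keep state in the user's server-side session."""
    state = secrets.token_urlsafe(32)  # unguessable CSRF token
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),  # space-delimited, minimum needed
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}", state

def parse_callback(callback_url, expected_state):
    """Return the code only when state matches the value stored in the session."""
    params = parse_qs(urlparse(callback_url).query)
    state = params.get("state", [])
    code = params.get("code", [])
    # Reject missing or repeated parameters instead of picking one silently.
    if len(state) != 1 or len(code) != 1:
        raise ValueError("callback must carry exactly one code and one state")
    # Constant-time comparison against the session value.
    if not hmac.compare_digest(state[0].encode(), expected_state.encode()):
        raise ValueError("state mismatch: discard the code")
    return code[0]

def build_token_request(code, client_id, client_secret, redirect_uri):
    """Prepare (do not send) the code-for-token POST with Basic client auth."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,  # same value sent in the authorization URL
    }).encode()
    # Form-encoded body is assumed here, per RFC 6749 section 4.1.3.
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return Request(TOKEN_URL, data=body, headers=headers, method="POST")
```

Send the prepared request with urllib.request.urlopen from server-side code only, so the client secret never reaches the browser.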
Known gotchas
Requesting excessive scopes increases friction in the consent screen and may cause users to abandon the flow; request only the minimum scopes needed.
Smartcar Connect is per-OEM at runtime — not every OEM supports every scope; consult the Smartcar compatibility matrix before presenting features to end users.
The v3 authentication model uses a single application-level access token scoped by user ID header, which is a breaking change from v2's per-user tokens; do not mix v2 and v3 patterns.