Ensure your EC private key (P-256) is available in your application runtime; this is the key whose public counterpart was registered at your well-known endpoint
Construct the command payload as a protobuf message using Tesla's published proto schema (VCSEC or CarServer domain depending on the command type)
Sign the serialized protobuf payload using ECDSA with SHA-256 and include the signature in the signed command envelope along with an epoch-based nonce to prevent replay attacks
POST the signed command to the Fleet API endpoint for the target vehicle, e.g. POST /api/1/vehicles/{id}/signed_command, with the binary protobuf body and appropriate Content-Type
Inspect the response: a 200 with result true indicates success; handle response codes for timeout (vehicle asleep), rate limiting, or key not paired errors specifically
Known gotchas
The vehicle must have your public key enrolled before it will accept signed commands — enrollment happens the first time a user pairs the app via the Tesla mobile app or in-vehicle screen; commands fail silently if the key is not enrolled
Nonce values must be strictly monotonically increasing per vehicle session; reusing or resetting a nonce causes the vehicle to reject the command as a replay
Newer Tesla firmware versions require Fleet API commands for many operations; the older REST command endpoints (e.g., /command/door_lock) have been deprecated and may not work on recent firmware without signing
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp