Security & Privacy
How GuestKeyTS protects your Tesla account and vehicle.
Your Tesla password stays with Tesla
When you connect your account, GuestKeyTS opens a secure browser window directly to Tesla's website (auth.tesla.com). Your credentials are entered on Tesla's own page and sent only to Tesla's servers. GuestKeyTS never sees, receives, or stores your password.
OAuth token authentication
After sign-in, Tesla provides a temporary access token -- a limited-use pass for sending vehicle commands. It doesn't contain your password and can be revoked at any time. Tokens refresh automatically in the background. OAuth tokens are stored in Google Cloud Firestore and protected by Google's infrastructure encryption in transit and at rest. Access is restricted to authenticated backend services.
Cryptographically signed commands
GuestKeyTS uses Tesla's official Fleet API. Every command is cryptographically signed with a private key and routed through a dedicated instance of Tesla's official vehicle-command proxy, hosted on Google Cloud. This is the same secure signing infrastructure Tesla requires of all authorized third-party apps.
Time-limited guest access
Guest permissions can be time-limited by the owner and can be revoked at any time.
Granular permissions
Owners choose exactly which controls each guest can use — climate, seat heaters, media, and horn are all independently toggled. No driving, no trunk, no location tracking.
No personal accounts
GuestKeyTS uses anonymous authentication -- neither owners nor guests create a traditional account with an email or password. Anonymous identifiers are generated for security and service operation purposes, but no personally identifiable information is required.
Proximity verification
For rideshare mode and owner-configured guests, GuestKeyTS verifies that the guest is physically near the vehicle before allowing commands. The native iOS app uses Bluetooth Low Energy (BLE) to detect the owner's device nearby — no location data is derived or stored from BLE signals. The web guest client uses GPS location instead, comparing the guest's position to the vehicle's location to confirm proximity. If the proximity check fails, commands are blocked.
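The guest-side checks described above (owner-chosen controls, time limits and revocation, and the web client's GPS proximity comparison) can be expressed as one authorization decision that fails closed. The Python below is an added example, not GuestKeyTS code: the GuestGrant record, the authorize function, the control name strings and the 50 m threshold are assumptions, since the page does not state them.

```python
import math
from dataclasses import dataclass
from typing import Optional, Tuple

# Controls the page lists as independently toggled. Driving, trunk and
# location tracking are not in this set, so no grant can ever enable them.
GRANTABLE = frozenset({"climate", "seat_heaters", "media", "horn"})
MAX_DISTANCE_M = 50.0  # assumed threshold; the page does not give one


@dataclass(frozen=True)
class GuestGrant:
    """Hypothetical record of what an owner granted to one guest."""
    controls: frozenset            # subset of GRANTABLE chosen by the owner
    expires_at: Optional[float]    # epoch seconds; None means no time limit
    revoked: bool = False


def haversine_m(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in metres between two WGS84 points."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def authorize(grant: GuestGrant, control: str, now: float,
              guest_pos: Optional[Tuple[float, float]],
              vehicle_pos: Optional[Tuple[float, float]]) -> Tuple[bool, str]:
    """Return (allowed, reason). Every check denies when data is missing."""
    if grant.revoked:
        return False, "revoked"
    if grant.expires_at is not None and now >= grant.expires_at:
        return False, "expired"
    # Check the global allowlist as well as the grant, so a malformed grant
    # that names a non-grantable control is still refused.
    if control not in GRANTABLE or control not in grant.controls:
        return False, "control_not_permitted"
    # A missing position blocks the command instead of skipping the check.
    if guest_pos is None or vehicle_pos is None:
        return False, "proximity_unknown"
    if haversine_m(*guest_pos, *vehicle_pos) > MAX_DISTANCE_M:
        return False, "too_far"
    return True, "ok"
```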
App verification
Requests to GuestKeyTS are protected by Firebase App Check. The native iOS app uses Apple's App Attest, which provides hardware-backed proof that commands originate from a genuine, unmodified copy of the official app on a real Apple device. The web guest client uses reCAPTCHA Enterprise for verification. In both cases, automated scripts, modified builds, and spoofed requests are designed to be rejected.
Want to revoke all GuestKeyTS access instantly? Change your Tesla account password. This immediately invalidates all tokens and disconnects GuestKeyTS — and any other third-party app — from your vehicle. You can reconnect at any time by signing in again.
While we employ industry-standard security measures, no security system is infallible. These security features are designed to reduce risk but do not guarantee protection against all possible attacks or unauthorized access. See our Terms of Use for warranty limitations.
Security governance: GuestKeyTS maintains a Written Information Security Program (WISP) prepared pursuant to 201 CMR 17.00 and a documented Data Breach Response Plan compliant with Massachusetts General Laws Chapter 93H. These documents are reviewed annually. For security inquiries, contact [email protected].