revoking API access for 3rd party apps?

astrorob

Well-Known Member
First Name
rob
Joined
Aug 26, 2022
Threads
22
Messages
873
Reaction score
388
Location
bay area
Vehicles
24GT, plug-in prius, 99 MBZ C43
i can't figure out how i can revoke 3rd party API access to my ford account. is that possible? i mistakenly signed up for optiwatt and instantly regretted it.

do i have to change my ford account password to prevent them from seeing my data? i don't trust that deleting my car from their dashboard is enough to revoke access.

thanks
astrorob

yeah optiwatt made me log in to ford (and charge point) but since the respective login pages were ford's and optiwatt i thought it was more setting up API access than just grabbing the password. i guess they could snarf the passwords at login though.

i guess i'll just change my passwords, thanks
 

ChrisO

Well-Known Member
Joined
Jan 11, 2025
Threads
9
Messages
998
Reaction score
992
Location
US
Vehicles
.
I have no experience with this on Ford, but I do have experience with personal finance software and other software that exchanges a key.

If they asked you to log into Ford, and the Ford site asked you to confirm the connection, then they are using a security key, not your username/password. And changing your password will not do anything. This is in fact the secure way to do this. Giving any service your username and password for another site is not secure (even though that for some personal finance software/connections to financial institutions).

I asked Copilot what it knows about this. It seems like a "reasonable answer", but I don't have enough knowledge/access to confirm what it is saying is actually true.

[Images: two screenshots of the Copilot answer]


Note in the case where a security token is used for a personal finance program, it is the financial institution that actually generates the security token, and as such it will have a web page for revoking the access. But from the above it sounds like Optiwatt farms that out to Smartcar. Since the above is just an image here is the link for them:

https://my.smartcar.com/login
 
astrorob

interesting, thanks. i wonder if it is a slight hallucination though. i was able to get into smartcar with my email address but it showed no cars connected, and wants me to add my car to manage it. however, ford does not appear to be supported as it does not show up in their list.

so if there is some 3rd party conduit they are using, i guess it is not smartcar.

it does seem like it would be done via an API ID/key pair, however, neither ford nor chargepoint asked me to confirm any access. i just logged in and then the login popup disappeared. i also don't see anything in my chargepoint account regarding 3rd party access. chargepoint does have something called "connections" but these seem to be affinity programs that you attach to your account for discounts or access to particular public chargers.

anyway i've changed my PWs. i do have a customer service inquiry in with chargepoint about 3rd party API access so we'll see if they say anything.
 


ChrisO

Yeah, it is entirely possible that is incorrect or outdated information. Best of luck getting this resolved.
 

macchiaz-o

Well-Known Member
First Name
Jonathan
Joined
Nov 25, 2019
Threads
171
Messages
8,579
Reaction score
15,987
Location
}not/A/gr8'Place.2.store-mEyePassword{
Vehicles
MY21 J1 Premium RWD SR
Be careful with AI results. Optiwatt used to use Smartcar (and maybe it still does, I don't know). Smartcar presented a FAKE Ford login screen, impersonating the real one. A customer would have entered their real Ford.com credentials into the Smartcar screen and then Smartcar recorded those credentials for future reuse.

Smartcar did this in violation of Ford's terms, instead of working with Ford to get an API key.

This led to Ford locking many users' accounts due to high request velocity and also due to the terms violation.
 
astrorob

so optiwatt's customer service claims that if the car is deleted from your account, then they lose access to the car. hard to believe that's really true, because it's on them to remove any API keys including from any backups they may have. they also noted that they get access to your car's camera because ford doesn't allow them to pick and choose what access they get - it's all or nothing. still they claim they have no way to see the output of the camera. for my part it was the car's location information that i felt they just didn't need, but again i guess in order to set charge targets they end up with that info as well.

finally they claim that if i delete my optiwatt account then any data in there is anonymized and they no longer can know who the data belonged to. but that means that they retain it, which isn't so hot. data can always be de-anonymized with some effort.

chargepoint has not replied to my inquiry.
 

macchiaz-o

astrorob said:
> so optiwatt's customer service claims that if the car is deleted from your account, then they lose access to the car. hard to believe that's really true, because it's on them to remove any API keys including from any backups they may have. they also noted that they get access to your car's camera because ford doesn't allow them to pick and choose what access they get - it's all or nothing. still they claim they have no way to see the output of the camera. for my part it was the car's location information that i felt they just didn't need, but again i guess in order to set charge targets they end up with that info as well.
>
> finally they claim that if i delete my optiwatt account then any data in there is anonymized and they no longer can know who the data belonged to. but that means that they retain it, which isn't so hot. data can always be de-anonymized with some effort.
>
> chargepoint has not replied to my inquiry.

If Optiwatt uses an intermediary like Smartcar, then you should also be concerned with what personal data and ongoing data connections that intermediary is retaining.
 

methorian

Well-Known Member
Joined
Nov 18, 2019
Threads
18
Messages
1,558
Reaction score
2,437
Location
Roanoke, VA
Vehicles
2021 Mach-E First Edition, 2025 Kia EV6 GT-Line
Occupation
IT Admin
astrorob said:
> so optiwatt's customer service claims that if the car is deleted from your account, then they lose access to the car. hard to believe that's really true, because it's on them to remove any API keys including from any backups they may have. they also noted that they get access to your car's camera because ford doesn't allow them to pick and choose what access they get - it's all or nothing. still they claim they have no way to see the output of the camera. for my part it was the car's location information that i felt they just didn't need, but again i guess in order to set charge targets they end up with that info as well.
>
> finally they claim that if i delete my optiwatt account then any data in there is anonymized and they no longer can know who the data belonged to. but that means that they retain it, which isn't so hot. data can always be de-anonymized with some effort.
>
> chargepoint has not replied to my inquiry.

Based on the camera thing, I'd say they're full of bologna. There is no external/remote access to cameras on a Mach-E.
 
astrorob

well that might have been a catch-all response, i'm not sure the CSR really knew we were talking about mach-e as the support thread was triggered by my removal of my chargepoint charger from their dashboard. they then "reached out" to ask why i did this and i started asking them the privacy questions.

somehow they claim they are using smartcar.com as a conduit, and there's just no way to link a ford product on smartcar.com, so besides contacting smartcar and telling them to delete my API key (difficult since i don't know what user identifier they are using or what the API key is), i'm not sure how to proceed here. and really this revocation has to happen on ford/chargepoint's side for me to believe that smartcar (or whoever) really can no longer access my vehicles/charger.
 

macchiaz-o

astrorob said:
> somehow they claim they are using smartcar.com as a conduit, and there's just no way to link a ford product on smartcar.com, so besides contacting smartcar and telling them to delete my API key (difficult since i don't know what user identifier they are using or what the API key is), i'm not sure how to proceed here. and really this revocation has to happen on ford/chargepoint's side for me to believe that smartcar (or whoever) really can no longer access my vehicles/charger.

This is where it's super important to change your Ford credentials, to block Smartcar's access.

I noticed way back here that Smartcar was presenting a login that looked like Ford's but the url was at smartcar.com, so I backed away.

This was for Recurrent Auto -- so it's not just Optiwatt working with Smartcar. And since they've done literally nothing at all to improve their situation over many years, Smartcar seems to me to be shady as heck.
 
astrorob

macchiaz-o said:
> This is where it's super important to change your Ford credentials, to block Smartcar's access.

well of course i have done that, but if we are talking about an API id/token then changing the password to the account won't do anything. the API id/token is like a 2nd login credential for the same account that needs to be revoked separately. that's why i'm concerned here. it seems insane that ford and chargepoint would allow API access via a token scheme but there's no way to see or revoke the tokens.

but of course it's possible that they are just using your login credentials to gain access to the API, and if that's the case then at this point all is taken care of.
 

macchiaz-o

astrorob said:
> well of course i have done that, but if we are talking about an API id/token then changing the password to the account won't do anything. the API id/token is like a 2nd login credential for the same account that needs to be revoked separately. that's why i'm concerned here. it seems insane that ford and chargepoint would allow API access via a token scheme but there's no way to see or revoke the tokens.
>
> but of course it's possible that they are just using your login credentials to gain access to the API, and if that's the case then at this point all is taken care of.

Yeah I'm counting on it being the latter. I hope they don't have an API key, but if they did, then honestly it's Ford's responsibility to provide a user interface for us to be able to see and revoke those. Also, if Ford were to dispense a key for your account to any third party, then Ford should notify you by email.

As far as I know, Ford doesn't give us a web page where we can see third party authorizations so I'm assuming for now that Smartcar continues to do it the awful wrong way where they get full access to your personal account.
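
The difference discussed in the two posts above (a stored password versus a separately issued API token), as an added example that is not part of any post and not Ford's, ChargePoint's or any vendor's code: a toy in-memory provider showing which kind of access a password change cuts off. The `Provider` class, the app names and the `revoke_tokens_on_password_change` switch are assumptions made for illustration; real providers differ on whether a password change also invalidates tokens.

```python
import secrets

class Provider:
    """Toy account provider (hypothetical; not any real vendor's behaviour)."""

    def __init__(self, revoke_tokens_on_password_change=False):
        self.passwords = {}   # user -> current password
        self.grants = {}      # token -> (user, third-party app name)
        self.revoke_on_change = revoke_tokens_on_password_change

    def register(self, user, password):
        self.passwords[user] = password

    def login(self, user, password):
        return secrets.compare_digest(self.passwords.get(user, ""), password)

    def authorize(self, user, password, app):
        """Consent flow: the user logs in at the provider, the app gets a token."""
        if not self.login(user, password):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(16)
        self.grants[token] = (user, app)
        return token

    def token_valid(self, token):
        return token in self.grants

    def list_grants(self, user):
        """What a 'connected apps' page would show the account owner."""
        return sorted(app for u, app in self.grants.values() if u == user)

    def revoke(self, user, app):
        self.grants = {t: g for t, g in self.grants.items() if g != (user, app)}

    def change_password(self, user, new_password):
        self.passwords[user] = new_password
        if self.revoke_on_change:  # provider policy, assumed configurable here
            self.grants = {t: g for t, g in self.grants.items() if g[0] != user}


def scenario(revoke_tokens_on_password_change):
    p = Provider(revoke_tokens_on_password_change)
    p.register("owner", "old-pass")                    # constructed sample account
    stored_password = "old-pass"                       # app A kept the password itself
    token = p.authorize("owner", "old-pass", "app-b")  # app B holds a delegated token
    p.change_password("owner", "new-pass")
    after_change = (p.login("owner", stored_password), p.token_valid(token))
    p.revoke("owner", "app-b")                         # explicit per-app revocation
    return after_change, p.token_valid(token), p.list_grants("owner")
```
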
 
astrorob

so they just replied to me and said that they were in error when they said smartcar was in the loop and claim that they go direct to ford. but that implies the API key is still live and they have just deleted it on their end.