Volkswagen tightens API security, disrupting Home Assistant vehicle integration

Volkswagen has implemented a technical change requiring client assertion for authentication, a move that has effectively blocked login functionality for the Home Assistant Volkswagen Carnet integration. While the official Volkswagen smartphone application continues to operate without issue, users attempting to access their vehicles via the Home Assistant platform are encountering significant authentication errors.

The disruption was identified through community reports on GitHub and Hacker News, highlighting a divergence between official app functionality and third-party API access. The specific error message received by users is in German: "Anmeldung bei Volkswagen Connect nicht möglich. Bitte überprüfe deine Zugangsdaten und stelle sure, dass der Dienst verfügbar ist," which translates to "Login at Volkswagen Connect not possible. Please check your login details and ensure that the service is available."

This change suggests Volkswagen is tightening security protocols for its connected car services. Client assertion is a security mechanism often used in OAuth 2.0 flows to verify the identity of the client application. The implementation indicates a strategic shift in how the manufacturer manages access to its Volkswagen Connect API, potentially impacting other unofficial integrations that rely on similar authentication methods.

The issue was reported via GitHub issue #967 on the robinostlund/homeassistant-volkswagencarnet repository. The report notes that users can still log in using the smartphone app Volkswagen/Volkswagen Connect and interact with their cars, confirming that the backend services remain active for authorised official clients. However, the third-party integration lacks the necessary support for the new client assertion requirement.

It remains unclear if this change is a permanent policy shift or a temporary technical adjustment by Volkswagen. The specific timeline for when this change was implemented is not explicitly stated in the source material, only that it is currently active. Furthermore, it is uncertain whether other third-party integrations or unofficial clients are similarly affected, as only the Home Assistant integration is explicitly mentioned in the report.

Home Assistant is an open-source home automation platform that allows users to integrate various smart devices, including vehicles, into a centralised system. The homeassistant-volkswagencarnet is a third-party integration that enables Home Assistant to communicate with Volkswagen vehicles via the Volkswagen Connect API. This incident underscores the fragility of such integrations when manufacturers alter their security architectures without prior notice to the developer community.