By ByteBot
On May 27, 2026, Volkswagen quietly changed its authentication API — and thousands of home automation setups broke overnight. No announcement. No migration path. Just HTTP 401 errors cascading through Home Assistant dashboards, evcc charge controllers, and ioBroker instances across Europe. The Hacker News thread hit 248 points in hours. The cause: VW now requires “client assertion,” a cryptographic proof that API requests originate from an approved VW app on an unmodified Google Play or Apple App Store device. Open-source projects can’t get that key. They never will, unless they pay for a formal partnership with VW Group Info Services.
What Broke — and Why It Mattered
The integrations that stopped working weren’t hobbyist curiosities. The most affected workflow was solar surplus EV charging: evcc, the popular open-source EV charge controller, polls your car’s state-of-charge every few minutes and only charges when your rooftop solar is producing more than your home consumes. That loop depends on reading battery data from the VW API. The official VW app offers no equivalent automation capability — it’s manual control only.
Home Assistant’s Volkswagen integration exposed vehicle state as sensors: battery percentage, charging status, cabin temperature, estimated range, door locks. Users built automations around these — arrival-triggered pre-conditioning, battery health limits set at 80%, charging windows aligned to cheap off-peak electricity rates. All of it requires API access. GitHub issue #969 captures the frustration: “VW has disabled access to API, so any services based on it no longer work.” The same pattern repeated across ioBroker, custom evcc forks, and every other third-party tool reaching emea.bff.cariad.digital.
Data Protection, or Just Monetization?
VW’s official framing: “Apps without a formalised relationship with VW Group Info Services will no longer be able to access vehicle data.” The stated reasoning is “data protection and stability.” However, the technical reality contradicts the security narrative. VW’s own browser-based portal still works. This restriction doesn’t protect your data — it controls who can read it for commercial purposes.
The business logic is straightforward. VW already charges €100 per year for a WeConnect subscription. Third-party API access now requires a separate paid relationship with CARIAD, VW’s software arm. Commercial apps can apparently fast-track through the process — Tibber’s energy integration reportedly survived. Open-source projects have no path. There is no public registration form, no open developer program, no timeline for evcc or Home Assistant to gain access. The “formal framework” is a paywall, not a safety measure. You’re being charged twice: once for the car, once for the subscription, and now again for the privilege of reading a sensor value from something you own.
The Wall Has an Expiration Date
Here’s the irony VW’s legal team cannot have missed: the EU Data Act (Regulation 2023/2854) Article 3 enforcement deadline is September 12, 2026 — less than 16 weeks away. The regulation requires connected products, including vehicles, to make user-generated data available in a structured, machine-readable format to the owner and any third party the owner designates. Direct user access must be free. VW is erecting a commercial paywall on access that EU law will soon mandate be accessible at no charge for user-directed use.
The evcc community began petitioning the EU Parliament about this precise issue in December 2025. The EU Data Act vehicle guidance published by the Commission spells out compliance requirements clearly: manufacturers must expose vehicle data through an accessibility-by-design interface by September. VW’s May 2026 lockdown may or may not survive legal scrutiny — but the September deadline makes this a short-lived problem, at least in the EU. Non-EU markets have no equivalent protection.
What Developers Can Do Right Now
For those who can’t wait until September, three options exist. First, OBD-II hardware adapters connect directly to your car’s diagnostic port over Bluetooth or Wi-Fi — no VW cloud involvement, no authentication issues. evcc supports dozens of vehicles through OBD adapters today. Second, OpenVehicles OVMS is an open-source hardware module that plugs into the OBD port and provides a community-maintained firmware layer. Third, and most relevant for developers: file a consumer complaint with your national EU Data Act enforcement authority. The law is already on the books. The evcc community is pursuing exactly this route while waiting for September.
Key Takeaways
- VW broke Home Assistant, evcc, and ioBroker integrations on May 27 by requiring client assertion — a restriction that locks out all open-source projects from vehicle data.
- The stated rationale is “data protection,” but commercial apps get exceptions and VW is charging for API access on top of existing €100/year subscription fees.
- The EU Data Act Article 3 requires free user-directed data access starting September 12, 2026 — making VW’s paywall legally questionable and time-limited within the EU.
- Immediate workaround: OBD-II hardware adapters bypass the cloud API entirely and work with evcc today.
- Non-EU markets have no equivalent regulatory protection. If you build on manufacturer cloud APIs, this pattern is coming for you regardless of brand.
