Volkswagen blocks Home Assistant integration with client‑assertion requirement

Volkswagen’s CarNet API now enforces a client‑assertion token for OAuth flows, breaking the Home Assistant integration that relied on standard client‑credential grants [GitHub Issue]. The change, documented in issue #967 on May 29 2026, requires callers to present a signed JWT as the ‘client_assertion’ parameter, a step the existing integration does not perform.

Home Assistant’s ‘volkswagencarnet’ component authenticates by sending client_id and client_secret to Volkswagen’s token endpoint. With the new requirement, token requests fail with “invalid_client” errors, leaving users with disconnected vehicle data until the component is patched.

The fix is straightforward: generate a JWT signed with the client’s private key and include it in the token request. The upstream repository has already opened a pull request that adds this logic, but the change has not yet merged into the stable release [GitHub Issue]. Until then, users must either wait for the official update or apply the temporary patch manually.

This incident underscores two practical points. First, API providers can alter authentication contracts without notice, so integrations that depend on third‑party APIs need a rapid response path. Second, adopting standards such as RFC 7523 client assertions can improve security but also raises the implementation bar for hobbyist developers.

Developers maintaining Home Assistant integrations should monitor the upstream issue tracker and be prepared to push updates quickly when authentication schemes evolve.