Implementation Checklist

Phase 0: Pre-Kickoff

Tech Stack: Identify technology stack for implementation and explore appropriate SDKs (frontend and backend) and getting started resources.
Tesla Tenanting: (Enterprise Only) Check in with your Solution Architect to ensure you have your Tesla Tenant set up enabling your org to have a Virtual Key with your own brand name.
Slack Channel: (Enterprise Only) Smartcar will set up a dedicated Slack channel for technical communications - ensure the relevant stakeholders are added.

Team Access: Invite relevant team members to your Smartcar Dashboard account.
Subscribe to Updates: Ensure your team subscribes to status.smartcar.com, brandreliability.smartcar.com and product changelogs to stay informed on platform health and updates.
Environment Setup: Create distinct Test and Production applications in the dashboard with clear naming conventions.
Credentials: Capture and securely store your Client ID, Client Secret, and Application Management Token.
Secret Management: Integrate your Client Secret into an enterprise secrets management system (e.g. AWS Secrets Manager, Vault). Never commit secrets to version control.
Connect Configuration: Set each application’s Privacy Policy URL and Logo.
Redirect URIs: Configure the Redirect URI for each application (ensure they are externally accessible).
Scope Definition: Define your Vehicle Access Configuration (OAuth scopes) based on the specific signals and commands your application requires.
Scope Minimization: Strictly enforce Scope Minimization by requesting only the minimum necessary data permissions from the user.
Brand Select: Confirm and specify which OEM Brands will be displayed to the user and if you want to automatically add any new brands as they become available.
Compatibility Check: (Enterprise Only) Validate target vehicle compatibility using the Region and Make Compatibility API.

User Journey: Determine how your application will funnel users into the Smartcar Connect flow.
Frontend Implementation: Implement the frontend Connect flow to generate the authorization URL (using link.getAuthUrl()).
First Connection: Onboard your first test vehicle and review its data in the Smartcar Dashboard.
Brand Select: Assess and implement Brand Select functionality (if applicable) to skip the brand selection screen and accelerate the user flow.
Error Simulation: Validate your application’s error handling by testing with simulated error VINs (e.g., using the invalid_subscription trigger).

Architecture: Design the backend architecture.
Webhook Endpoint: Implement a backend endpoint to receive webhook data and error payloads.
Callback Endpoint: Implement a backend endpoint to receive the authorization code at your Redirect URI.
Token Exchange: Implement the logic to exchange the authorization code for an accessToken (valid for 2 hours) and refreshToken (valid for 60 days). This must be done server-side.
Secure Storage: Securely store tokens in an encrypted backend database. Tokens must never be stored client-side.
Proactive Renewal: Implement a service to exchange the refreshToken for a new token pair before the 60-day expiration window closes.
Atomic Token Rotation: Implement Atomic Token Rotation logic to ensure new token pairs are persisted reliably, preventing race conditions that could invalidate single-use tokens.
Support Protocol: Establish internal support protocols to handle questions from your vehicle owners (ensure your team acts as Tier 1 support before escalating to Smartcar).

Webhooks-First: (If migrating) Shift data ingestion models from polling to a Webhooks-First architecture for real-time scalability.
Webhook Configuration: Configure Webhook integrations in the Smartcar Dashboard (select triggers, set callback URI).
Payload Verification: Implement the mandatory callback URI verification logic (responding to the VERIFY event with the challenge hash).
User Error Handling: Map Connect errors (e.g. no_vehicles) to clear, actionable messages for your users.
Vehicle Error Handling: Handle VEHICLE_ERROR events and trigger user notifications when specific vehicle owner actions are required to resolve the issue.
Re-authentication: Implement resolution logic for ACCOUNT_ISSUE errors by prompting the user to re-authenticate via Smartcar Connect.
Rate Limiting: Implement Exponential Backoff strategies for retrying API errors (429) and adhere to Retry-After headers.

Access Control: Ensure all service-specific IAM roles adhere to the principle of least privilege.
Secret Management: Verify all secrets are stored and accessed via a dedicated secrets manager.
Encryption: Ensure data is encrypted at rest and in transit.
Vulnerability Scanning: Confirm that dependency and vulnerability scans pass with zero critical/high issues.
Network Security: Configure firewalls/security groups to block unauthorized ports and apply WAF rules where appropriate.
Logging: Ensure structured logs are successfully ingested for staging and production environments, with configurable log levels.
Observability: Configure a dashboard to capture essential metrics (Latency, Error Rate, Traffic).
Alerting: Configure critical alerts to route to your on-call channels.
CI/CD: Ensure a fully automated build and deployment pipeline is in place for all environments.
Infrastructure as Code (IaC): The service infrastructure is managed using IaC (e.g., Terraform, CDK).
Architecture Review Complete: The service architecture has passed the formal review.
Service Runbook: A complete runbook exists detailing: service owners, quick start, deployment, scaling, and incident response.
Tagging: Tagging policy is applied to infrastructure.
Support Review: Review the vehicle owner support approach again and ensure VO’s are not channeled to Smartcar support directly and that Smartcar support is used as Tier 3