for fleet owner

Quickstart - Authentication

Info: Stellantis Fleet Owner API for ex Groupe PSA brands (Citroën, DS, Peugeot, Opel and Vauxhall) is made for organisations owning fleet of vehicles.

Authentication B2B #

In this tutorial you will find an explanation about getting your B2B authentication in Stellantis network. This authentication is required in order to consume Stellantis API for ex Groupe PSA brands (Citroën, DS, Peugeot, Opel and Vauxhall).

This page is dedicated to Stellantis’s commercial partners. End-user authentication procedure is different, check this page.

Our API allows access to sensible data about your fleet of vehicles, that’s why we have to perform mutual authentication between our networks. In order to sign your certificate we need you to produce a Certificate Signing Request (CSR).

At the end of this process you will have everything you need to consume our B2B API for connected vehicles!

Login info:

  • MZP: partner login in Stellantis (ex-Groupe PSA) network.
  • Password: partner password in Stellantis (ex-Groupe PSA) network.
  • Client ID: application ID (maybe you will have more than one application).
  • Client Certificate: trusted SSL certificate signed by the dedicated Stellantis (ex-Groupe PSA) authority.
  • Private Key: Your Private Key file.
  • CA Certificate: Stellantis CA Cert for peer verification.


1. Partner Login #

First, you’ll need a Stellantis (ex-Groupe PSA) login (ex: MZP123456). If you already have one, you can go to step 2. If you don’t have one, contact us and we will create one for you.

2. Encryption Keys & CSR #

Once you have received MZP login, next step is to produce SSL keys and CSR. These keys will allow encrypted communication between you and Stellantis:

  • Public key will be used by Stellantis to encrypt messages.
  • Private key will be used by you to decrypt Stellantis’s messages. Be careful, your private key is secret you need to keep it safe on your network.

In order to ensure your identity we have to perform signing process of your public key and general info about your company. That is why you need to create a Certificate Signing Request (CSR). We will sign your CSR and send you back a proper SSL certificate. Here is info we need in your CSR:

Information Value
COUNTRY NAME (C) Country code, two letters (ex: FR)
STATE OR PROVINCE (S) ex: ‘Kansas’ or ‘Ile de France’
LOCALITY NAME (L) ex: ‘Paris’
ORGANIZATIONAL UNIT (OU) You must type: ‘Programs Partners’
COMMON NAME (CN) ex: ‘MZP128745’
EMAIL ADDRESS Email address, will be used in order to download and renew your certificate

Producing encryption keys and CSR have to be done with a dedicated software. Here is examples with two of them:

2.1 With OpenSSL

OpenSSL is an open-source software library for encryption purpose. It is widely used in internet security. You can download and install Open SSL using this link (Windows).

With OpenSLL producing key and creating CSR can be performed in one step. Create a directory with text configuration file named like ‘CSRConfig.conf’ and copy/past this text into it:

[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
countryName = COUNTRY NAME (C) two letters ex: FR
stateOrProvinceName = STATE OR PROVINCE (S) ex: Kansas or Ile de France
localityName = LOCALITY NAME (L) ex: Paris
organizationName = ORGANIZATION NAME (O) ex: Free2Move
organizationalUnitName = ORGANIZATIONAL UNIT (OU) Press enter or Programs Partners
organizationalUnitName_default = Programs Partners
commonName = COMMON NAME (CN) ex: MZP128745
emailAddress = EMAIL ADDRESS will be used in order to download and renew your certificate

Browse this place with your terminal and execute this command:

$ openssl req \
  -new \
  -keyout KeyName.pem \
  -out CSRName.csr \
  -config CSRConfig.conf
  • KeyName.pem will be your keyfile name
  • CSRName.csr will be your CSR name
  • CSRConfig.conf is configuration file’s name

You will be requested for info incorporated in your CSR. Once you fill it you will get your CSR and Keyfile in your directory.

2.2 With Keytool

Keytool comes with Java Devlopment Kit. Like OpenSSL, it can be used to produce keys (in a file name keystore) and CSR.

Produce your keys using this command:

$ keytool \
  -genkey \
  -alias KeyName \
  -keyalg RSA \
  -keysize 2048 \
  -dname "CN=MZPXXXX,OU=Programs Partner,O=PatrnerName,L=<Paris,C=FR,email=it@partner.com" \
  -keystore KeyStoreName.jks
  • CN Common Name (ex MZP128745)
  • OU Do not replace Programs Partners is right
  • O Organization Name (ex Free2Move)
  • L Locality Name (ex Paris)
  • C Country Name two letters (ex: FR)
  • email will be used in order to download and renew your certificate
  • Keyname will be the name of the keys in the keystore
  • KeyStoreName.jks will be the name of your keystore

Generate your CSR:

$ keytool \
  -certreq \
  -alias Keyname \
  -keystore KeyStoreName.jks \
  -file CSRName.csr
  • Keyname is the name of the keys in the keystore
  • KeyStoreName.jks is the name of your keystore
  • CSRName.csr will be the name of the CSR

3. Submit CSR #

Once you have created your brand-new CSR file, send it to your contact in Stellantis. At this point we will begin our internal process to sign your certificate.

4. Certificate & Client ID #

If everything is ok, our certification authority will accept your Certificate Signing Request. Then you’ll receive an email at the adress you specified. This email contains: link to download your certificate & Stellantis CA certificate + Client ID (= application id). Download your signed certificate and keep carefully your client ID.

5. Request Example #

In order to use Stellantis Fleet owner API, you must authenticate yourself as a partner in Stellantis’s network! Look further for more info about B2B authentication. Once you get what you need for authentication, you can try to send your first request to Stellantis’s API.

Here is an example of cURL request:

$ curl \
  --request GET \
  --url 'https://api-cert.groupe-psa.com/connectedcar/v3/fleets' \
  --data-urlencode 'client_id=<client_id>' \
  --header 'Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==' \
  --key 'path/to/key.pem' \
  --cert 'path/to/client_cert.pem[:<cert_password>]' \
  --cacert 'path/to/ca_cert.pem' \
Type Name Value Description Required
Query Parameter client_id <App_ID> Id of the application. Yes
File Client Certificate path/to/client_certificate.pem Your SSL certificate for authentication in Stelantis network. Yes
File Private Key path/to/key.pem Your Private Key file. Yes
File CA Certificate path/to/ca_certificate.pem Stellantis CA Cert for peer verification. Yes
Header accept application/json Advertises that you accept JSON content-type. Yes
Header authorization Basic <BASIC_AUTH> Indicate that authentication is Basic Auth and <BASIC_AUTH> is user:password in Base64. Yes

See Also #


A Quick Start guide is provided to help you understand the basics and get started.

Testing the API

To test the API you can check the API List directly.