Authorize
Initiates the OAuth 2.0 authorization flow by presenting the consent screen to the Fitbit user.


Request

URL https://www.fitbit.com/oauth2/authorize

Query Parameters
client_id
required

This is the Fitbit API application id created within dev.fitbit.com.

Type: string
response_type
required

code for Authorization Code Grant Flow [with PKCE]
token for Implicit Grant Flow.

Type: string
scope
required

A space-delimited list of the permissions you are requesting. See Scopes.

Type: string
redirect_uri
recommended

Where Fitbit should send the user after the user grants or denies consent. Required unless only one redirect URI is specified for the application in the settings on dev.fitbit.com. See Redirect URIs.

Type: URI
expires_in
optional

For use with the Implicit Grant Flow only. Pre-selects the desired access token lifetime, in seconds. Authorization Code Grant Flow [with PKCE] access tokens only support a lifetime of 8 hours (28800 seconds), so this parameter does not apply to that flow.

86400 for 1 day
604800 for 1 week
2592000 for 30 days
31536000 for 1 year

Default: 86400

Type: string
prompt
optional

Forces the Fitbit sign-in page, the OAuth 2.0 consent page, or both to be displayed. When used, the redirect_uri parameter must be specified.

none for default behavior.
consent to require consent from the user, even if they have previously authorized your application.
login to require the user to sign in, but request consent according to the default behavior.
login consent to require the user to sign in and authorize your application. The space in this parameter value needs to be URL encoded (login%20consent).

Type: string
state
recommended

Provides any state that might be useful to your application when the user is redirected back to it. Fitbit adds this parameter to the redirect URI exactly as your application specified it. Fitbit strongly recommends including an anti-forgery token in this parameter and confirming its value on the redirect to mitigate cross-site request forgery (CSRF): generate the token from a cryptographically secure random source, bind it to the user's session before redirecting, and reject the callback if the value is missing or does not match.

Type: string
code_challenge
(For use with PKCE only)
required when using PKCE

The code challenge is derived from the code verifier by applying a transformation to it. The code verifier is a cryptographically random string generated fresh for each authorization request; the client keeps it private and presents it only when it exchanges the authorization code for tokens. The available transformations are S256 and plain.

S256: must be used if the client supports it:
code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier))).

plain: mitigates a narrower range of attacks than S256 and may be used only if the client cannot technically support S256:
code_challenge = code_verifier.

When code_challenge_method is omitted, the challenge is treated as plain, so a client using S256 must send code_challenge_method=S256 explicitly.

Type: string
code_challenge_method
(For use with PKCE only)
optional

The transformation used to derive code_challenge from the code verifier: S256 or plain.

Default: plain

Type: string


Examples

Authorization Code Grant Flow with PKCE (recommended)
https://www.fitbit.com/oauth2/authorize?response_type=code
    &client_id=<client ID>
    &redirect_uri=https%3A%2F%2Fexample.com%2Fcallback
    &code_challenge=E9Melhoa2OwvFrEMTJgCHaoeK1t8URWbuGJSstw-cM
    &code_challenge_method=S256
    &scope=activity%20nutrition%20heartrate%20location%20...
Authorization Code Grant Flow
https://www.fitbit.com/oauth2/authorize?response_type=code
    &client_id=<client ID>
    &redirect_uri=https%3A%2F%2Fexample.com%2Fcallback
    &scope=activity%20nutrition%20heartrate%20location%20...
Implicit Grant Flow
https://www.fitbit.com/oauth2/authorize?response_type=token
    &client_id=<client ID>
    &redirect_uri=https%3A%2F%2Fexample.com%2Fcallback
    &expires_in=604800
    &scope=activity%20nutrition%20heartrate%20location%20...



Response

URL Parameter Description
code
The authorization code, which must be exchanged for the access token and refresh token.
Returned with Authorization Code Grant Flow [with PKCE].
access_token
The Fitbit user's access token.
Returned with Implicit Grant Flow.
user_id
The Fitbit user id.
Returned with Implicit Grant Flow.
token_type
Supported: Bearer
Returned with Implicit Grant Flow.
expires_in
The access token lifetime, in seconds (for example, 604800).
Returned with Implicit Grant Flow.
scope
List of scopes enabled by the Fitbit user.
Returned with Implicit Grant Flow.
state
The value your application supplied in the request, echoed back unchanged.
Returned with both flows when the request included it.
Authorization Code Grant Flow [with PKCE]
https://example.com/callback?code=<authorization_code>#_=_0
    
Implicit Grant Flow
https://example.com/callback#access_token=<access_token>
    &user_id=<user_id>
    &token_type=Bearer
    &expires_in=604800
    &scope=social+weight+nutrition+profile...
    

Response Headers
content-type
The media type of the response content being sent to the client. Supported: application/json
fitbit-rate-limit-limit
The quota number of calls.
fitbit-rate-limit-remaining
The number of calls remaining before hitting the rate limit.
fitbit-rate-limit-reset
The number of seconds until the rate limit resets.

Note: The rate limit headers are approximate and asynchronously updated. This means that there may be a minor delay in the decrementing of remaining requests. This could result in your application receiving an unexpected 429 response if you don't track the total number of requests you make yourself.
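Because the headers above lag behind the real count, a client should keep its own tally and treat the server's `fitbit-rate-limit-remaining` as an upper bound rather than the truth. The tracker below does that: it decrements a local counter on every request, never lets the server's figure raise that counter, and rolls the window over when `fitbit-rate-limit-reset` elapses. It is an added example, not Fitbit's code; only the three header names come from this page, and the injectable clock exists so the logic can be exercised offline.

```python
"""Client-side quota bookkeeping for Fitbit's fitbit-rate-limit-* headers.
Added example, not Fitbit's code.  Header names are from the docs page;
the quota size and reset timing are whatever the headers report."""
import time


class RateLimitTracker:
    """Combine the server's lagging counters with a local request count.

    The headers are updated asynchronously, so trusting
    fitbit-rate-limit-remaining alone can overshoot and draw a 429.
    We decrement our own counter per request and only ever lower it
    from the server's value, never raise it.
    """

    def __init__(self, clock=time.monotonic):
        self._clock = clock            # injectable for tests
        self.limit = None              # fitbit-rate-limit-limit
        self.local_remaining = None    # our conservative estimate
        self.reset_at = None           # clock value when the window resets

    def record_request(self):
        """Call immediately before sending a request."""
        self._maybe_reset()
        if self.local_remaining is not None:
            self.local_remaining -= 1

    def update(self, headers):
        """Feed the response headers (any case; dict-like)."""
        h = {k.lower(): v for k, v in headers.items()}
        self.limit = int(h["fitbit-rate-limit-limit"])
        server_remaining = int(h["fitbit-rate-limit-remaining"])
        self.reset_at = self._clock() + int(h["fitbit-rate-limit-reset"])
        if self.local_remaining is None:
            self.local_remaining = server_remaining
        else:
            # The server may not have counted our latest requests yet.
            self.local_remaining = min(self.local_remaining, server_remaining)

    def remaining(self):
        """Calls we believe are left in the current window (None if unknown)."""
        self._maybe_reset()
        return self.local_remaining

    def wait_seconds(self):
        """0.0 if a request may be sent now, else seconds until the reset."""
        r = self.remaining()
        if r is None or r > 0:
            return 0.0
        if self.reset_at is None:
            # Only reachable after a full window with no responses; the next
            # response re-synchronises us.
            return 0.0
        return max(0.0, self.reset_at - self._clock())

    def _maybe_reset(self):
        if self.reset_at is not None and self._clock() >= self.reset_at:
            self.local_remaining = self.limit
            self.reset_at = None
```

Wire `record_request()` before each call and `update(resp.headers)` after it; when `wait_seconds()` is non-zero, sleep for that long instead of sending. Keeping the local count strictly at or below the server's figure is what prevents the surprise 429 the note above describes.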

Response Type

HTTP Status Code
HTTP response code. A list of codes is found in the Troubleshooting Guide.
Status Message
Description of the status code.
Response Body
Contains the JSON response to the API call. When the API call returns an error, the errorType, fieldName and message fields give more information about the cause of the failure.

Response Codes

For a complete list of authorization errors, please refer to the Troubleshooting Guide.


Additional Information

The Fitbit consent page supports localization. Since it is just a web form, the text is translated based on the user's "Language by Region/Country" setting in their Fitbit account. The user's device or browser language settings may translate the consent language, as well. We do not support a query parameter that forces language conversion.