Introspect
Allows the application to retrieve the active state of an OAuth 2.0 token. This endpoint conforms to RFC 7662.
Request
POST | /1.1/oauth2/introspect |
Body Parameters
token required |
The OAuth 2.0 token whose current state is to be retrieved. This need not be the same token as the one sent in the Authorization header: any access token may be checked. Type: string |
Request Headers
authorization | required | Specify the token type and Fitbit user’s access token. Token type: Bearer |
content-type | required | The original media type of the resource. Supported: application/x-www-form-urlencoded |
accept | optional | The media type of the response content the client is expecting. Supported: application/json |
accept-language | optional | The measurement unit system to use for response values. See Localization. |
accept-locale | optional | The locale to use for response values. See Localization. |
Examples
POST https://api.fitbit.com/1.1/oauth2/introspect
Authorization: Bearer <access_token>
Content-Type: application/x-www-form-urlencoded
token=<The OAuth 2.0 token to retrieve the state>
curl -X POST "https://api.fitbit.com/1.1/oauth2/introspect" \
  -H "authorization: Bearer <access_token>" \
  -H "content-type: application/x-www-form-urlencoded" \
  -d "token=<The OAuth 2.0 token to retrieve the state>"
Response
Element Name | Description |
active | Whether the token is currently valid. Supported: true or false |
scope | States the scope and ability to read/write. |
client_id | The client ID for the granted application. |
user_id | The Fitbit user ID. |
token_type | Supported: access_token |
exp | The token's expiration date. |
iat | The token's issued date. |
{
  "active": true,
  "scope": "{ACTIVITY=READ_WRITE}",
  "client_id": "<Client Id>",
  "user_id": "<User Id>",
  "token_type": "access_token",
  "exp": <expiration date>,
  "iat": <issued date>
}
or
{ "active": false }
Response Headers
content-type | The media type of the response content being sent to the client. Supported: application/json |
fitbit-rate-limit-limit | The quota number of calls. |
fitbit-rate-limit-remaining | The number of calls remaining before hitting the rate limit. |
fitbit-rate-limit-reset | The number of seconds until the rate limit resets. |
Note: The rate limit headers are approximate and asynchronously updated. This means that there may be a minor delay in the decrementing of remaining requests. This could result in your application receiving an unexpected 429 response if you don't track the total number of requests you make yourself.
Response Type
HTTP Status Code | HTTP response code. List of codes are found in the Troubleshooting Guide. |
Status Message | Description of the status code. |
Response Body | Contains the JSON response to the API call. When the API call returns an error, the errorType, fieldName and message fields give more information about the cause of the failure. |
Response Codes
200 | A successful request. |
400 | The request had bad syntax or was inherently impossible to be satisfied. |
401 | The request requires user authentication. |
Note: For a complete list of response codes, please refer to the Troubleshooting Guide.
Additional Information
Inactive tokens
When the introspect endpoint returns "active": false, the token passed in the token parameter is not active. RFC 7662 section 2.2 states that the authorization server should not give any further detail about why the token is inactive, so the response carries no reason. In practice, inactive tokens have usually either expired or been revoked; a client should handle both cases the same way rather than try to infer the cause from the response.