Revoke Token
Used to disable a user's authorization for an application. The revoke endpoint, specifying either the access token or refresh token, will remove the user's authorizations and all associated tokens. This endpoint conforms to RFC 7009.
Revoking the access token or refresh token will provide the same result. When the token is revoked, all tokens are revoked for that user. If an application has multiple sessions (web, mobile, etc.) for the same user, the revocation will remove all sessions (web, mobile, etc.) associated with that user.
In addition, a revocation request can be made for tokens used by public clients. The Authorization header is not used. Instead, the public client's client_id and associated token will need to be specified as parameters in the revocation request.
Request
| POST | /oauth2/revoke |
Body Parameters
| token required |
The access_token or refresh_token to be revoked, or The access_token or refresh_token to be revoked on the associated public client. Type: string |
| client_id (For use with public clients only) optional |
The public client's client_id. Type: string |
Request Headers
| authorization | (For use with server apps only) required |
Must be set to Basic followed by a space, then the Base64 encoded string of your application's client id and secret concatenated with a colon. For example, the Base64 encoded string, Y2xpZW50X2lkOmNsaWVudCBzZWNyZXQ=, is decoded as "client_id:client secret". Token type:Basic |
| accept | optional | The media type of the response content the client is expecting. Supported: application/json |
| accept-language | optional | The measurement unit system to use for response values. See Localization. |
| accept-locale | optional | The locale to use for response values. See Localization. |
Examples
Authorization: Basic <basic_token>
Content-Type: application/x-www-form-urlencoded
token=<access_token or refresh_token to be revoked>
Revoking tokens used by public clients
POST https
Content-Type: application/x-www-form-urlencoded
client_id=<public_client_id>&token=<access_token or refresh_token to be revoked>
-H "content-type: application/x-www-form-urlencoded" \
-H "Authorization: Basic <basic_token>" \
-d "token=<access_token or refresh_token to be revoked>"
Revoking tokens used by public clients
curl -X POST "https
-H "content-type: application/x-www-form-urlencoded" \
-d "client_id=<public_client_id>&token=<access_token or refresh_token to be revoked>"
Response
Response Headers| content-type | The media type of the response content being sent to the client. Supported: application/json |
| fitbit-rate-limit-limit | The quota number of calls. |
| fitbit-rate-limit-remaining | The number of calls remaining before hitting the rate limit. |
| fitbit-rate-limit-reset | The number of seconds until the rate limit resets. |
Note: The rate limit headers are approximate and asynchronously updated. This means that there may be a minor delay in the decrementing of remaining requests. This could result in your application receiving an unexpected 429 response if you don't track the total number of requests you make yourself.
Response Type
| HTTP Status Code | HTTP response code. List of codes are found in the Troubleshooting Guide. |
| Status Message | Description of the status code. |
| Response Body | Contains the JSON response to the API call. When errors are returned by the API call, the errorType, fieldName and message text will provide more information to the cause of the failure. |
Response Codes
| 200 | A successful request. |
| 400 | The request had bad syntax or was inherently impossible to be satisfied. |
| 401 | The request requires user authentication. |
Note: For a complete list of response codes, please refer to the Troubleshooting Guide.
Additional Information
Revoked tokens
Users have granular control over read/write access to their data through the Fitbit Web API. When a user revokes consent to your application, their access token becomes invalid and your access to that user's data through the Web API is no longer available. What you do with the data that has already been collected should be clearly documented in your Terms of Service and Privacy Policy. Any guidelines or requirements defined by Fitbit will be specified in our Platform Terms of Service.
Revoking refresh tokens
When a /oauth2/revoke request is made with a refresh_token
that is not present in our database, the service will respond with an
HTTP status code of 404 (NOT_FOUND). This signifies that the client can safely
remove the corresponding refresh_token from their own storage, as it is no
longer valid on the server-side. This provides clients with a clear
indication to the status of their refresh tokens, enabling them to maintain
accurate and efficient token management practices.
