Getting Started with the Fitbit APIs
Creating a Fitbit Developer Account
To use the Fitbit APIs, you need to have a Fitbit developer account. To create a developer account,
- Go to https://accounts.fitbit.com/signup to register for a fitbit.com account. The email address must be valid to complete the verification process. An existing fitbit.com account can be used.
- A verification email will be sent to that address; respond to it to complete the verification process.
Once the email address is verified, the user will be able to access https://dev.fitbit.com/apps to register new applications used to query the Web APIs.
To change the registered email address of the Fitbit developer account, please contact Fitbit Web API support for assistance.
TIP: For larger organizations, we recommend that the developer account email address be a distribution list. A distribution list makes ownership easier to manage as people move around the company.
Registering an Application
An application must be registered within the developer account prior to calling the Fitbit Web APIs for the first time. Each registered application is provided with a client ID and secret. These client credentials will need to be referenced by the application during user authorization.
Steps to register your application with Fitbit
- Go to https://dev.fitbit.com/apps
- In the upper right hand corner, click the link "Register a new application"
or
- Go to https://dev.fitbit.com
- In the upper right hand corner, click on Manage -> Register an App
Fill out the following fields:

| Field | Required? | Description |
| --- | --- | --- |
| Application Name | required | The name of your application. |
| Description | required | Describe what your application does. |
| Application Website | required | The URL that points to your application website or download page. This URL is presented to the user during consent. |
| Organization | required | The name of your company or organization. |
| Organization Website | required | Your company or organization website URL. |
| Terms of Service URL | required | The link to your Terms of Service document related to this application. It will be presented to the user during consent. |
| Privacy Policy URL | required | The link to your Privacy Policy document related to this application. It will be presented to the user during consent. |
| OAuth 2.0 Application Type | required | Supported: Server, Client, or Personal. See Application Types. |
| Callback URL | required | A link sending the onboarding user back to your application. The URL must be absolute. See Redirect URL. |
| Default Access Type | required | Supported: Read-only or Read & Write. See Access Types. |
| Add a Subscriber | optional / recommended | Required only if you want to receive webhook / push notifications for updates to user data. Not required for registering an application. See Subscriptions. |
NOTE: All URLs must use https.
Application Types
When registering your application, select the appropriate “OAuth 2.0 Application Type”. A description of the application types can be found at Application Types. See Authorization to determine the recommended OAuth 2.0 authorization flow that should be used for your application type.
Access Types
Applications operate in a read-only or read & write manner. This is an application-level setting and applies to all scopes. This is configured in the application settings at https://dev.fitbit.com/apps.
Only configure "Read & Write" access if you're sending data to Fitbit.
WARNING: Changing the access type settings will immediately invalidate all existing access tokens.
Registration Page Example
Application Settings
All registered applications will appear under the developer’s account at https://dev.fitbit.com/apps. Selecting one of the applications will display a summary of the application settings (see image).
NOTE: Never put your client secret in distributed code, such as apps downloaded through an app store or client-side JavaScript. Also, never give your client secret to external people or post it on a public forum. Fitbit employees may ask for this information to troubleshoot problems. The information should be sent privately, and typically only the first 10 characters of your client secret will be requested to verify application ownership.
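The following is an added example, not code from the Fitbit documentation or SDK, tying together the client-credential rule in the note above and the registration rules from the table (all URLs https, callback URL absolute). It reads the client ID and secret from the environment rather than from source, refuses callback URLs that would not pass registration, and builds the user-authorization redirect so that only the client ID ever reaches the browser. The authorization endpoint URL and the FITBIT_CLIENT_ID / FITBIT_CLIENT_SECRET variable names are illustrative assumptions; take the real endpoint and the recommended flow for your application type from the Authorization section of the documentation.

```python
"""Added example (not Fitbit's own code): keep the client secret out of
distributed code and enforce the registration rules on URLs.

Assumptions not stated on the page: the authorization endpoint below and
the FITBIT_CLIENT_ID / FITBIT_CLIENT_SECRET variable names are illustrative.
"""
import os
import secrets
from typing import Optional
from urllib.parse import urlencode, urlsplit

# Assumed endpoint for illustration only; confirm against the Authorization docs.
AUTHORIZE_ENDPOINT = "https://www.fitbit.com/oauth2/authorize"


def validate_registered_url(url: str) -> str:
    """Enforce the registration rules: every URL must use https, and the
    callback URL must be absolute (have a host). Returns the URL if valid."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"URL must use https: {url!r}")
    if not parts.netloc:
        raise ValueError(f"URL must be absolute (include a host): {url!r}")
    return url


def load_client_credentials(env=None) -> tuple:
    """Read the client ID and secret from the environment (or any secret
    store you inject) instead of a source literal. Fail closed if absent."""
    env = os.environ if env is None else env
    try:
        return env["FITBIT_CLIENT_ID"], env["FITBIT_CLIENT_SECRET"]
    except KeyError as missing:
        raise RuntimeError(f"missing credential: {missing.args[0]}") from None


def build_authorize_url(client_id: str, callback_url: str, scopes: list,
                        state: Optional[str] = None,
                        endpoint: str = AUTHORIZE_ENDPOINT) -> tuple:
    """Build the redirect that sends the user to consent. Only the client ID
    is included; the client secret stays on the server. `state` is a random
    per-session value that the callback handler must compare on return."""
    validate_registered_url(callback_url)
    state = state or secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": callback_url,
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{endpoint}?{urlencode(params)}", state


def support_fingerprint(client_secret: str) -> str:
    """What to send privately when support asks to verify ownership:
    only the first 10 characters, never the whole secret."""
    return client_secret[:10]


if __name__ == "__main__":
    # Constructed sample credentials in an in-memory "environment".
    fake_env = {"FITBIT_CLIENT_ID": "23ABCD",
                "FITBIT_CLIENT_SECRET": "0123456789abcdef0123456789abcdef"}
    cid, csecret = load_client_credentials(fake_env)
    url, state = build_authorize_url(cid, "https://app.example.com/callback",
                                     ["activity", "heartrate"])
    assert csecret not in url  # the secret must never appear in the redirect
    print(url)
    print("support fingerprint:", support_fingerprint(csecret))
```

In a real deployment the `state` value returned by `build_authorize_url` is stored in the user's session and compared against the `state` query parameter on the callback before the authorization code is exchanged; a mismatch means the callback did not originate from a redirect this server issued.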