HTTP Status Codes
2xx Success
The 2xx status codes are returned when the HTTP request is successful.
200 OK
| Message Type | Message | Comments |
|---|---|---|
| No error (DELETE) | { <data> } | |
| No error (GET) | { <data> } | |
201 Created
| Message Type | Message | Comments |
|---|---|---|
| No error (POST) | empty body | |
| No error (POST) | { <data> } | |
204 No Content
| Message Type | Message | Comments |
|---|---|---|
| No error (DELETE) | empty body | |
4xx Client Errors
The 4xx status codes are returned when a problem exists in the client
application code. Look at the response body elements, errorType and message,
for more information about the problem.
Authorization Errors
These error messages will appear on the web form while authorizing consent.
You will not see a status code.
| Error | Message | Recommendation |
|---|---|---|
| client_id - invalid | unauthorize_client - Invalid client_id | |
| client_id - missing | invalid_request - Missing parameters: client_id | Verify the authorization URL contains the client_id parameter |
| code_challenge - invalid | invalid_request - The code_challenge parameter is invalid | |
| code_challenge - invalid | invalid_request - The code_challenge parameter length must be between 43 and 128 | |
| code_challenge_method - invalid | invalid_request - Unsupported code_challenge_method | |
| redirect_uri - invalid | invalid_request - Invalid redirect_uri parameter value | Verify the redirect_uri value in your application code matches the setting in https://dev.fitbit.com/apps. |
| redirect_uri - missing and app has multiple redirect URIs | invalid_request - Missing redirect_uri parameter value | Verify the authorization URL contains the redirect_uri parameter |
| response_type - invalid | unsupported_response_type - Invalid response_type parameter value | |
| response_type - missing | invalid_request - Missing response_type parameter value | Verify the authorization URL contains the response_type parameter |
| response_type - unauthorized | unauthorized_client - The client is not authorized to request an access token using this method | Use the supported response_type value based on your application's "OAuth 2.0 Application Type" setting. "server": response_type = code; "client": response_type = token; "personal": response_type = code or token |
| response_type - unauthorized | unauthorized_client - A "Personal" application is only authorized to request access tokens from the owner of the application | Modify the application type to "server" or "client" when attempting to access data from another user. |
| scope - invalid | invalid_scope - The requested scope is invalid, unknown or malformed: [scope] | |
| scope - missing | invalid_request - Missing scope parameter value | Verify the authorization URL contains the scope parameter |
400 Bad Request
| Error Type | Message | Recommendation |
|---|---|---|
| invalid_grant | Authorization code expired: [code] | |
| invalid_grant | Authorization code invalid: [code] | |
| invalid_grant | Missing parameters: refresh_token | |
| invalid_grant | Refresh token invalid: [refresh_token] | |
| invalid_request | Authorization code invalid: [code] | |
| invalid_request | Authorization code verifier invalid: null | |
| invalid_request | Authorization code verifier invalid: [code_verifier] | |
| invalid_request | Missing ‘grant_type’ parameter values | |
| invalid_request | Missing parameters: code | |
| invalid_request | Redirect_uri mismatch: null | |
| invalid_request | Redirect_uri mismatch: [redirect_uri] | |
| invalid_request | The code_verifier parameter is invalid | |
| invalid_request | The code_verifier parameter length must be between 43 and 128 | |
| invalid_request | There was an error reading the request body | |
| request | Food log entry without food could not be updated | Editing a food entry requires a non-zero foodId |
| request | Invalid parameter subscriberId: <subscriberId> | The subscriberId in the error message does not exist. Check the subscribers created for this application at dev.fitbit.com |
| request | Request to invalid domain: [domain] | |
| request | This request should use https protocol. | Verify the endpoint or redirect_url is using https |
| unsupported_grant_type | The authorization grant_type is not supported | |
| validation | Invalid time series resource path | Request parameter is invalid or missing. Possible causes: the user does not have a device paired to the account; the user does not have a device that supports the data requested |
| validation | Invalid time series period: <value> | Verify the endpoint syntax contains "1d". See Intraday API. |
| validation | The number of days between time series start and end dates cannot exceed MAX | Shorten the date range for the endpoint arguments |
| validation | Invalid date: <date value> | Verify date format is YYYY-MM-DD |
401 Unauthorized
| Error Type | Message | Recommendation |
|---|---|---|
| expired_token | Access token expired: [access_token] | The OAuth access_token has expired. Use the refresh token obtained during consent to exchange for a new access_token and refresh_token pair. See Refresh Token. |
| invalid_client | Authorization header required | |
| invalid_client | Incorrect authorization method | |
| invalid_client | Invalid authorization header. Client id invalid | The Authorization header must be set to Basic, followed by a space, then the Base64 encoding of your application’s client id and secret concatenated with a colon. See OAuth 2.0 documentation. |
| invalid_client | Invalid authorization header. Client secret invalid | |
| invalid_client | Invalid authorization header format | |
| invalid_request | Authorization header required | |
| invalid_token | Access token invalid: [access_token] | The OAuth token provided is invalid or was revoked. See Revoked Tokens. |
| system | Authorization error: invalid authorization token type | The Authorization header must be set to Bearer, followed by a space, then the user's access token. See documentation for making requests. |
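The code_challenge, code_verifier and Authorization header errors listed above all come from malformed client-side values. The following is an added example, not Fitbit's code, that builds those values so they pass the stated checks; it assumes the server accepts the S256 code_challenge_method defined in RFC 7636, and the function names are illustrative.

```python
import base64
import hashlib
import re
import secrets

# RFC 7636 unreserved characters; 43..128 is the length range the error messages quote.
_VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier(n_bytes: int = 64) -> str:
    """Random verifier from the OS CSPRNG; 32..96 bytes encode to 43..128 chars."""
    if not 32 <= n_bytes <= 96:
        raise ValueError("n_bytes must be 32..96 so the verifier is 43..128 chars")
    return b64url(secrets.token_bytes(n_bytes))


def code_challenge_s256(verifier: str) -> str:
    """S256 challenge: base64url(SHA-256(verifier)); always 43 characters."""
    if not _VERIFIER_RE.fullmatch(verifier):
        raise ValueError("code_verifier must be 43-128 unreserved characters")
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Token endpoint: 'Basic ' + Base64(client id, a colon, client secret)."""
    if not client_id or not client_secret or ":" in client_id:
        raise ValueError("client id/secret missing, or client id contains ':'")
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def bearer_auth_header(access_token: str) -> str:
    """Resource endpoints: 'Bearer ' + the user's access token."""
    if not access_token or any(c.isspace() for c in access_token):
        raise ValueError("access token is empty or contains whitespace")
    return "Bearer " + access_token
```

Keep the code_verifier only in the client session that started the authorization request, and send it once when exchanging the authorization code.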
403 Forbidden
| Error Type | Message | Recommendation |
|---|---|---|
| insufficient_permissions | API client is not authorized by Fitbit to access the resource requested | If your application type is “Personal”, then the owner of the application can only query their intraday data. |
| insufficient_permissions | API client is not authorized by the resource owner to access the resource requested | Verify the user has authorized the scope for the endpoint being executed. |
| insufficient_permissions | Read-only API client is not authorized to update resources | Verify the application is registered for read / write access. Changing this setting will invalidate all Bearer tokens. |
| insufficient_scope | This application does not have permission to [access-type] [resource-type] data | Verify the Authorization header is set to Bearer. Verify the user has authorized the scope for the endpoint being executed. |
404 Not Found
| Error Type | Message | Recommendation |
|---|---|---|
| invalid_request | Refresh token not found | The refresh token does not exist in our database. See Revoking refresh tokens for details. |
| not_found | The API you are requesting could not be found | Verify the syntax of the endpoint. See Web API documentation |
| not_found | Requested entity was not found | Verify the syntax of the endpoint. See Web API documentation |
405 Method Not Allowed
| Error Type | Message | Recommendation |
|---|---|---|
| | The request method being used is not allowed to be executed against the server. | Verify the syntax of the endpoint. See Web API documentation |
409 Conflict
| Error Type | Message | Recommendation |
|---|---|---|
| | { "collectionType": "<value>", "ownerId": "<value>", "ownerType": "<value>", "subscriberId": "<value>", "subscriptionId": "<value>" } | Returned if the given user is already subscribed to this stream using a different subscription ID, OR if the given subscription ID is already used to identify a subscription to a different stream. |
| invalid_request | Concurrent refresh token requests were made by the same client for the same user, and while one of these requests probably succeeded, this one did not due to an update conflict. | Avoid making multiple, concurrent refresh token requests within a short period of time. Try executing the token refresh endpoint once if possible. If necessary, wait a few seconds before executing the token refresh endpoint again. |
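One way to follow the recommendation for concurrent refresh token requests is to let only one refresh run per user and have every other caller reuse its result. This is an added example, not Fitbit's code; TokenStore, refresh_fn and the fake token endpoint are hypothetical names, and the token values are constructed.

```python
import threading
import time


class TokenStore:
    """Holds one user's token pair and allows only one refresh in flight at a time."""

    def __init__(self, access_token, refresh_token, refresh_fn):
        self._lock = threading.Lock()
        self._access = access_token
        self._refresh = refresh_token
        self._refresh_fn = refresh_fn  # hypothetical: refresh_token -> (access, refresh)

    def refresh_after_expiry(self, rejected_token):
        """Call on 401 expired_token, passing the access token the API rejected."""
        with self._lock:
            # Another thread already refreshed while we waited for the lock:
            # reuse its result instead of sending a second, conflicting request.
            if self._access != rejected_token:
                return self._access
            self._access, self._refresh = self._refresh_fn(self._refresh)
            return self._access


def demo(workers=8):
    """Constructed scenario: several threads see expired_token at the same moment."""
    calls = []

    def fake_token_endpoint(refresh_token):  # stand-in for the real HTTP call
        calls.append(refresh_token)
        time.sleep(0.05)  # simulated network latency so the threads overlap
        n = len(calls)
        return f"access-{n}", f"refresh-{n}"

    store = TokenStore("access-0", "refresh-0", fake_token_endpoint)
    results = []
    threads = [
        threading.Thread(target=lambda: results.append(store.refresh_after_expiry("access-0")))
        for _ in range(workers)
    ]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(calls), sorted(set(results))
```

The lock only serializes refreshes inside one process; workers spread over several processes or hosts need the same check against shared token storage.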
411 Length Required
| Error Type | Message | Recommendation |
|---|---|---|
| MissingContentLength | The Content-Length HTTP header is missing | According to RFC 7230, section 3.3.2, this HTTP request requires the Content-Length header field containing the anticipated size of the payload body. |
429 Too Many Requests
| Error Type | Message | Recommendation |
|---|---|---|
| system | Too many requests | Returned if the application has reached the rate limit for a specific user. The rate limit will be reset at the top of the hour. |
5xx Server Errors
The 5xx status codes are returned when a problem exists on the server. Look at
the response body elements, errorType and message, for more information about
the problem.
500 Internal Server Error
| Error Type | Message | Recommendation |
|---|---|---|
| request | An error occurred with the Fitbit Web API while processing the request. | Try your request later. |
502 Bad Gateway
| Error Type | Message | Recommendation |
|---|---|---|
| | Bad Gateway | Try your request later. |
503 Service Unavailable
| Error Type | Message | Recommendation |
|---|---|---|
| back_off_app_maintenance | The Fitbit service is temporarily offline for maintenance. We'll be back soon. | Please check https://www.fitbitstatus.com/ for the latest update. |
504 Gateway Timeout
| Error Type | Message | Recommendation |
|---|---|---|
| | Gateway time-out | Try your request later. |