04-18-2025 16:25 - edited 04-19-2025 12:28
- Mark as New
- Bookmark
- Subscribe
- Permalink
- Report this post

04-18-2025 16:25 - edited 04-19-2025 12:28
- Mark as New
- Bookmark
- Subscribe
- Permalink
- Report this post
- Who Voted for this post?
My users are reporting errors that just started happening today (April 18) where requests to activities and timeseries APIs like https://api.fitbit.com/1/user/-/activities/date/<date>.json are getting a 401 Unauthorized response (no error message or error details) to the CORS OPTIONS requests. Some other APIs like goals and profile are working.
This breaks functionality for our users since we make requests from the browser rather than a backend server.
04-21-2025 11:55
- Mark as New
- Bookmark
- Subscribe
- Permalink
- Report this post



04-21-2025 11:55
- Mark as New
- Bookmark
- Subscribe
- Permalink
- Report this post
- Who Voted for this post?
Hi @jl__
I don't see any 401 errors from your application. Let me reach out to you directly through issue tracker to get some additional information from you.
05-02-2025 10:25
- Mark as New
- Bookmark
- Subscribe
- Permalink
- Report this post

05-02-2025 10:25
- Mark as New
- Bookmark
- Subscribe
- Permalink
- Report this post
- Who Voted for this post?
We're seeing the same issue in our application. Any activity endpoint calls (e.g. https://api.fitbit.com/1/user/-/activities/steps/date/<date>/<date>.json ) are getting rejected with a 401 Unauthorized in the OPTIONS preflight request. I'm not sure how long it has been happening, but it was reported to us yesterday. Was there any progress made on figuring out the issue when you reached out directly to the OP? We are also making requests in the browser and not from a backend server.
05-07-2025 18:45 - edited 05-07-2025 19:00
- Mark as New
- Bookmark
- Subscribe
- Permalink
- Report this post

05-07-2025 18:45 - edited 05-07-2025 19:00
- Mark as New
- Bookmark
- Subscribe
- Permalink
- Report this post
I'm also seeing the same issue in our application. Any resolution so far?
In my case we're hitting the `https://api.fitbit.com/1.2/user/-/sleep/list.json` endpoint. We're getting 401 Unauthorized from the OPTIONS pre-flight request. This was previously working (last tested perhaps 1-2 weeks ago) – no changes made to our codebase.
We are also making requests in the browser and not from a backend server, testing in Chrome.
As a note, the introspect endpoint `https://api.fitbit.com/1.1/oauth2/introspect` responds with 200 OK prior.
And the call works from Postman (where no pre-flight request is sent).

