04-18-2025 16:25 - edited 04-19-2025 12:28
04-18-2025 16:25 - edited 04-19-2025 12:28
My users are reporting errors that just started happening today (April 18) where requests to activities and timeseries APIs like https://api.fitbit.com/1/user/-/activities/date/<date>.json are getting a 401 Unauthorized response (no error message or error details) to the CORS OPTIONS requests. Some other APIs like goals and profile are working.
This breaks functionality for our users since we make requests from the browser rather than a backend server.
04-21-2025 11:55
05-02-2025 10:25
05-02-2025 10:25
We're seeing the same issue in our application. Any activity endpoint calls (e.g. https://api.fitbit.com/1/user/-/activities/steps/date/<date>/<date>.json ) are getting rejected with a 401 Unauthorized in the OPTIONS preflight request. I'm not sure how long it has been happening, but it was reported to us yesterday. Was there any progress made on figuring out the issue when you reached out directly to the OP? We are also making requests in the browser and not from a backend server.
05-07-2025 18:45 - edited 05-07-2025 19:00
05-07-2025 18:45 - edited 05-07-2025 19:00
I'm also seeing the same issue in our application. Any resolution so far?
In my case we're hitting the `https://api.fitbit.com/1.2/user/-/sleep/list.json` endpoint. We're getting 401 Unauthorized from the OPTIONS pre-flight request. This was previously working (last tested perhaps 1-2 weeks ago) – no changes made to our codebase.
We are also making requests in the browser and not from a backend server, testing in Chrome.
As a note, the introspect endpoint `https://api.fitbit.com/1.1/oauth2/introspect` responds with 200 OK prior.
And the call works from Postman (where no pre-flight request is sent).
05-18-2025 16:51
05-18-2025 16:51
Hi, I'm still having this issue. Any help would be appreciated. This is breaking our app for customers.
05-19-2025 03:51
05-19-2025 03:51
Try https://api.fitbit.com/1/user/-/sleep/list.json .
This worked for me.
05-20-2025 18:20
05-20-2025 18:20
Hi @carrotflakes this does work, thanks for the temporary workaround.
I can use this for now however, functionality is still broken because the data from this version of the API has a few differences, namely:
@GordonFitbit any chance the original issue with the unauthorized preflight be looked into?
05-27-2025 21:53
05-27-2025 21:53
I wrote this on the issue tracker, but since there's no progress on there, I'll repeat my notes here:
To fix this, the API needs to:
- Return 200 OK for OPTIONS requests. The OPTIONS requests are not performing any actions, so they don't need authentication (the browser spec in fact prohibits sending authentication with OPTIONS requests).
- The OPTIONS response headers should have the appropriate Access-Control-Allow- headers to let the browser know that it can use those methods/headers. You can look at at https://api.fitbit.com/1/user/-/profile.json response for the correct headers, which are:
Access-Control-Allow-Headers: Accept,Authorization,Content-Type,Device-Data-Encoding,Fitbit-Code-Version,Fitbit-Transport-Info,Origin,X-App-Version,X-Requested-With,Accept-Locale,Accept-Language Access-Control-Allow-Methods: GET,PATCH,POST,PUT,DELETE,OPTIONS Access-Control-Allow-Origin: <the origin that was sent with the request>(Ideally it'd also allow access to Fitbit-Rate-Limit-Limit,Fitbit-Rate-Limit-Remaining,Fitbit-Rate-Limit-Reset)
As mentioned, the CORS OPTIONS headers/responses work correctly on APIs like profile, and previously worked until April 18 or so, but recently broke on timeseries and activity APIs.
05-30-2025 13:31
05-30-2025 13:31
Just wanted to add more weight to this request.
I also cannot call the activities endpoint (/1/user/-/activities.json) with a browser API call, even through the web-api explorer. I get the 401 unauthorized error on the OPTIONS preflight request which then blocks the browser from calling the endpoint because no CORS Access-Control-Allow-Origin is present in the response.
Screenshots from web-api explorer with network and console browser tools: