401 error on creating subscription

Hi community!

 

I am integrating the Fitbit API with the application of the company I work for.

 

I have successfully implemented all the required steps for authentication (OAuth 2.0) through our app (on Android), and I can see my user's consent in the Fitbit app under Third Party Applications.

 

I am receiving an Access and Refresh Token, and after authentication I use this Access Token to create subscriptions for the related scopes for my user. However, I get a 401 Unauthorized response with the following message:

 

{
    "success": false,
    "errors": [
        {
            "errorType": "invalid_token",
            "message": "Access token invalid: eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJUcFh1Zl92clVOcExXTEpvUVdqUjhab2U0RzhRM2FkdEJzbTliNzNoZEFBIn0.eyJleHAiOjE2NDI1NDEyMTYsImlhdCI6MTY0MjUwNTIxNiwiYXV0aF90aW1lIjoxNjQyNTA1MjE1LCJqdGkiOiJjMDZlMTU4YS1mN2UzLTRlMjYtODViNS02YTJjNmQ4NTYxM2MiLCJpc3MiOiJodHRwczovL2tleWNsb2FrLWJldGEuZWhlYWx0aHBhc3MuZ3IvYXV0aC9yZWFsbXMvZWhlYWx0aHBhc3MiLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiNDE0NjExMTEtMTk5Yi00NzgwLWJkZjEtNDQ3MDNjNjkxYmFlIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiZWhlYWx0aHBhc3MiLCJzZXNzaW9uX3N0YXRlIjoiMGI2ZWUzNzEtN2RkNi00OWY5LTkzNjMtYWJlZTM0ZDlkZTFlIiwiYWNyIjoiMSIsImFsbG93ZWQtb3JpZ2lucyI6W10sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJST0xFX1BBVElFTlQiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiZWhlYWx0aHBhc3MiOnsicm9sZXMiOlsiUk9MRV9QQVRJRU5UIl19LCJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2aWV3LXByb2ZpbGUiXX19LCJzY29wZSI6Im9wZW5pZCBlbWFpbCBwcm9maWxlIG9mZmxpbmVfYWNjZXNzIiwiY291bnRyeSI6IkdSIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsInJvbGUiOiJbUk9MRV9QQVRJRU5ULCBvZmZsaW5lX2FjY2VzcywgdW1hX2F1dGhvcml6YXRpb25dIiwiZ2VuZGVyIjoiZmVtYWxlIiwicGF0aWVudGlkIjoibnVsbC9udWxsIiwibmFtZSI6IkRlc3BvaW5hIEthemVwaWRvdSIsImxhbmd1YWdlIjoiZW5fR0IiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJka2F6ZXBpZG91IiwiZ2l2ZW5fbmFtZSI6IkRlc3BvaW5hIiwiZmFtaWx5X25hbWUiOiJLYXplcGlkb3UiLCJlbWFpbCI6ImRrQGVocC5nciJ9.MTk5knI58QPRUijexGy1l2iInnolBz3WfZDGxoFORjVm1coycrWxZFbzjK2lIQ4GJ7pZ6PtG2dojc4WJZGwKtTobkp0Jg88dDC5mne-EUESXEc2G4QZaxIipyROvwxhkroexXJDLxVwnX6hEEl9idDojye7PgdeLoIv9LF4kcGhWDXwk2qz8UhaSfM8x-tletphpRWZ1l3ag8pPmsu40b84s1oDgkRBYWwfvm3DPbWq02doT_u7ctUT5uaVAJnVfjpdo65_kwR4ALAkWXYKpKCkIeAENfLA6BMsUOn41DF4xUYkq9Eiq1pR70TQ7pMwB4Cy3_zimfFJn9ox95s0J-g. Visit https://dev.fitbit.com/docs/oauth2 for more information on the Fitbit Web API authorization process."
        }
    ]
}

indicating that my Access Token is invalid. I get this response both programmatically and manually using Postman.

 

In fact, I notice that this token is significantly larger than the ones I received in my previous trials, but since I have done LOTS of trials, I am not sure any more.

 

Yesterday, I was able to create subscriptions for my user using randomly generated UUID values as "subscriptionId". Later, I tried revoking consent; according to the docs, this action should have automatically deleted all existing subscriptions for my user.

 

Is there any chance that the Fitbit servers have kept the association between my userId and subscriptionId and are thus not allowing me to create a new one? But even so, I would expect to receive a 200 response indicating that the subscription already exists. I was also wondering whether the subscriber I have declared on dev.fitbit.com is disabled, but I have no indication of this. It is still verified as far as I can see on the dev portal.

 

Any ideas on why I get this 401 invalid access token error?

 

Thank you in advance. 🙂


Starting from the state described in the original post, what I did was to request a new access token using the refresh token.

 

This actually worked! I was able to receive a new access token and to create new subscriptions successfully.

 

However, this is a behavior not clearly mentioned in the docs. Since I revoked access to my user's data, I would expect that in the next authorization process the Access Token should be... "brand new". Instead, when I authorize again after revoking, I get an invalid access token (and yes, it is significantly longer), and in order to get it working I need to request a new access token using the refresh token.

 

So the flow is: Revoke -> Authorize -> Get Access and Refresh Token (at this point the Access Token is invalid) -> Use the Refresh Token -> Get NEW Access Token -> Continue your work

 

I am not marking this reply as a solution because I might be missing something.

 

Please correct me if I have not understood something correctly.


Hi @KwnsTsak 

 

First, please don't post PII data or tokens in the community forums. The token you provided is not a Fitbit access token. That's why you received the error. When the revoke occurs, all tokens and subscriptions for that user should be deleted. Then the user will need to go through the authorization process again for your application to get a brand new access token and refresh token. When the access token expires, you'll use the refresh token to obtain a new access token and refresh token pair.

 

Gordon

Gordon Crenshaw
Senior Technical Solutions Consultant
Fitbit Partner Engineering & Web API Support | Google

Hi @GordonFitbit 

 

Thank you for your reply. Sorry for the personal data (token posted). I just wanted to demonstrate the difference against a valid access token.

 

I understand what you describe, and this is how I would expect things to be. However, the invalid access token I posted is what I was getting as a response from Fitbit after the user (me in this case) revoked and went through the authorization process again, just like you mention.

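The token in the original post is a JWT whose "iss" claim points at the app's own Keycloak realm, not at Fitbit, which is what Gordon's reply is saying. A cheap pre-flight check that catches exactly this (and the other common cause of a 401, an expired token) is to decode the JWT payload and compare the issuer before putting the token on a Fitbit API call. The example below is added here and is not code from the thread or from Fitbit. It assumes Fitbit-issued access tokens carry iss="Fitbit" (an assumption to confirm against a token you actually got back from https://api.fitbit.com/oauth2/token); the two sample tokens, the idp.example.com realm URL and the claim values are constructed for the demo, and the signature is deliberately not verified, because the question being answered is only "who minted this token?", not "should I trust it?".

```python
"""Added example (not from the thread or Fitbit): inspect a bearer token before
sending it to the Fitbit Web API, to catch the mistake discussed above, i.e.
sending an access token minted by the app's own identity provider instead of
the one Fitbit issued."""
import base64
import json
import time
from typing import Optional, Tuple


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the padding JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url, the way JWT segments are written."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token: str) -> dict:
    """Return a JWT's payload claims WITHOUT verifying the signature.

    Good enough to answer "who issued this token and for whom?"; never use
    the result to make an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_token_for_api(token: str, expected_issuer: str,
                        now: Optional[int] = None) -> Tuple[bool, str]:
    """Pre-flight check before putting a bearer token on an API call.

    Returns (ok, reason). Catches the two cheap-to-detect causes of a 401:
    a token minted by the wrong authorization server, and an expired token.
    """
    now = int(time.time()) if now is None else now
    try:
        claims = decode_jwt_unverified(token)
    except ValueError as exc:  # binascii.Error and JSONDecodeError are ValueErrors
        return False, f"unparseable: {exc}"
    issuer = claims.get("iss")
    if issuer != expected_issuer:
        return False, f"issuer mismatch: issued by {issuer!r}, expected {expected_issuer!r}"
    exp = claims.get("exp")
    if exp is not None and exp <= now:
        return False, f"expired at {exp} (now {now}); use the refresh token to get a new one"
    return True, "ok"


def make_demo_jwt(claims: dict) -> str:
    """Build a CONSTRUCTED token with a dummy signature for the demo below."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "demo"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        _b64url_encode(b"not-a-real-signature"),
    ])


# ASSUMPTION: Fitbit-issued access tokens carry iss="Fitbit". Confirm by decoding
# a token returned by https://api.fitbit.com/oauth2/token before relying on it.
FITBIT_ISSUER = "Fitbit"

# Constructed sample tokens (not real credentials). DEMO_NOW keeps the checks deterministic.
DEMO_NOW = 1_700_000_100
FITBIT_SHAPED = make_demo_jwt({
    "iss": "Fitbit", "aud": "ABC123", "sub": "XYZ789",
    "iat": 1_700_000_000, "exp": 1_700_003_600, "scopes": "ract rhr rpro",
})
# Shape of a Keycloak-style token from the app's OWN identity provider (hypothetical realm URL).
IDP_SHAPED = make_demo_jwt({
    "iss": "https://idp.example.com/auth/realms/demo", "aud": "account",
    "sub": "00000000-0000-4000-8000-000000000000", "typ": "Bearer",
    "iat": 1_700_000_000, "exp": 1_700_036_000, "scope": "openid email profile",
})


if __name__ == "__main__":
    samples = [("fitbit-shaped", FITBIT_SHAPED), ("idp-shaped", IDP_SHAPED), ("opaque", "not.a-jwt")]
    for label, tok in samples:
        print(label, check_token_for_api(tok, FITBIT_ISSUER, now=DEMO_NOW))
```

Run against the token from the original post, the check would report an issuer mismatch because its "iss" is the Keycloak realm URL, which is a faster diagnosis than a 401 from the subscription endpoint. An "expired" result is the case Gordon describes for normal operation: exchange the refresh token for a new pair rather than re-running the authorization flow.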