07-21-2023 02:21
I am developing an Android app where I use Fitbit to show sleep data to users.
At some point I was retrieving data from Fitbit API with no problems, but now I noticed that the login no longer works. Redirect happens correctly and I get the authorization code and state. When I try to exchange these for access and refresh tokens, I get this error:
{"errors":[{"errorType":"invalid_client","message":"Invalid authorization header format. The header was not recognized to be a valid header for any of known implementations or a client_id was not specified in case of a public client Received header = null. Visit https://dev.fitbit.com/docs/oauth2 for more information on the Fitbit Web API authorization process."}],"success":false}
I also tried to debug this with the help of the troubleshooting guide on the website https://dev.fitbit.com/build/reference/web-api/troubleshooting-guide/oauth2-tutorial , but the website also returns the same error. I also tried to change my values (code challenge, state etc.) to be the same as on the site and still the same error occurs.
Here is the POST request I am sending (I redacted the values):
POST https://api.fitbit.com/oauth2/token
Body : client_id=CLIENT_ID&code=AUTH_CODE&code_verifier=CODE_VERIFIER&redirect_uri=REDIRECT_URL&grant_type=authorization_code
Headers :
Content-Type : application/x-www-form-urlencoded
I have been searching for days for an answer to this and can not seem to find one. Am I missing something? I feel like it's weird that I even get the same error when trying it with the troubleshooting tool on the website so has something changed?
Fitbit Developers oversee the SDK and API forums. We're here to answer questions about Fitbit developer tools, assist with projects, and make sure your voice is heard by the development team.
07-24-2023 08:31
Hi @Snowwhitee
Would you please provide your authorization URL (i.e. https://www.fitbit.com/oauth2/authorize) so I can see what parameters and the values are being used when someone consents to your application? I'll also try to consent to your application to see if I can replicate the problem.
Thanks!
Gordon
07-24-2023 09:13
The authorization URL is: https://www.fitbit.com/oauth2/authorize?client_id=CLIENT_ID&response_type=code&redirect_uri=REDIRECT...
I sent CLIENT_ID and REDIRECT_URL to you as personal message
Best Answer 07-24-2023 10:10
Thank you! When you exchange the authorization code for the access token and refresh token using the /oauth2/token endpoint, are you providing the authorization header along with the Basic token? For example
POST https://api.fitbit.com/oauth2/token
Authorization: Basic QUJDMTIzOkRFRjQ1Ng==
Content-Type: application/x-www-form-urlencoded

client_id=ABC123&code=<authorization_code>&code_verifier=<code_verifier>&grant_type=authorization_code
Best Answer 07-24-2023 10:23 - edited 07-24-2023 10:26
Currently, no, I am not. I thought it was not needed for client type applications; the request I'm making is posted in the original message. Also, I did try adding a header as described in the documentation, which is Authorization: Basic [base64encodedString(CLIENT_ID:CLIENT_SECRET)], but it still returned the same error. Additionally, the code I have had been working earlier last week even though I did not have the authorization header with the basic token in the exchange request.
07-26-2023 10:26
You are correct. Is your application type set to "client" or "server" at https://dev.fitbit.com/apps?
07-26-2023 11:37 - edited 07-26-2023 11:47
Ugh. Apparently when debugging the issue I changed it to 'server' and thought I changed it back to 'client', but it was still set to 'server'. So the issue was resolved by changing the application type. Sorry for the trouble! I don't know where the original issue came from though, because I didn't make the change until I received the error and was trying out different things to resolve it.
But it's working now!
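The thread's root cause is a mismatch between the registered application type and how the token request authenticates: a "client" (public) app sends client_id in the body with no Authorization header, while a "server" app must send HTTP Basic auth. The following is an added example, not code from the thread or from Fitbit: it derives the PKCE verifier/challenge pair and builds the /oauth2/token exchange for either application type, refusing to send a server-type request without a secret or to embed a secret in a public-client request. The Basic credential matches the best answer's example (base64 of ABC123:DEF456); all other values are constructed placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Token endpoint named in the thread; all credential values below are constructed placeholders.
TOKEN_URL = "https://api.fitbit.com/oauth2/token"


def code_challenge_s256(code_verifier: str) -> str:
    """Derive the PKCE code_challenge (S256 method) from a code_verifier."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """Random 43-character code_verifier; keep it until the code exchange."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """HTTP Basic credential: base64(client_id:client_secret), as in the best answer."""
    creds = f"{client_id}:{client_secret}".encode("ascii")
    return "Basic " + base64.b64encode(creds).decode("ascii")


def build_token_request(app_type, client_id, code, code_verifier, redirect_uri, client_secret=None):
    """Return {"url", "headers", "body"} for the authorization-code exchange.

    "client" (public) apps identify themselves only by client_id in the body;
    "server" apps must add Basic auth. Sending the public-client form while the
    app is registered as "server" is what produced the invalid_client error above.
    """
    body = {
        "client_id": client_id,
        "code": code,
        "code_verifier": code_verifier,
        "redirect_uri": redirect_uri,
        "grant_type": "authorization_code",
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if app_type == "server":
        if not client_secret:
            raise ValueError("server applications must send Basic auth with the client secret")
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    elif app_type != "client":
        raise ValueError(f"unknown application type: {app_type!r}")
    elif client_secret:
        # A public (client) app has no way to keep a secret; refuse to ship one.
        raise ValueError("client (public) applications must not embed a client secret")
    return {"url": TOKEN_URL, "headers": headers, "body": urlencode(body)}
```

Pass the returned dict to your HTTP client; only the "server" variant carries an Authorization header, and the code_verifier must be the one whose S256 challenge was sent on the authorize URL.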