
403 Forbidden Writing Weight Data – Works Until May 20, Only Weight Fails (Steps/Calories OK)

ANSWERED

 

We're encountering a persistent issue when calling the Fitbit Web API to write weight data using the endpoint:

POST /1/user/-/body/log/weight.json

Starting from the evening of **May 20, 2025**, this call consistently returns `403 Forbidden`. Before that, it had been working reliably for months.

---

**Platform & Scope Info:**

- Client ID: 22C4KQ
- App Type: Server (recently changed from Client)
- OAuth Flow: Authorization Code Grant (server-side)
- Affected Platforms: Both iOS and Android
- Token Scopes Granted: SETTINGS=READ_WRITE, PROFILE=READ_WRITE, WEIGHT=READ_WRITE, ACTIVITY=READ_WRITE

Token introspection confirms all scopes are active.

---

**What's Working (Confirmed):**

- Reading weight data via GET /body/log/weight.json
- Writing steps, calories, and distance data (via /activities.json)
- Reading profile, activity, and settings
- Fitbit user account is functional with other third-party Fitbit apps (writing weight still works there)

**What’s Not Working:**

- Only `POST /body/log/weight.json` returns 403 Forbidden, even with proper request body and valid token

---

**Hypothesis:**

We suspect Fitbit recently added additional restrictions to writing sensitive health data (such as weight) based on app identity (e.g. client_id-level policy). Our app may now require whitelisting or explicit approval.

---

**Request for Assistance:**

1. Was there a recent backend policy change affecting `/body/log/weight.json`?

2. Does our app now require additional authorization to write sensitive data like weight?

3. What is the formal procedure to apply for this level of access?

Any guidance is appreciated. This feature had been functioning as expected until May 20.

Thank you!

Best Answer
1 BEST ANSWER

Accepted Solutions

On May 20th, I also encountered a problem with uploading body fat and weight reporting errors. It may be that the Fitbit server has been updated. The final solution is to append a user_Id to the URL:
https://api.fitbit.com/1/user/-/body/log/weight.json --> https://api.fitbit.com/1/user/YOUR_USER_ID/body/log/weight.json
https://api.fitbit.com/1/user/-/body/log/fat.json --> https://api.fitbit.com/1/user/YOUR_USER_ID/body/log/fat.json


Best Answer
7 REPLIES 7

Any updates from Fitbit here? I am also hitting this issue, I have the correct scopes and this used to work.

Best Answer

Hi @Deabel and @patrick40 ,

Thanks for reaching out about this issue.
I tried to reproduce this on my end using both GET and POST requests for Weight logs via the Fitbit Web API Explorer, and both worked as expected.
Could you please share more details about the post request?
1. Query Parameters
2. Request Headers

Thanks,
Inca

Best Answer

Ok thank you @IncaFitbit 

Are you aware of any changes on your end? This has been working for years. I am still able to refresh tokens, just unable to POST to that specific endpoint; it returns a 403 exactly as @Deabel described.

Here's an example that fails with 403:

Query Parameters:
weight=23&date=YYYY-MM-DD

Please note: for some reason the forum doesn't let me post a date, it says "The message body contains <Insert Date>, which is not permitted in this community. Please remove this content before sending your post." So I had to replace it here with YYYY-MM-DD, but when I make the query I am using a real date.

Headers:

Authorization: Bearer eyJHb....

Accept: application/json

 

Best Answer
0 Votes

Ok well not sure if this is the same issue but for starters it doesn't look like you can pass in decimals anymore to the https://dev.fitbit.com/build/reference/web-api/explore/ tool, you are forced to enter an integer without decimals. This is a regression. It doesn't let me submit the decimal so I can't tell if it would return a 403.

update: ok this is unrelated, when I restrict my POSTs to integers only my code still returns a 403, so this is not the issue and should probably be handled in a different thread.


 

 

Best Answer
0 Votes

On May 20th, I also encountered a problem with uploading body fat and weight reporting errors. It may be that the Fitbit server has been updated. The final solution is to append a user_Id to the URL:
https://api.fitbit.com/1/user/-/body/log/weight.json --> https://api.fitbit.com/1/user/YOUR_USER_ID/body/log/weight.json
https://api.fitbit.com/1/user/-/body/log/fat.json --> https://api.fitbit.com/1/user/YOUR_USER_ID/body/log/fat.json

Best Answer

Thank you @Sword123 !

That fixed things.

So just to recap @IncaFitbit ; previously we were able to pass in "-" as the user id, and this would map to the currently logged in user according to the bearer token. The functionality is now broken for the weight upload endpoint and you have to explicitly provide the user id.

 




 

 

 

Best Answer
0 Votes

@Sword123  Thanks a lot, it does work! You saved my day!

Best Answer
0 Votes
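
The workaround from the accepted answer, as an added example (not code from any poster or from Fitbit): it swaps the `-` path segment for the `user_id` returned with the OAuth token response and builds the weight-log POST without sending it. The function names, the user-ID character check and the sample values are assumptions made for illustration.

```python
import re
import urllib.parse
import urllib.request

# Assumption: Fitbit's encoded user IDs are short alphanumeric strings.
USER_ID_RE = re.compile(r"[A-Za-z0-9]{1,32}")
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")


def explicit_user_url(url: str, user_id: str) -> str:
    """Replace the '-' (current user) path segment with an explicit user ID."""
    if not USER_ID_RE.fullmatch(user_id):
        raise ValueError("unexpected characters in user_id")
    parts = urllib.parse.urlsplit(url)
    if parts.scheme != "https" or parts.hostname != "api.fitbit.com":
        raise ValueError("refusing to rewrite a non-Fitbit URL")
    segments = parts.path.split("/")
    # Expected shape: ['', '1', 'user', '-', 'body', 'log', 'weight.json']
    if len(segments) < 4 or segments[2] != "user":
        raise ValueError("not a /<version>/user/<id>/... path")
    if segments[3] == "-":
        segments[3] = user_id
    elif segments[3] != user_id:
        raise ValueError("URL already names a different user")
    return urllib.parse.urlunsplit(parts._replace(path="/".join(segments)))


def build_weight_log_request(token_response: dict, weight: float, date: str):
    """Build (not send) the POST from the thread with the user ID spelled out."""
    if not DATE_RE.fullmatch(date):
        raise ValueError("date must be YYYY-MM-DD")
    url = explicit_user_url(
        "https://api.fitbit.com/1/user/-/body/log/weight.json",
        token_response["user_id"],
    )
    # weight and date travel as query parameters, as in the failing example above
    query = urllib.parse.urlencode({"weight": weight, "date": date})
    return urllib.request.Request(
        f"{url}?{query}",
        method="POST",
        headers={
            "Authorization": f"Bearer {token_response['access_token']}",
            "Accept": "application/json",
        },
    )


# Constructed sample token response; placeholder values, not real credentials.
SAMPLE_TOKEN_RESPONSE = {"access_token": "eyJ.constructed.token", "user_id": "ABC123"}
```

Passing the returned object to `urllib.request.urlopen` sends the request; the same `explicit_user_url` call covers the `fat.json` endpoint named in the answer.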