API client is not authorized to access the resource requested.

Hi,

 

I'm trying to access data for friends' step records for a specific time period. The problem looks to be if that friend has set anything to private from the default settings, I'll receive the following error:

{
  "errors":  [
     {
      "errorType": "request",
      "fieldName": "n/a",
      "message": "API client is not authorized to access the resource requested."
    }
  ]
}

 

Taking this call for example,

http://api.fitbit.com/1/user/ABCDEF/activities/steps/date/2014-06-01/2014-06-07.json

and changing the ABCDEF to a friend's userid results in the above error. It shouldn't though since all I'm looking for is step data and that friend's step data is available to friends via the fitbit.com website when I'm logged in.

 

It looks like this bug has been around for a while if you take a look at the old Google Groups posts from July 2012 like this one: https://groups.google.com/forum/#!searchin/fitbit-api/API$20client$20is$20not$20authorized$20to$20ac... 

or this one: 

https://groups.google.com/forum/#!searchin/fitbit-api/API$20client$20is$20not$20authorized$20to$20ac...

 

Anyone know of a way around this? Am I using the API incorrectly?

 

Thanks,

Patrick

Best Answer
0 Votes

Can someone look into why this is occurring? It's easy to reproduce in the API Explorer. I did so below using a test oauth_consumer_key.

 

GET /1/user/2QZVJ7/activities/date/2014-06-07.json HTTP/1.1
Authorization: OAuth oauth_consumer_key="e315519ecb084d8d8000e3cb3926b70a",oauth_signature_method="HMAC-SHA1",oauth_timestamp="1403587174",oauth_nonce="3522685286",oauth_version="1.0",oauth_signature="dpcP6ozX1UjDH%2BAYQ2WS6pFXCAs%3D"
Host: api.fitbit.com
X-Target-URI: http://api.fitbit.com
Connection: Keep-Alive

 

HTTP/1.1 401 API is secure. Needs security Credentials
WWW-Authenticate: OAuth realm="http%3A%2F%2Fapi005-g4.prod.dal05.fitbit.com"
Content-Language: en
Cache-control: no-store, no-cache, must-revalidate
Fitbit-Rate-Limit-Limit: 150
Content-Length: 145
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-UA-Compatible: IE=edge,chrome=1
Set-Cookie: JSESSIONID=A5F3B7FF988791B250BEBB6FF9D20A67.fitbit1; Path=/
Server: Apache-Coyote/1.1
Pragma: no-cache
Date: Tue, 24 Jun 2014 05:19:33 GMT
Vary: Accept-Encoding
Fitbit-Rate-Limit-Remaining: 148
Fitbit-Rate-Limit-Reset: 2426
Content-Type: application/json;charset=UTF-8

{
  "errors": [
    {
      "errorType": "request",
      "fieldName": "n/a",
      "message": "API client is not authorized to access the resource requested."
    }
  ],
  "success": false
}
Best Answer
0 Votes

Hi Patrick,


If you can private message me the email addresses of both users, I can help you take a look.

 

Thanks

Best Answer
0 Votes

Thanks, sent!

Best Answer
0 Votes

Hi Guys,


I'm facing the same problem. Is there a solution for this?

 

Pete

Best Answer
0 Votes

@DTCorp wrote:

Hi Guys,


I'm facing the same problem. Is there a solution for this?

 

Pete


Can you provide more information including the API endpoint you are hitting?

Best Answer
0 Votes

Sure, I'm just trying to grab a friend's distance. (and steps with a separate call)

http://api.fitbit.com/1/user/ABCDE/activities/distance/date/2014-07-01/6m.json

 

For some friends, I get

"message":"API client is not authorized to access the resource requested."

But for others, I get the data just fine.

 

When looking at their privacy settings, they're all set to the default "anyone" for steps and distance.

Best Answer
0 Votes

They need to set their "Activities" privacy setting to Friend or Anyone and you'll be able to make that API call.

Best Answer
0 Votes

Thanks Dan,

 

That fixed the problem.

Best Answer
0 Votes

It's unfortunate though that you can't get friends' steps with the default privacy settings. I added this to the feature requests page. If you think it'd be useful, here's where you can vote for it: https://community.fitbit.com/t5/Feature-Requests/Friends-Step-Data/idi-p/353450

Best Answer
0 Votes

Can you explain the reasoning for this restriction when by not even logging in you can see that same data for other users (with default settings) by looking at their profile page 30 day graphs?

 

It is hard to claim a privacy reason when the website itself will display the data.

 

I think the frustration here is that the developer APIs can't access what is "publicly available" data.

Best Answer
0 Votes

I've been testing this as well and it appears as though it is only working for me when the privacy setting is set to "Anyone".  I tested this with a friend and had them change it to "Friends" and I was getting the same error message as listed here, and then when they changed it back to "Anyone" it worked fine.

 

I'm also finding that I am exceeding the API limit as I am attempting to automate the step gathering for a group challenge that has about 285 members.  Not sure what to do about that one yet but first I am trying to get the code right to consistently retrieve the steps.

 

Has there been a change made that requires the value to be set to "Anyone" or am I doing something wrong?

Best Answer
0 Votes

@Derek_210 wrote:

I've been testing this as well and it appears as though it is only working for me when the privacy setting is set to "Anyone".  I tested this with a friend and had them change it to "Friends" and I was getting the same error message as listed here, and then when they changed it back to "Anyone" it worked fine.


Which privacy setting?  Last 30 days steps and distance?  Or Activities?  Or both?

 

My understanding is that it is the Activities setting which must be allowed, even though only the last 30 days steps and distance must be enabled in order for their website profile page to show the numbers in the graph.

 

Please correct me if I'm wrong.

 

But what I don't understand is why the API would be blocked from the last 30 days steps and distance if that is enabled, if anyone can see them by displaying the profile page.

 


@Derek_210 wrote:

I'm also finding that I am exceeding the API limit as I am attempting to automate the step gathering for a group challenge that has about 285 members.  Not sure what to do about that one yet but first I am trying to get the code right to consistently retrieve the steps.


I've given some thought to that myself, and unless Fitbit will grant requests to raise your app's limit (I have not tried), then I think the other alternative is:

 

  • Create a website where your group members will need to register and do the Oauth login
  • Have website subscribe to notifications for each registered member
  • Have website collect the stats you need after each sync notification (may require multiple API calls)
  • Optionally, have website collect current stats on user when they visit website to view data
  • Store all this stuff in your own database
  • Have website display all the current group statistics based on its own database

Since each app gets a separate API count for each user, depending on how many API calls you need per sync and how often each person syncs in an hour, you should stay under the limit.  Or if you did exceed the hourly limit, you'd at least have done numerous syncs for that user in the previous hour.  So you'd be relatively current.

 

I don't see any other way of a single app key and oauth login to collect data on 285 members, at least in a timely fashion.

 

Perhaps somebody else will have another suggestion.

 

While I have given some thought to this because I want to do something similar, so far I'm just collecting my own stuff in a google spreadsheet, and a mobile app I wrote.  But the mobile app just uses API calls and can't subscribe to notifications, AFAIK.  So I haven't gone down this road myself yet.

 

Doug

Best Answer
0 Votes
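Added example, not part of any post in this thread and not Fitbit's code: a collector loop that treats the privacy-denied 401 quoted above as a permanent per-friend skip rather than something to retry, and stops calling once the rate-limit headers shown in the posted response say the budget is spent. The function names, the FRIEND1..FRIEND4 ids and the sample responses are constructed; reading Fitbit-Rate-Limit-Remaining as calls left and Fitbit-Rate-Limit-Reset as seconds until the window refills is an assumption.

```python
import json

# Error text quoted in the thread, returned when privacy settings block the call.
PRIVACY_MSG = "API client is not authorized to access the resource requested."


def classify(status, body):
    """Map one response to 'store', 'skip_private' or 'fail'."""
    if status == 200:
        return "store"
    try:
        errors = json.loads(body).get("errors") or []
    except (ValueError, AttributeError):
        errors = []
    if status == 401 and any(isinstance(e, dict) and e.get("message") == PRIVACY_MSG for e in errors):
        return "skip_private"  # retrying cannot help; the data owner must change the setting
    return "fail"  # any other error, e.g. a 401 caused by bad credentials


def collect(user_ids, fetch):
    """Call fetch(user_id) -> (status, headers, body) until the budget runs out."""
    result = {"store": [], "skip_private": [], "fail": [], "deferred": [], "retry_after": 0}
    queue = list(user_ids)
    while queue:
        user_id = queue.pop(0)
        status, headers, body = fetch(user_id)
        result[classify(status, body)].append(user_id)
        # Assumption: Remaining = calls left in the window, Reset = seconds until refill.
        if int(headers.get("Fitbit-Rate-Limit-Remaining", 1)) <= 0 and queue:
            result["deferred"] = queue
            result["retry_after"] = int(headers.get("Fitbit-Rate-Limit-Reset", 0))
            break
    return result


# Constructed sample responses, modelled on the ones posted in the thread.
DENIED = json.dumps({"errors": [{"errorType": "request", "fieldName": "n/a",
                                 "message": PRIVACY_MSG}], "success": False})
SAMPLE = {
    "FRIEND1": (200, {"Fitbit-Rate-Limit-Remaining": "2", "Fitbit-Rate-Limit-Reset": "2426"}, "{}"),
    "FRIEND2": (401, {"Fitbit-Rate-Limit-Remaining": "1", "Fitbit-Rate-Limit-Reset": "2425"}, DENIED),
    "FRIEND3": (200, {"Fitbit-Rate-Limit-Remaining": "0", "Fitbit-Rate-Limit-Reset": "2424"}, "{}"),
    "FRIEND4": (200, {"Fitbit-Rate-Limit-Remaining": "149", "Fitbit-Rate-Limit-Reset": "3600"}, "{}"),
}

if __name__ == "__main__":
    print(collect(SAMPLE, SAMPLE.get))
```

Keeping the skip_private list separate from fail lets the app report which members need to change a setting instead of burning rate-limit budget on calls that will keep returning 401.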