help menu

Join us on the Community Forums!

  • Community Guidelines

    The Fitbit Community is a gathering place for real people who wish to exchange ideas, solutions, tips, techniques, and insight about the Fitbit products and services they love. By joining our Community, you agree to uphold these guidelines, so please take a moment to look them over.

  • Learn the Basics

    Check out our Frequently Asked Questions page for information on Community features, and tips to make the most of your time here.

  • Join the Community!

    Join an existing conversation, or start a new thread to ask your question. Creating your account is completely free, and takes about a minute.

Not finding your answer on the Community Forums?

Cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Access token validation end point

‎01-28-2016 04:50

‎01-28-2016 04:50

Hi,

 

Firstly, it has been a real pleasure working with the Fitbit API. 

 

Are there any plans to offer an endpoint that allows developers to easily validate access tokens? Similiar to what Google and Facebook offer.

 

Facebooks:

https://graph.facebook.com/debug_token?input_token={0}&access_token={1}

 

Google:

https://www.googleapis.com/oauth2/v1/tokeninfo?access_token={0}

 

Thanks

Marcus

Best Answer
Labels:
0 Votes
4 REPLIES 4

‎01-28-2016 11:13

‎01-28-2016 11:13

Hi @Marcus_kem,

 

We don't yet have this feature, but it's a good idea. Thank you for the suggestion.

 

If you're wanting to know if a token has expired, you could call a basic endpoint like Get User Profile and look at the response. We distinguish between expired and revoked tokens.

Best Answer
0 Votes

‎01-28-2016 13:38

In response to JeremiahFitbit

‎01-28-2016 13:38

Thanks for your response.

 

I want to confirm that the access token was created with my apps OAuth Client ID, those endpoints I referenced provide the Client ID in the response. 

 

Regards

Marcus

 

 

Best Answer
0 Votes

‎01-28-2016 13:53

In response to Marcus_kem

‎01-28-2016 13:53

How would you have gotten a user access token for another app?

Best Answer
0 Votes

‎02-12-2016 05:55

In response to JeremiahFitbit

‎02-12-2016 05:55

My question was in response to the below information.

 

https://developers.google.com/identity/protocols/OAuth2UserAgent#validatetoken

 

Validating the token

Tokens received on the fragment MUST be explicitly validated. Failure to verify tokens acquired this way makes your application more vulnerable to the confused deputy problem.

 

You can validate a token by making a web service request to an endpoint on the Google Authorization Server and performing a string match on the results of that web service request.

 

Thanks

Best Answer
0 Votes