01-28-2016 04:50
Hi,
Firstly, it has been a real pleasure working with the Fitbit API.
Are there any plans to offer an endpoint that allows developers to easily validate access tokens? Similar to what Google and Facebook offer.
Facebook's:
https://graph.facebook.com/debug_token?input_token={0}&access_token={1}
Google:
https://www.googleapis.com/oauth2/v1/tokeninfo?access_token={0}
Thanks
Marcus
01-28-2016 11:13
Hi @Marcus_kem,
We don't yet have this feature, but it's a good idea. Thank you for the suggestion.
If you're wanting to know if a token has expired, you could call a basic endpoint like Get User Profile and look at the response. We distinguish between expired and revoked tokens.
01-28-2016 13:38
Thanks for your response.
I want to confirm that the access token was created with my app's OAuth Client ID; those endpoints I referenced provide the Client ID in the response.
Regards
Marcus
01-28-2016 13:53
How would you have gotten a user access token for another app?
02-12-2016 05:55
My question was in response to the below information.
https://developers.google.com/identity/protocols/OAuth2UserAgent#validatetoken
Validating the token
Tokens received on the fragment MUST be explicitly validated. Failure to verify tokens acquired this way makes your application more vulnerable to the confused deputy problem.
You can validate a token by making a web service request to an endpoint on the Google Authorization Server and performing a string match on the results of that web service request.
Thanks
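
Added example, not part of the thread and not Fitbit or Google code: the "string match" described in the quoted Google passage, applied to an already-fetched tokeninfo response body. The field names (`audience`, `scope`, `expires_in`, `error`) are assumed from Google's v1 tokeninfo response, and the client ID and sample bodies are constructed placeholders.

```python
import hmac
import json

# Assumption: placeholder client ID for illustration, not a real credential.
MY_CLIENT_ID = "1234567890-example.apps.googleusercontent.com"


def check_tokeninfo(body, expected_client_id, required_scopes=()):
    """Decide whether a tokeninfo response proves the token was issued to us.

    Returns (ok, reason). A token minted for a different client is rejected
    even if it is otherwise valid, which is the confused deputy check.
    """
    try:
        info = json.loads(body)
    except ValueError:
        return False, "response is not JSON"
    if not isinstance(info, dict):
        return False, "unexpected response shape"
    if "error" in info:
        return False, "token rejected: %s" % info["error"]

    # Exact match on the audience: no prefix, substring or case-folded compare.
    audience = info.get("audience")
    if not isinstance(audience, str) or not hmac.compare_digest(
        audience.encode(), expected_client_id.encode()
    ):
        return False, "audience mismatch"

    try:
        expires_in = int(info.get("expires_in", 0))
    except (TypeError, ValueError):
        return False, "malformed expires_in"
    if expires_in <= 0:
        return False, "token expired"

    # Scopes arrive as one space-separated string.
    granted = set(str(info.get("scope", "")).split())
    missing = sorted(set(required_scopes) - granted)
    if missing:
        return False, "missing scopes: " + " ".join(missing)
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: a valid token that was issued to a different app.
    foreign = '{"audience": "other-app.example", "scope": "profile", "expires_in": 900}'
    print(check_tokeninfo(foreign, MY_CLIENT_ID))
```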