07-19-2022 00:40
I'm trying to get my access token, but keep getting an "Authorization code verifier invalid" error when I do step 4 from Authorization (fitbit.com).
The URL I use is "https://api.fitbit.com/oauth2/token" with four parameters "client_id, code, code_verifier, grant_type", and I also pass two headers "Authorization, Content-Type".
I don't think there is anything wrong with the values, but I still can't solve this error.
Hope someone can let me know if I'm missing something, thank you.
Accepted Solutions
07-21-2022 10:02
It appears creating the code challenge is where the problem lies. I can get your authorization to work without using the verifier/challenge, and it fails with it. You can generate the code challenge by looking at these pages. According to the spec, https://datatracker.ietf.org/doc/html/rfc7636#section-4.2, the syntax is
code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))
The SHA256 should follow this spec: https://datatracker.ietf.org/doc/html/rfc6234. And, the BASE64URL-ENCODE should follow this spec: https://datatracker.ietf.org/doc/html/rfc4648.
We have an example in our documentation, https://dev.fitbit.com/build/reference/web-api/developer-guide/authorization/#Authorization-Code-Gra... that you can use to confirm you are converting the verifier correctly.
Senior Technical Solutions Consultant
Fitbit Partner Engineering & Web API Support | Google
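As an added illustration of the S256 transformation described in the answer above (this is not Gordon's code or Fitbit's documentation example), the following Python generates a compliant code_verifier, derives the code_challenge exactly as RFC 7636 section 4.2 specifies, and checks the result against the test vector from RFC 7636 Appendix B. It also shows the most common way to get this wrong, which is using standard base64 with '+', '/' and '=' padding instead of base64url without padding; a server comparing SHA256(verifier) against a challenge built that way will reject the verifier. The server_verifies function is a model of what the token endpoint does at step 4, not Fitbit's actual implementation.

```python
import base64
import hashlib
import re
import secrets

# RFC 7636 section 4.1: the verifier is 43..128 characters from [A-Za-z0-9-._~]
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")

# Test vector from RFC 7636 Appendix B
RFC7636_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC7636_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"


def _b64url_no_pad(raw: bytes) -> str:
    """BASE64URL-ENCODE per RFC 4648 section 5, with '=' padding removed."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def generate_code_verifier(n_bytes: int = 32) -> str:
    """High-entropy verifier: 32 random bytes -> 43 base64url characters."""
    return _b64url_no_pad(secrets.token_bytes(n_bytes))


def is_valid_verifier(verifier: str) -> bool:
    """Length and character-set check from RFC 7636 section 4.1."""
    return _VERIFIER_RE.fullmatch(verifier) is not None


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))."""
    if not is_valid_verifier(verifier):
        raise ValueError("code_verifier must be 43-128 unreserved characters")
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return _b64url_no_pad(digest)


def code_challenge_wrong_plain_b64(verifier: str) -> str:
    """The common mistake: standard base64 keeps '+', '/' and '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def server_verifies(stored_challenge: str, presented_verifier: str) -> bool:
    """Model of the token endpoint's step-4 check (assumption, not Fitbit's code).

    The server recomputes the challenge from the verifier the client presents and
    compares it in constant time with the challenge stored from step 2.
    """
    try:
        recomputed = code_challenge_s256(presented_verifier)
    except ValueError:
        return False
    return secrets.compare_digest(recomputed, stored_challenge)


if __name__ == "__main__":
    verifier = generate_code_verifier()
    challenge = code_challenge_s256(verifier)
    print("code_verifier :", verifier)
    print("code_challenge:", challenge)
    print("RFC vector OK :", code_challenge_s256(RFC7636_VERIFIER) == RFC7636_CHALLENGE)
    print("plain base64  :", code_challenge_wrong_plain_b64(RFC7636_VERIFIER), "(rejected)")
```

Run it and compare the "RFC vector OK" line; if your own implementation produces the Appendix B challenge from the Appendix B verifier, the remaining suspects are the values being sent at step 4 (a verifier that differs from the one used at step 2, or a challenge computed with standard base64).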
07-19-2022 13:16
Hi @Guo0911
Would you please private message me your authorization URL from step 2, the authorization code generated, and the information you're sending on step 4. Please include the values so I can double check the information is correct. Do not publish this information in the public forums.
Thanks!
Gordon
Senior Technical Solutions Consultant
Fitbit Partner Engineering & Web API Support | Google
07-19-2022 19:37 - edited 07-19-2022 21:58
I'm sorry, I don't know how to message you, can you tell me how?
Thank you.
07-19-2022 21:56
07-21-2022 11:48
After re-reading the steps, I successfully got the access token, thank you very much for your help.
I provide here the PHP code I use to get the code challenge:
<?php
function pkce_code_challenge($verifier) {
    // raw (binary) SHA-256 digest of the verifier
    $hash = hash('sha256', $verifier, true);
    // base64url: swap '+/' for '-_' and strip '=' padding (RFC 4648 section 5)
    return rtrim(strtr(base64_encode($hash), '+/', '-_'), '=');
}
echo pkce_code_challenge('your code verifier');
?>
Assuming you set the code verifier to "01234567890123456789012345678901234567890123456789", you should get the corresponding return "-4cf-Mzo_qg9-uq0F4QwWhRh4AjcAqNx7SbYVsdmyQM".
Finally, thanks again to @Gordon-C for helping me solve this problem.
07-22-2022 05:37
I'm trying to make a python program that automates the processing of access tokens, so I'm posting the python code for getting the code challenge here to prevent newbies like me from getting stuck with this problem again.
import base64
from hashlib import sha256

def verifier_to_challenge(verifier):
    # SHA-256 of the verifier bytes, then base64url without '=' padding (RFC 7636 S256)
    hash_code = sha256(verifier.encode('utf-8')).digest()
    base_code = base64.b64encode(hash_code).decode("utf-8")
    challenge = base_code.replace('+', '-').replace('/', '_').rstrip('=')
    return challenge

