I am reporting a breaking issue with the legacy Fitbit Web API that seems to be affecting accounts recently migrated to Google Identity.

• Endpoint: GET https://api.fitbit.com/1/user/-/devices.json

• Error: 403 Forbidden / "The caller does not have permission"

• App Type: Personal

• Account Status: Migrated to Google Login (@gmail.com)

• Hardware: Sense 2

• Handshake Status: OAuth2 authorization is successful. The scope settings is requested and appears on the consent screen.

• Permissions: All boxes are checked during the OAuth flow.

The Issue:
Other endpoints (like /activities/) work perfectly with the same access token. Only the devices.json endpoint is returning a 403. This suggests that the legacy settings scope is being stripped or ignored by the new Google-managed resource servers for "Personal" application types, despite being explicitly granted by the user.

Steps Taken:

1. Revoked all application access via Fitbit Settings.

2. Reset Client Secret in the Dev Portal.

3. Deleted and recreated OAuth2 credentials in my integration (n8n).

4. Verified "Personal" application type in settings.

5. Confirmed that the "Settings" checkbox appears and is selected on the Google-Fitbit authorization page.

Since the documentation states the legacy API is supported until September 2026, why is hardware/device access being blocked for Personal apps now?