Client credentials

ANSWERED

Hello everyone,

First of all, thank you for having me!

I am new to the community and I'm trying to learn about OAuth2 and all its inner workings, as well as the Fitbit API. The Fitbit API documentation is incredibly clear, clean, and thorough. I've learned a lot from it so far.

What I have not been able to make very clear for myself is what the 'basic' token, or the client id and, more specifically, client secret are used for. From what I understand they are needed for the Authorization Code Grant Flow only, and even then only when requesting a refresh token. Is that correct?

And then there is the "client access key", which can be retrieved from /oauth2/token using the basic token and setting grant type "client_credentials". The docs showed me how to get it, but I am utterly clueless about its use. What API endpoints take this key? It appears to have no scope whatsoever.

Kind regards,

Alfred


Accepted Solutions

Hi @AlfredJP

Welcome! Let me try to clarify some things for you.

"grant_type=client_credentials" is not supported for querying user data. We recommend you use the Authorization Code Grant Flow instead, "grant_type=authorization_code". When the user consents and is redirected to your callback URL, the authorization code for that user is provided in the URL. The Basic token is used to signal Fitbit that your registered application defined by the basic token is allowed to obtain the access token and refresh token for this user. Once you have these tokens, you'll use the access token or Bearer token to query the user data.

Gordon Crenshaw
Senior Technical Solutions Consultant
Fitbit Partner Engineering & Web API Support | Google
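The three pieces the answer above names (the Basic token built from client id and secret, the authorization code pulled out of the callback URL, and the resulting Bearer token) can be seen side by side in this added example; it is not code from the thread or from Fitbit. It only builds the requests offline, and the token endpoint host is an assumption (the thread gives just the path /oauth2/token).

```python
import base64
from urllib.parse import parse_qs, urlencode, urlsplit

# Path from the thread; the host is assumed for illustration.
TOKEN_URL = "https://api.fitbit.com/oauth2/token"


def basic_token(client_id: str, client_secret: str) -> str:
    """The 'Basic token': base64(client_id:client_secret). It identifies the
    registered application to the token endpoint and belongs in the
    Authorization header of that one request, never in a body or a URL."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def code_from_callback(callback_url: str) -> str:
    """Extract the one-time authorization code the user is redirected back with.
    A callback carrying no code (or several) is treated as a failed grant."""
    params = parse_qs(urlsplit(callback_url).query)
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("callback did not carry exactly one 'code' parameter")
    return codes[0]


def token_exchange_request(client_id: str, client_secret: str,
                           code: str, redirect_uri: str) -> dict:
    """Describe the POST that trades the authorization code for an access
    token and refresh token. The client secret rides only in the Basic header;
    the form body carries the grant type, the code and the redirect URI."""
    return {
        "method": "POST",
        "url": TOKEN_URL,
        "headers": {
            "Authorization": "Basic " + basic_token(client_id, client_secret),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode({
            "grant_type": "authorization_code",
            "code": code,
            "redirect_uri": redirect_uri,
        }),
    }


def bearer_header(access_token: str) -> dict:
    """Header for user-data calls once the exchange has returned a token;
    the Basic token is not used again here."""
    return {"Authorization": "Bearer " + access_token}
```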



Hey @GordonFitbit

Thank you for your explanation. That clears things up a bit for me.

I am now only left wondering why the client access key is implemented by Fitbit at all. It does give me a Bearer token, but like you said, it grants no access to user data (which is only right, of course). What's the use of this option? From what I gather from the official OAuth2 docs (RFC 6749 section 4.4) it is used to access resources under the control of my registered app. But what resources would those be for, say, a web-app? Will any potential app I create have to host files on the web-api.fitbit.com server?

Client Credential authorization flow is used for APIs that don't access Fitbit user data. Those APIs are not documented in the Web API documentation. Your application should focus on the Authorization Code Grant Flow.

Gordon Crenshaw
Senior Technical Solutions Consultant
Fitbit Partner Engineering & Web API Support | Google