
Customer Authorization Flow

ANSWERED

To access Fitbit data of multiple users, instead of using the customer access token and refresh token, can we use my registered application access token and refresh token with the customer user-id which I get during their first-time authorization grant flow? Will it work for all the customers using my access token and their user-id?

Best Answer
0 Votes
4 REPLIES

I have two questions:

1. How to use the authorize API through Postman? When I call the URL in the browser I am getting the redirection URL and getting the authorization code. How to call the same API in Postman? When I tried calling the API using Postman, an HTML script is getting loaded. Help me how to get the authorization via Postman.

2. To access Fitbit data of multiple users, instead of using the customer access token and refresh token, can we use my registered application access token and refresh token with the customer user-id which I get during their first-time authorization grant flow? Will it work for all the customers using my access token and their user-id?

Best Answer
0 Votes

Hi @sanmitha,

Welcome to the forums!

When a Fitbit user authorizes consent to share data with your application, your application receives a unique access_token and refresh_token associated to that user only. This means that in order to pull their data, you must use the access token associated to that user in your API call to successfully retrieve that data.

With that in mind, there isn't a way to use a single access_token to pull data from multiple users at once. You can only execute an API call one user at a time using the correct access_token stored for that user.

For your Postman setup, can you clarify what you are seeing when you send the authorize URL? To my knowledge, there isn't a way to return the authorization code through Postman. You'll need to copy it out of the redirect URL from your web browser and attach it to your Postman request.

Best Answer
0 Votes

Hi,
In order to call the get refresh token API I have to pass the base64 client secret again, but once the user authorizes the consent to share data, how to get the client secret again?
I have a mobile app and backend server here to fetch the customer Fitbit data; how to get the client secret and client ID?
Which API is to be used to get all of a user's activity data after a particular date? Activity here is the exercises initiated by the user through the Fitbit device.

Best Answer
0 Votes

When calling the Refresh Token endpoint, the user does not go through the consent flow again. The refresh token endpoint is executed on the backend in which your application exchanges the refresh token you stored for the user after they went through the initial consent flow. When the refresh token is used to obtain a new access token and refresh token, your application must discard the old tokens and replace them with the new tokens, as the old ones are now invalidated.

Your application's client secret should only be passed in a Base 64 encoded token for the following endpoints:

Your Client ID and Client Secret can be found in your application details page after registering your application. See Getting Started.

Best Answer
0 Votes
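The two points made in the replies above (one token pair per user, and replacing both tokens after every refresh) can be seen together in the following sketch. It is an added example, not code from the thread or from Fitbit: `FakeTokenEndpoint` is a constructed offline stand-in for the real token endpoint, `TokenStore` is a hypothetical backend helper, and the response field names (`user_id`, `access_token`, `refresh_token`) are assumptions.

```python
import base64
import secrets

def basic_auth_header(client_id, client_secret):
    # Base64 of "client_id:client_secret"; built on the backend only.
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()

class FakeTokenEndpoint:
    """Constructed stand-in for the token endpoint; refresh tokens are single-use."""
    def __init__(self, expected_auth):
        self.expected_auth = expected_auth
        self.valid = {}  # refresh_token -> user_id

    def issue(self, user_id):
        pair = {"user_id": user_id, "access_token": secrets.token_hex(8),
                "refresh_token": secrets.token_hex(8)}
        self.valid[pair["refresh_token"]] = user_id
        return pair

    def post(self, headers, form):
        if headers.get("Authorization") != self.expected_auth:
            raise PermissionError("invalid_client")
        if form.get("grant_type") != "refresh_token":
            raise PermissionError("unsupported_grant_type")
        user_id = self.valid.pop(form.get("refresh_token"), None)  # old token invalidated
        if user_id is None:
            raise PermissionError("invalid_grant")
        return self.issue(user_id)

class TokenStore:
    """Keeps one token pair per user_id; a refresh overwrites that user's pair."""
    def __init__(self, endpoint, client_id, client_secret):
        self.endpoint = endpoint
        self.auth = basic_auth_header(client_id, client_secret)
        self.tokens = {}

    def save(self, pair):
        self.tokens[pair["user_id"]] = pair

    def refresh(self, user_id):
        form = {"grant_type": "refresh_token",
                "refresh_token": self.tokens[user_id]["refresh_token"]}
        new_pair = self.endpoint.post({"Authorization": self.auth}, form)
        self.save(new_pair)  # old access/refresh tokens are discarded here
        return new_pair
```

In a real backend the token pairs would be persisted per user in encrypted storage, and the client secret would stay on the server rather than in the mobile app.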