Starting today, two new security policies for the Fitbit Web API are in effect.

Email Address Verification

As announced last month, you must now have a verified email address to sign into Fitbit's developer site. To ensure you have uninterrupted access, you can verify your email address now.

Subscriber Endpoint Verification

The Subscriptions API allows applications to be notified by Fitbit when new data is available for a person who has authorized the app.

Starting today, applications must verify ownership of the URL they want Fitbit to send notifications to. This process is documented here. Existing subscriber endpoints are encouraged to implement this verification test, but are not required to do so.

Update: 2015-12-14

HTTP Response Header Improvements

The HTTP response headers from the Fitbit Web API have been updated. These changes better align with how the Web API is intended to be used and are notably smaller.

• Cookies are no longer being set, as no cookies are ever accepted in requests.
• X-Ua-Compatible header was removed.
• Pragma and Expires headers were removed.
• Cache-control now set to "no-cache, private".
• ETag header will be added to OAuth 2.0 requests soon.