Differences Between User Revoked Access and Deleted User Messages

ANSWERED

Looking for clarification on these two types of messages, as they have some subtle differences - I may not understand the purpose.

 

Ref: Notifications of Users Revoking Consent

Ref: Notifications of Deleted Users

 

Notifications of Users Revoking Consent

This action, when done in the Fitbit user settings, revokes tokens and cancels all subscriptions for the user. We are sent one notification message via our subscription endpoint(s).

Example JSON:

   {
      "collectionType":"userRevokedAccess",
      "date":"2021-10-11",
      "ownerId":"9MB5F2",
      "ownerType":"user",
      "subscriptionId":"REV-4f11ed1d5dc94173a60c57a2ab636c90/"
   }

 

Notifications of Deleted Users

This action, when done in the Fitbit user settings (and the user responds to the email), revokes tokens and cancels all subscriptions for the user. We are sent one notification message per subscription via our subscription endpoint(s).

Example JSON:

   {
      "collectionType":"deleteUser",
      "date":"2021-10-11",
      "ownerId":"9MBJBN",
      "ownerType":"user",
      "subscriptionId":"391303303"
   }

 

Questions

If you please, can you confirm the following:

  • Both notification types (actions) revoke tokens and cancel all subscriptions for the user.
  • We should only get one "userRevokedAccess" notification, but "deleteUser" sends one notification for each subscription for the user.
    • Why the difference on this one? Wondering if I should be doing something special for each message on "deleteUser".
  • The subscriptionId on the revoke notification is the subscriptionId I provided. Is the subscriptionId on the deleteUser notification the internal Fitbit subscriptionId?
0 Votes

Accepted Solutions

Hi @Jeff_New_Ocean,

 

Thanks for the detailed questions, and I'll be happy to clarify.

 

  • Correct, both 'userRevokedAccess' and 'deleteUser' notifications share the same behavior with invalidating all tokens and subscriptions tied to the user. To clarify, you receive a notification for when a user revokes access to your application (userRevokedAccess), and when a Fitbit user deletes their Fitbit account (deleteUser). Sometimes, a user will delete their account before revoking access to your application, and you'd never get the userRevokedAccess notification.
  • The team confirmed that you should only be receiving one notification for userRevokedAccess and deleteUser. If this is not the case, could you PM me an example notification for a user which shows otherwise?
  • This is a bug and I filed a ticket to address this. Thanks for finding this!

I hope this helps, and thanks for your contribution to the developer community so far!


Hi @JohnFitbit 

 

Here's one I just deleted the Fitbit account for:

Client ID: {Redacted}
User EmailAddress: {Redacted}
Fitbit UserId: {Redacted}

Subscriptions: activity nutrition sleep weight

Subscription Notifications Received: (4 separate requests to our API)

2021-10-15 19:27 UTC

 

[
   {
      "collectionType": "deleteUser",
      "date": "2021-10-15",
      "ownerId": "{Redacted}",
      "ownerType": "user",
      "subscriptionId": "391167651"
   }
]

[
   {
      "collectionType": "deleteUser",
      "date": "2021-10-15",
      "ownerId": "{Redacted}",
      "ownerType": "user",
      "subscriptionId": "391166627"
   }
]

[
   {
      "collectionType": "deleteUser",
      "date": "2021-10-15",
      "ownerId": "{Redacted}",
      "ownerType": "user",
      "subscriptionId": "391169889"
   }
]

[
   {
      "collectionType": "deleteUser",
      "date": "2021-10-15",
      "ownerId": "{Redacted}",
      "ownerType": "user",
      "subscriptionId": "391163355"
   }
]

 

 

 

0 Votes

@Jeff_New_Ocean Thanks for sharing an example. I've edited your post to redact the user data as this is considered sensitive data. In the meantime, I'll take a look at the example with the team and see why this is occurring. I'll let you know what I find out after I get more information.

 

Update: The team confirmed that both 'deleteUser' and 'revokeUserAccess' notifications should send multiple notifications for each active subscription that user had. If you are only seeing one notification sent for 'revokeUserAccess', it's likely that user was not subscribed to all of your subscriptions. Could you test this by authorizing a test account to your application, then ensure that account is subscribed to all of your application's subscriptions, and then revoke afterwards to see if you receive a notification for each subscription tied to that test account?

 

 

0 Votes

Hi John,
You mentioned that deleteUser notifications being sent with an internal Fitbit subscriptionId is a bug and that you filed a ticket to address it.
Is there any news on this matter? Can that ticket be followed somehow?

Thanks

0 Votes
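Added example (not part of the thread and not Fitbit's code): a subscriber-side handler that stays correct whether one or several `deleteUser` / `userRevokedAccess` notifications arrive per user, and that never looks anything up by `subscriptionId`. `UserStore`, `handle_notifications`, the owner ID and the subscription IDs are hypothetical or constructed; the sketch assumes the request has already been authenticated and that queuing stored data for erasure on `deleteUser` is the application's own policy.

```python
import json

TERMINAL = {"userRevokedAccess", "deleteUser"}

class UserStore:
    """Hypothetical in-memory stand-in for the app's token and subscription tables."""
    def __init__(self):
        self.tokens = {}          # ownerId -> stored OAuth tokens
        self.subscriptions = {}   # ownerId -> our own subscription IDs
        self.erasure_queue = []   # ownerIds whose stored data is to be purged

    def offboard(self, owner_id, erase_data):
        """Drop local credentials; return True only if there was state to drop."""
        had_state = owner_id in self.tokens or owner_id in self.subscriptions
        self.tokens.pop(owner_id, None)
        self.subscriptions.pop(owner_id, None)
        if erase_data and owner_id not in self.erasure_queue:
            self.erasure_queue.append(owner_id)
        return had_state

def handle_notifications(raw_body, store):
    """Process one request body; return (ownerId, collectionType, outcome) tuples."""
    results = []
    for note in json.loads(raw_body):
        kind, owner = note.get("collectionType"), note.get("ownerId")
        if kind not in TERMINAL or note.get("ownerType") != "user" or not owner:
            results.append((owner, kind, "ignored"))
            continue
        # Key on ownerId only, so a subscriptionId we did not issue cannot cause a miss.
        first = store.offboard(owner, erase_data=(kind == "deleteUser"))
        results.append((owner, kind, "offboarded" if first else "duplicate"))
    return results

def demo():
    """Replay four constructed deleteUser requests, one per subscription."""
    store = UserStore()
    store.tokens["EXAMPLE1"] = {"refresh_token": "constructed-value"}
    store.subscriptions["EXAMPLE1"] = {"activity", "nutrition", "sleep", "weight"}
    outcomes = []
    for sid in ("1001", "1002", "1003", "1004"):   # constructed subscription IDs
        body = json.dumps([{"collectionType": "deleteUser", "date": "2021-10-15",
                            "ownerId": "EXAMPLE1", "ownerType": "user",
                            "subscriptionId": sid}])
        outcomes.append(handle_notifications(body, store)[0][2])
    return outcomes, store

if __name__ == "__main__":
    print(demo()[0])
```

Because the handler is idempotent per `ownerId`, the repeat notifications are no-ops, and a `deleteUser` that arrives after an earlier `userRevokedAccess` still queues the erasure.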