
Don't understand why warning to switch to HTTPS

Hi,

 

We are using Fitbit for a Java-based web application.

 

Our Fitbit API requests are present in a properties file where the URLs are of this form:

 

//www.fitbit.com    and     api.fitbit.com

 

We are not specifying HTTP/HTTPS here. 

The way it works for us is that we can assign a fitbit to a person in our application. Clicking on an HTML button brings up a pop-up window which communicates with the Fitbit server.

Then the person sees a form where the username and password that were used for registering the Fitbit in fitbit.com have to be entered.

 

The URL in the pop-up changes according to the type of connection used to connect to the Fitbit server.

E.g., if I run my web application using HTTP, the pop-up window has the following URL:

http://www.fitbit.com/oauth/authorize?oauth_token=<some token>&display=touch&requestCredentials=true

The URL has HTTP in it.

 

If I run the application using HTTPS, the pop-up URL has the following URL: 

https://www.fitbit.com/oauth/authorize?oauth_token=<some token>&display=touch&requestCredentials=tru...

This URL has HTTPS in it.

 

Once the login is successful, we can collect data for that Fitbit from the Fitbit server.

 

I don't know for sure if we got the warning mail from the Fitbit team because we were using HTTP for development and testing (our production uses HTTPS) or because there is really something that we need to change. Can you let me know if the above hints that our application communicates with the Fitbit server using HTTPS?

 

Thanks.

0 Votes
2 REPLIES

We are working on a tool to help you review which HTTP requests did not use HTTPS.

0 Votes

Please go to http://httpschecker-30885.onmodulus.net/ . Enter your client key (from https://dev.fitbit.com ). If your application had any non-HTTPS Fitbit API requests in the time period noted on the page, they will be displayed.

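A URL that starts with `//` is a network-path reference and takes its scheme from the page that uses it, which matches the pop-up behaviour described in the question. The following Java audit of a properties file is an added example, not code from the thread or from Fitbit; the property key names are hypothetical, and how a bare host such as `api.fitbit.com` gets its scheme is assumed to depend on the application's own code.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Map;
import java.util.Properties;
import java.util.TreeMap;

public class FitbitUrlSchemeAudit {
    enum Verdict { HTTPS, NOT_HTTPS, INHERITS_PAGE_SCHEME, NO_SCHEME }

    // Classify one configured endpoint by the scheme it will end up using.
    static Verdict classify(String value) {
        String v = value.trim();
        // "//host/..." resolves against the embedding page: http page -> http request.
        if (v.startsWith("//")) return Verdict.INHERITS_PAGE_SCHEME;
        int sep = v.indexOf("://");
        // No scheme at all: the calling code decides, so it has to be reviewed by hand.
        if (sep < 0) return Verdict.NO_SCHEME;
        String scheme = v.substring(0, sep);
        return scheme.equalsIgnoreCase("https") ? Verdict.HTTPS : Verdict.NOT_HTTPS;
    }

    // Return a verdict for every property whose value points at fitbit.com.
    static Map<String, Verdict> audit(Properties props) {
        Map<String, Verdict> findings = new TreeMap<>();
        for (String key : props.stringPropertyNames()) {
            String value = props.getProperty(key);
            if (value.contains("fitbit.com")) findings.put(key, classify(value));
        }
        return findings;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: key names are hypothetical, value forms follow the question.
        String sample = String.join("\n",
            "fitbit.site.url=//www.fitbit.com",
            "fitbit.api.host=api.fitbit.com",
            "fitbit.dev.url=http://api.fitbit.com",
            "fitbit.prod.url=https://api.fitbit.com");
        Properties props = new Properties();
        props.load(new StringReader(sample));
        audit(props).forEach((key, verdict) ->
            System.out.printf("%-16s %-22s %s%n", key, verdict,
                verdict == Verdict.HTTPS ? "ok" : "set an explicit https:// URL"));
    }
}
```

Only the entry written with an explicit `https://` is reported as ok; the protocol-relative and scheme-less forms from the question are flagged because their scheme is decided outside the properties file.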