help menu

Join us on the Community Forums!

  • Community Guidelines

    The Fitbit Community is a gathering place for real people who wish to exchange ideas, solutions, tips, techniques, and insight about the Fitbit products and services they love. By joining our Community, you agree to uphold these guidelines, so please take a moment to look them over.

  • Learn the Basics

    Check out our Frequently Asked Questions page for information on Community features, and tips to make the most of your time here.

  • Join the Community!

    Join an existing conversation, or start a new thread to ask your question. Creating your account is completely free, and takes about a minute.

Not finding your answer on the Community Forums?

Cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Fail to refresh tokens

‎11-20-2025 10:41

‎11-20-2025 10:41

In my setup I get the initial access/refresh tokens properly using PKCE.
When I try to refresh the tokens I get an error of type 'invalid_grant' and text 'Refresh token invalid: ....'.
This happens both before and after access token expiration. This started happening recently.

The flow was working until a week ago. Access token is working fine until expiration.

We tried all possible solution, including going through the whole process from CURL and we still get the same error.

This is the last refresh token we got and tried: 

a1ae1da70fbd3bf9226de40b613d99f41f58f26f623d7522c946dc86a8d94a60

Please advise how to pinpoint the error, because we can't really find it in our app/server.

Thank you in advance

Best Answer
Labels:
0 Votes
1 REPLY 1

‎11-25-2025 16:04

‎11-25-2025 16:04

Hi @Belev 

Thank you for sharing your question!

We have reviewed the logs and identified the cause of the issue. It appears that the refresh token being used was originally generated for Client ID 1, but the refresh request was attempted using Client ID 2.

For security reasons, access and refresh tokens are strictly bound to the specific Client ID they were generated with. Please ensure that you are using the matching Client ID when making the refresh request.

A quick reminder on token rotation: Once a refresh token is used, it becomes invalid immediately. Your application should always store the new refresh token returned in the response and discard the old one.

Best Answer
0 Votes