
Increasing token lifetime

ANSWERED

Hi, I'm working on FitBit API integration via the Implicit Grant flow and trying to increase the token lifetime to one year, but it always returns the same value near `604800` whenever I pass the `expires_in` parameter.
Here is a link example: `https://www.fitbit.com/oauth2/authorize?response_type=token&client_id=******&redirect_uri=*******&sc...`

And a response example: `*******#access_token=*******&user_id=******&scope=activity&token_type=Bearer&expires_in=602529`

0 Votes

Is this before requesting the bearer token? Why does it say token_type=Bearer?

0 Votes

 


@simon238 wrote:

Is this before requesting the bearer token? Why does it say token_type=Bearer?


Not sure that I understand you correctly. I'm following this guide https://dev.fitbit.com/apps/oauthinteractivetutorial and the response is the same as in step 2.

0 Votes

Ah ok, that is probably the maximum length of time allowed by the fitbit API. Typically you would just use the refresh_token to request a new bearer token when that one has expired. This wouldn't require revalidation by the user. You need to keep track of the expiration time and the refresh_token. This is done for security reasons; using the refresh token requires the client secret, whereas the bearer token does not.

 

604800 s — or 7 days — is actually a really long time for a bearer token to be valid for, typically default values are 1 hour.

0 Votes

But the documentation says `The user may specify a lifetime for the access token up to one year.`
Via the implicit grant flow I'm obtaining only an access token, without a refresh token, so when it expires the user should pass authorization again.

0 Votes

Ah sorry, you're right. I've not used that implementation myself, but I have noticed other instances where the documentation isn't perfect. All I can do is suggest you switch to the recommended implementation, if you have the refresh token you shouldn't have any problems with expiration.

0 Votes

Probably yes, I just wanted to do this quickly.
Thank you mate

0 Votes

Actually I think I've found out why:

You need to revoke access in your fitbit profile and re-request with the new value. Otherwise it's giving you the original token with the original expiry time.

 

This worked for me: 

social+heartrate&token_type=Bearer&expires_in=31536000

0 Votes
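An added example (not from the thread or from Fitbit's code) that parses the implicit-grant redirect fragment shown above and flags a response whose `expires_in` falls short of the requested lifetime, which is the symptom the answer above attributes to an existing authorization being handed back. The callback URLs, token values and the 300-second tolerance are constructed assumptions.

```javascript
// Added example; all URLs and token values below are constructed.
const WEEK_SECONDS = 604800; // the roughly 7-day value reported in the thread
const TOLERANCE_SECONDS = 300; // assumed slack for redirect and clock delay

// Parse an implicit-grant redirect URL and compare the granted lifetime
// with the lifetime that was requested through `expires_in`.
function checkImplicitGrant(redirectUrl, requestedSeconds, nowMs = Date.now()) {
  const fragment = new URL(redirectUrl).hash.replace(/^#/, "");
  const params = new URLSearchParams(fragment); // decodes "+" in scope to a space

  if (params.has("error")) {
    return { ok: false, reason: `authorization error: ${params.get("error")}` };
  }
  const token = params.get("access_token");
  const granted = Number.parseInt(params.get("expires_in") ?? "", 10);
  if (!token || params.get("token_type") !== "Bearer" ||
      !Number.isFinite(granted) || granted <= 0) {
    return { ok: false, reason: "malformed token response" };
  }

  // A token handed back from an earlier authorization keeps its original
  // expiry, so the remaining lifetime is well below what was requested.
  const shortfall = requestedSeconds - granted;
  return {
    ok: true,
    grantedSeconds: granted,
    // Store the absolute expiry: with no refresh token in this flow, the
    // user has to re-authorize once this moment passes.
    expiresAt: new Date(nowMs + granted * 1000).toISOString(),
    scopes: (params.get("scope") ?? "").split(" ").filter(Boolean),
    lifetimeHonored: shortfall <= TOLERANCE_SECONDS,
    likelyReusedGrant: shortfall > TOLERANCE_SECONDS && granted <= WEEK_SECONDS,
  };
}

// Constructed redirect mirroring the response in the question.
const sample = "https://app.example/callback#access_token=CONSTRUCTED" +
  "&user_id=U1&scope=activity&token_type=Bearer&expires_in=602529";
console.log(checkImplicitGrant(sample, 31536000));
```

In a browser, remove the fragment from the address bar once it is parsed (for example with `history.replaceState`), since a one-year bearer token left in the URL stays valid for anyone who later reads it from history or a shared link.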

Thank you, it works for me too

0 Votes