
Introspect refresh token

Hi,

 

Can the Introspect capability also test Refresh Token validity, like this?

 

url: "https://api.fitbit.com/1.1/oauth2/introspect",
method: "POST",
headers: {
    "Authorization": "Bearer " + access_token,
    "Content-Type": "application/x-www-form-urlencoded"
},
data: 'token=' + refresh_token

 

 

PS. I always got  {"active":false}

 

Thanks,

 

Charles

 

Best Answer
0 Votes

Hi @Chuil

 

Welcome to the forums!

 

According to our documentation, it does appear that only access tokens are supported in our version of the introspect endpoint. I was also able to reproduce the same response {"active":false} when entering a valid refresh token in the body of this request.

 

The OAuth 2.0 spec indicates that refresh tokens are also supported. With that in mind, I'll reach out to the team to see if we can implement the usage of refresh tokens in this endpoint.

 

For now, the best way to check the validity of a refresh token is to use the refresh token in a token refresh request. If your refresh token is valid, you'll be provided with a new refresh token and access token. If it's invalid, you should see a 400 returned along with the message:

 

{"errors":[{"errorType":"invalid_grant","message":"Refresh token invalid: [access_token]"}],"success":false}

 

See: https://dev.fitbit.com/build/reference/web-api/oauth2/#refresh-token-errors

 

Thanks for bringing this to our attention! Let me know if you have any questions in the meantime.

Best Answer
0 Votes
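
The check described in the reply above, sketched for a server-side Node.js client. This is an added example, not part of the original thread and not Fitbit's code. It assumes the token endpoint URL and HTTP Basic client authentication from Fitbit's OAuth2 documentation; the function names are hypothetical and the credentials are placeholders.

```javascript
// Added example: check a refresh token by using it, as the reply describes.
// Assumptions (not from the thread): token endpoint URL and HTTP Basic client
// authentication per Fitbit's OAuth2 docs; credentials are placeholders.
const TOKEN_URL = "https://api.fitbit.com/oauth2/token";

// Build the refresh request; URLSearchParams percent-encodes the token value.
function buildRefreshRequest(clientId, clientSecret, refreshToken) {
  const basic = Buffer.from(`${clientId}:${clientSecret}`).toString("base64");
  return {
    url: TOKEN_URL,
    method: "POST",
    headers: {
      "Authorization": "Basic " + basic,
      "Content-Type": "application/x-www-form-urlencoded",
    },
    body: new URLSearchParams({
      grant_type: "refresh_token",
      refresh_token: refreshToken,
    }).toString(),
  };
}

// Classify the token endpoint's answer from status code and raw body text.
function classifyRefreshResponse(status, bodyText) {
  let body;
  try { body = JSON.parse(bodyText) ?? {}; }
  catch { return { state: "error", reason: "non-JSON body" }; }
  if (status === 200 && body.access_token && body.refresh_token) {
    // A new pair was issued: persist it and stop using the old tokens.
    return { state: "valid", accessToken: body.access_token, refreshToken: body.refresh_token };
  }
  const errs = Array.isArray(body.errors) ? body.errors : [];
  if (status === 400 && errs.some((e) => e.errorType === "invalid_grant")) {
    return { state: "invalid", reason: "invalid_grant" }; // user must re-authorize
  }
  // Other failures (bad client credentials, rate limit, 5xx) say nothing about the token.
  return { state: "error", reason: errs.map((e) => e.errorType).join(",") || `HTTP ${status}` };
}

// Perform the check; fetchImpl is injectable so the logic can be exercised offline.
async function checkRefreshToken(clientId, clientSecret, refreshToken, fetchImpl = fetch) {
  const { url, ...init } = buildRefreshRequest(clientId, clientSecret, refreshToken);
  const res = await fetchImpl(url, init);
  return classifyRefreshResponse(res.status, await res.text());
}
```

Because a successful check returns a new token pair, store the result before doing anything else with it; only the `invalid` state should trigger re-authorization.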