01-02-2024 10:32
I am currently working on a research project with my university, and we want to get the intraday data of the research participants, so we want to develop a server-side application to request user data. I have looked throughout the internet and couldn't find a straightforward answer to this. I have some development experience and would like to know the simplest way to get this data for our research. Do I have to create a web app, or can I do a script which constantly queries the user data, once per day for example?
01-02-2024 13:16
Hi @ibrahim2808
You can create a web application or a script to query the user's data. There are only a few requirements.
1. Whichever method you use to call the endpoints, you will need an OAuth2 library for that language. See https://dev.fitbit.com/build/reference/web-api/developer-guide/libraries-and-sample-code/ for a list of known OAuth2 libraries.
2. Each user will need to consent to share their data with your client ID. The steps to set up the authorization flow can be found in our Getting Started page, https://dev.fitbit.com/build/reference/web-api/developer-guide/getting-started/. You can present the authorization URL to the user either in a web application or by email.
Let me know if you have any further questions.
Gordon
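Gordon's two requirements above (an OAuth2 client and a per-user consent step) are the Authorization Code Grant Flow that the Getting Started page walks through. The following Python is an added example, not code from this thread or from Fitbit: it generates a PKCE verifier/challenge pair per RFC 7636, builds the authorization URL to show the participant, and validates the redirect that comes back. The authorize endpoint URL is Fitbit's documented one; CLIENT_ID, REDIRECT_URI and the scope list are placeholders, and the callback URL in the demo is constructed.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Fitbit's documented authorization endpoint; client id and redirect URI are placeholders.
AUTHORIZE_URL = "https://www.fitbit.com/oauth2/authorize"
CLIENT_ID = "YOUR_CLIENT_ID"
REDIRECT_URI = "https://research.example.org/fitbit/callback"
# Constructed scope list: request only what the study actually needs.
SCOPES = ["activity", "heartrate", "sleep"]


def pkce_challenge(verifier: str) -> str:
    """RFC 7636 S256 method: BASE64URL(SHA256(verifier)) with '=' padding stripped."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_verifier() -> str:
    """RFC 7636 wants 43-128 URL-safe characters; token_urlsafe(64) yields 86."""
    return secrets.token_urlsafe(64)


def build_authorization_url(verifier: str, state: str) -> str:
    """URL to present to the participant. Keep `verifier` and `state` server-side,
    keyed to this participant's session, until the callback arrives."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
        "scope": " ".join(SCOPES),
        "redirect_uri": REDIRECT_URI,
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Validate the redirect back to REDIRECT_URI and return the authorization code."""
    qs = parse_qs(urlparse(callback_url).query)
    got_state = qs.get("state", [""])[0]
    if not secrets.compare_digest(got_state, expected_state):
        raise ValueError("state mismatch: reject the callback (possible CSRF or stale request)")
    if "error" in qs:
        raise PermissionError(f"authorization failed: {qs['error'][0]}")
    code = qs.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code


def demo() -> tuple:
    """Whole consent round-trip with a constructed callback standing in for Fitbit's redirect."""
    verifier = new_verifier()
    state = secrets.token_urlsafe(16)
    url = build_authorization_url(verifier, state)
    callback = f"{REDIRECT_URI}?code=CONSTRUCTED_CODE&state={state}"  # constructed
    code = parse_callback(callback, state)
    # Next step (not shown): POST code + redirect_uri + code_verifier=verifier to the token
    # endpoint from the server, never from the browser, and store the returned token pair.
    return url, code


if __name__ == "__main__":
    print(demo())
```

The verifier never leaves the server; only its SHA-256 challenge goes into the URL, so an intercepted authorization code cannot be exchanged without it. The `state` check is what ties the redirect back to the session that started the flow.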
01-03-2024 01:00
01-03-2024 09:28
I was also thinking of the following, if anyone can help:
- Create a web app where the user will log in and provide access authorization. (How frequently would they need to log in, or once they give us access would it last a long time before they need to authorize again?)
- Once logged in, the code is saved in a secure file on the server.
- A script running once per hour uses the provided code or token to get the user's data using the web API and stores it securely on the server.
Would this work, or are there any flaws in this?
01-15-2024 17:01
Hi,
I did everything according to the tutorial. The only concern is the lifetime of users' tokens. 8 hours of lifetime is not enough.
So, is there any way to lengthen it to one year? The "Implicit grant flow" section is not available now for the "client" app type.
01-22-2024 13:51 - edited 01-22-2024 13:52
Yes, you will need to refresh the tokens when they expire. We do not recommend automatically refreshing the tokens, as this generates unnecessary work if the user is not syncing their data. Instead, keep calling the endpoints with the user's access token until you get the HTTP status 401 Unauthorized with the message "Access token expired". See 401 Unauthorized. After receiving this message, refresh the user's token.
We have examples of what this would look like in the documentation. See Refresh Token.
01-22-2024 13:58
Once the user goes through your authorization flow and your application generates the access and refresh tokens, the user should not need to go through the authorization flow again. You'll want to keep the 2 tokens and keep refreshing them as the access token expires. See Using Tokens Effectively. Following these steps will allow your application constant access to the user's data until they revoke consent.
Again, I don't recommend refreshing the token automatically. It makes it difficult to troubleshoot why data is not populating for the user. Instead, refresh the tokens when the access token expires. Also, you can implement Subscriptions so your application gets notified when a user has uploaded new data to be downloaded. Lastly, if you are still not getting data for a user, you can use the Get Devices endpoint to find out when the user last synced their device.
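Gordon's advice above (keep both tokens, refresh only after a 401 "Access token expired", then persist the new pair) is what the hourly script proposed earlier in the thread has to implement. The following Python is an added example, not code from this thread or from Fitbit. The API is replaced by an in-memory fake so the logic runs offline; the fake's 401 body and its single-use, rotating refresh tokens are assumptions modelled on the thread's quoted message and on common OAuth2 server behaviour, and CLIENT_ID/CLIENT_SECRET are placeholders. The token endpoint URL and the refresh request shape are the standard RFC 6749 ones.

```python
import base64
import json
import os
import secrets
import tempfile
from dataclasses import dataclass

TOKEN_URL = "https://api.fitbit.com/oauth2/token"  # Fitbit token endpoint (documented)
CLIENT_ID = "YOUR_CLIENT_ID"                        # placeholders
CLIENT_SECRET = "YOUR_CLIENT_SECRET"


@dataclass
class Response:
    status: int
    body: dict


class TokenStore:
    """One participant's access/refresh pair on disk, written atomically with 0600 perms."""

    def __init__(self, path: str):
        self.path = path

    def load(self) -> dict:
        with open(self.path) as fh:
            return json.load(fh)

    def save(self, tokens: dict) -> None:
        tmp = self.path + ".tmp"
        with open(tmp, "w") as fh:
            json.dump(tokens, fh)
        os.chmod(tmp, 0o600)
        os.replace(tmp, self.path)  # atomic: the old pair stays readable until the new one is complete


def client_basic_auth() -> str:
    """HTTP Basic credentials for the token endpoint: base64(client_id:client_secret)."""
    return base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()


def token_expired(resp: Response) -> bool:
    """Only an expired-token 401 should trigger a refresh; other 401s mean something else is wrong."""
    return resp.status == 401 and any(e.get("errorType") == "expired_token"
                                       for e in resp.body.get("errors", []))


class FakeFitbit:
    """Constructed stand-in for api.fitbit.com (assumption): one valid access token at a time,
    and each refresh rotates both tokens so the previous refresh token stops working."""

    def __init__(self, access: str, refresh: str, expired: bool):
        self.access, self.refresh, self.expired = access, refresh, expired
        self.refresh_calls = 0

    def get(self, path: str, access_token: str) -> Response:
        if access_token != self.access or self.expired:
            return Response(401, {"errors": [{"errorType": "expired_token",
                                              "message": "Access token expired"}]})
        return Response(200, {"activities-steps": [{"dateTime": "2024-01-01", "value": "8432"}]})

    def post_token(self, form: dict, basic_auth: str) -> Response:
        self.refresh_calls += 1
        if (basic_auth != client_basic_auth() or form.get("grant_type") != "refresh_token"
                or form.get("refresh_token") != self.refresh):
            return Response(400, {"errors": [{"errorType": "invalid_grant"}]})
        self.access = "acc-" + secrets.token_hex(8)
        self.refresh = "ref-" + secrets.token_hex(8)
        self.expired = False
        return Response(200, {"access_token": self.access, "refresh_token": self.refresh,
                              "expires_in": 28800, "token_type": "Bearer"})


class FitbitClient:
    """Calls endpoints with the stored access token; refreshes only on an expired-token 401."""

    def __init__(self, store: TokenStore, http):
        self.store, self.http = store, http

    def refresh(self, tokens: dict) -> dict:
        form = {"grant_type": "refresh_token", "refresh_token": tokens["refresh_token"]}
        resp = self.http.post_token(form, client_basic_auth())
        if resp.status != 200:
            # Refresh token rejected: access is gone and the participant must re-consent.
            raise PermissionError("refresh failed; user must re-authorize")
        new = {"access_token": resp.body["access_token"], "refresh_token": resp.body["refresh_token"]}
        self.store.save(new)  # persist the rotated pair before anything else can fail
        return new

    def get(self, path: str) -> Response:
        tokens = self.store.load()
        resp = self.http.get(path, tokens["access_token"])
        if token_expired(resp):
            tokens = self.refresh(tokens)
            resp = self.http.get(path, tokens["access_token"])
        return resp


def demo() -> tuple:
    """Expired stored token -> one refresh -> data; a second call needs no refresh."""
    store = TokenStore(os.path.join(tempfile.mkdtemp(), "participant_123.json"))
    store.save({"access_token": "acc-old", "refresh_token": "ref-old"})  # constructed
    server = FakeFitbit("acc-old", "ref-old", expired=True)
    client = FitbitClient(store, server)
    path = "/1/user/-/activities/steps/date/2024-01-01/1d.json"
    first, second = client.get(path), client.get(path)
    return first.status, second.status, server.refresh_calls, store.load()["refresh_token"] == server.refresh


if __name__ == "__main__":
    print(demo())
```

The atomic write is the part that matters for the "secure file" in the earlier post: when the server issues a new refresh token and invalidates the old one, a crash between receiving and writing the new pair would leave the script with a dead refresh token and force the participant back through consent. A PermissionError from `refresh` is the signal that this has happened and that the participant needs a fresh authorization link rather than more retries.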
01-22-2024 14:03 - edited 07-12-2024 07:29
Hi @RogersSong
The tutorial and documentation demonstrate the Authorization Code Grant Flow, which is the most secure method for consent. As long as you maintain the access and refresh tokens, your application will have constant access to the user's data until the user revokes consent. Using the implicit grant flow is not a great alternative. One, it exposes the access token in the URL and opens your application to man-in-the-middle attacks. Two, after the token expires, your application loses access to the user's data. To gain access again, the user would need to complete the authorization flow again.
The only time I recommend using the implicit grant flow is testing your application against your own Fitbit account. The security risk is low and you're putting your own data at risk.
07-11-2024 12:13
If you'd rather not develop / host a custom software application, we have a software product called Fitabase (https://www.fitabase.com) that makes it very easy to collect / monitor / export Fitbit data for research. Please reach out with any questions!