Fitbit Developers oversee the SDK and API forums. We're here to answer questions about Fitbit developer tools, assist with projects, and make sure your voice is heard by the development team.
Please make sure to check out our tutorial page with step-by-step instructions on how to obtain an access token or how to use the code and refresh token flow.
Note: each access token issued by Fitbit is a JWT token. Use jwt.io to get insights about what data this token has. Worth noting: the refresh token is not a JWT token.
Okay, I found out where I went wrong! Two things:
What did you paste in the box to get the auth token? Never run a curl request before and have 0 idea how to
Most computers these days have curl installed as part of the operating system. If not, you can download the tools from https://curl.se/. Once set up, cut/paste the curl statement provided and execute it at a command prompt. The result will provide the access token and refresh token, similar to this:
{"access_token":"eyJhbGciOiJIUzI1NiJ9.eyJhdWQiOiIyMkJYVEwiLCJzdWIiOiI2SzVaXQiLCJ0eXAiOiJhY2Nlc3NfdG9rZW4iLCJzY29wZXMiOiJ3aHIgd251dCB3cHJvIHdzbGUgd3dlaSB3c29jIHdhY3Qgd3NldCB3bG9jIiwiZXhwIjoxNjQ5ODA1ODAwLCJpYXQiOjE2NDk3NzcwMDB9.6I8wkZZ_ytudFujdXGDIK85QSNNlm6274Pt93c34xAI","expires_in":28800,"refresh_token":"3e46e3a7cdcb6c19943a7cc9f0f18c3cca54fe08757df12e5449","scope":"heartrate nutrition sleep social activity location profile settings weight","token_type":"Bearer","user_id":"123ABC"}
Enter your response into the field at step 2.
So do I copy/paste everything starting from "curl" and ending at ..."/token"? Instructions aren't clear to me.
Yes, you will copy the entire curl statement and execute it at a command prompt on your machine. If you get an error that curl cannot be found, then you will need to download and install the curl application (https://curl.se/).
Is there any flow that can allow for indefinite valid authentication? I want to have a stand-alone device running that can access a personal fitbit, but the token would eventually time out and I'd need to get back in and get a new code. Is there any way to make it so the stand-alone device can just keep running?
Fitbit does not support an authorization flow that creates a single, non-expiring access token. But there are 2 options that are close:
1. Authorization Code Grant Flow - this authorization flow creates a short-lived token and a single-use refresh token. When the access token expires, you use the refresh token to obtain a new access token and refresh token. By maintaining the tokens through this process, the application maintains access to the user's data until the Fitbit user revokes consent. See https://dev.fitbit.com/build/reference/web-api/developer-guide/best-practices/#Using-Tokens-Effectiv...
2. Implicit Grant Flow - this authorization flow is less secure than the Authorization Code Grant Flow because it is susceptible to man-in-the-middle attacks. However, this flow will create an access token that can last for up to 1 year. The application will not receive a refresh token. When the access token expires, the user will need to go through the authorization flow again for the application to obtain a new access token.
Gordon
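Added example, not part of the original thread and not Fitbit's own code: one way a stand-alone device can keep the token pair from option 1 alive. It refreshes shortly before expiry and writes the new single-use refresh token to disk atomically, with owner-only permissions, before the new access token is used. The token file layout (`expires_at`), the function names and the 300-second skew are assumptions of this sketch; the request follows Fitbit's documented refresh call to `https://api.fitbit.com/oauth2/token` with HTTP Basic client authentication.

```python
import base64, json, os, tempfile, time, urllib.parse, urllib.request

TOKEN_URL = "https://api.fitbit.com/oauth2/token"

def http_post(url, headers, body):
    """Default transport: POST a form body and return the parsed JSON reply."""
    req = urllib.request.Request(url, data=body.encode(), headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def save_tokens(path, tokens):
    """Write the token file atomically; mkstemp creates it with mode 0600."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w") as f:
        json.dump(tokens, f)
        f.flush()
        os.fsync(f.fileno())
    os.replace(tmp, path)  # the old pair stays on disk until this succeeds

def get_access_token(path, client_id, client_secret,
                     post=http_post, now=time.time, skew=300):
    """Return a usable access token, refreshing and persisting near expiry."""
    with open(path) as f:
        tokens = json.load(f)
    if tokens["expires_at"] - skew > now():
        return tokens["access_token"]
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urllib.parse.urlencode({"grant_type": "refresh_token",
                                   "refresh_token": tokens["refresh_token"]})
    reply = post(TOKEN_URL, headers, body)
    # The old refresh token is spent once the server answers, so the new
    # pair is persisted before the access token is handed to the caller.
    fresh = {"access_token": reply["access_token"],
             "refresh_token": reply["refresh_token"],
             "expires_at": now() + reply["expires_in"]}
    save_tokens(path, fresh)
    return fresh["access_token"]
```

If the device loses power between the server's reply and `os.replace`, the stored refresh token is already consumed and the user has to authorize again, so keep that window as short as it is here.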
Hello @IoanbsuFitbit Are there any considerations in getting tokens via CURL vs Postman/Insomnia/ Nodejs Axios library?
I'm getting proper tokens from CURL commands, but migrating such request to Axios... it just ends in weird encoded data response.
I just posted a sample here: https://community.fitbit.com/t5/SDK-Development/OAuth2-0-Code-Grant-Flow-Getting-weird-encoded-respo...
Hi
Does the change below have an impact on OAuth2 Auth (fitbit.com/oauth2/)? https://dev.fitbit.com/build/reference/web-api/troubleshooting-guide/oauth2-tutorial/
https://community.fitbit.com/t5/Fitbit-Premium/Deprecating-the-Dashboard-on-8-July/m-p/5615052
Thank you,
Naveen
Hi @knaveen
The deprecation dashboard has no impact on the Web API. The dashboard, found by logging into https://www.fitbit.com, is one of the tools Fitbit users can use to see or edit their data. We will be focusing our resources on the mobile experience.
Thank you so much.
From my understanding, Fitbit's OAuth2.0 services, including the authorization endpoint at https://www.fitbit.com/oauth2/authorize, continue to operate as usual after the dashboard is deprecated on fitbit.com.
Is this correct? Please confirm.
Hi,
This is a nice tool, but I have found that it doesn't include the redirect_uri in the initial authorization URL?
I am trying to debug our authorisation URL to test the Fitbit login page, but it's missing the redirect_uri.
Hi there, I got a "403 Forbidden" message after clicking <OAuth 2.0 tutorial page>. The Forbidden message showed up no matter whether I checked an old App generated in 2022 or a new one just registered. Would it be an issue caused by the "Redirect URL"? I put it as " http://127.0.0.1:0808/ " as usual. Thanks for any help in advance.
Hi @YvonneLee
Try changing the redirect URI to https://localhost:0808/ and see if that works.