12-14-2020 09:01
We are integrating the Fitbit API into our Android app. However, to cut down on client-side complexity, we planned to use a web service on the back end to fetch user data. The authorization code flow is initiated on the client using PKCE and a random state value. We then send the refresh token to our server to handle data requests using client secret verification.
What is the appropriate OAuth2 application type for this flow? The client-side PKCE only works with the application type set to “client”. However, as all data is collected on the backend, “server” feels more appropriate. Are there any downsides to setting the application type to “client”?
12-15-2020 09:21
If you're using a web service, then PKCE is not required and you should set the application type to "server". Application type "client" is used for applications that don't use a web service.
Senior Technical Solutions Consultant
Fitbit Partner Engineering & Web API Support | Google
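The two halves of the flow the question describes, as an added example that is not code from either poster or from Fitbit: the client builds the PKCE pair and random state and checks the state on the callback, while only the back end holds the client secret and refreshes the token with HTTP Basic credentials, which is what a "server" type application does. The endpoint URLs are assumptions for illustration; check them against the current Fitbit documentation.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Endpoint URLs are assumptions for illustration; confirm against the current Fitbit docs.
AUTHORIZE_URL = "https://www.fitbit.com/oauth2/authorize"
TOKEN_URL = "https://api.fitbit.com/oauth2/token"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def new_pkce_pair() -> tuple[str, str]:
    """Fresh high-entropy verifier (43 chars from 32 random bytes) and its challenge."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, pkce_challenge(verifier)


def build_authorize_url(client_id: str, redirect_uri: str, scope: str,
                        state: str, challenge: str) -> str:
    """Client side: start the authorization code flow with PKCE and a random state."""
    params = {
        "response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
        "scope": scope, "state": state,
        "code_challenge": challenge, "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def state_matches(expected: str, returned: str) -> bool:
    """Reject the callback unless state matches; constant-time compare avoids timing leaks."""
    return hmac.compare_digest(expected.encode(), returned.encode())


def refresh_request(client_id: str, client_secret: str, refresh_token: str) -> dict:
    """Back end: the confidential client sends its secret in an HTTP Basic header.
    The secret never ships inside the app; only the server holds it."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode("ascii")
    return {
        "url": TOKEN_URL,
        "headers": {"Authorization": f"Basic {creds}",
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": {"grant_type": "refresh_token", "refresh_token": refresh_token},
    }
```

Generate `state` with `secrets.token_urlsafe()` per login attempt and bind it to the user's session so a callback carrying someone else's code is rejected.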