Hi,

Yeah the access token and refresh token were stored together and there is no way that the access token got refreshed and stored and the refresh token didnt. Both were generated at the same time. 

I believe I am seeing the same issue. In extremely rare cases (approximately 0.04%) when we try to get new tokens, we get an invalid_grant error saying the refresh token is bad. I have logged the first few characters of the token and can verify that we are using the most recently obtained refresh token.

The refresh token cannot be used more than once. We are getting the `invalid_grant` issue the first time it's used. We have tens of thousands of connected consumers and the failure happens only about 0.04% of the time.

If you PM me your client IDs with specific examples of users, then I can look into it. Also would be good to know when/how often this occurs.

We are seeing the issue since last few days. Everything was working correctly for 3-4 months, but since last week, we have started getting Refresh token invalid error. This happens sporadically, generally after a few hours of authentication. I have verified that we are using latest Refresh token and only using it once. 

What I don't understand is, how does work for a few hours and then suddenly stop working. This makes it very difficult to debug.

In the past couple of weeks we're experiencing a lot of Refresh token invalid problems. Can someone escalate this issue. The fitbit api and our system has been running without problems for 6 months until 2 weeks ago. 

@SteveWT @rohanj I've sent you both PMs asking for more information.

---

@DavidSFitbit wrote:

@SteveWT @rohanj I've sent you both PMs asking for more information.

---

@DavidSFitbit we've started seeing this issue happen in our app as well, would you be able to help us troubleshoot? Are there any signs this is a wider, API issue?

We are still seeing the issue here. It happens extremely rarely (we lose just a few customers a day out of tens of thousands, less than 0.01% (i.e. less than 1 in 10,000).

I tested disconnecting via Fitbit but was some time ago so I don't remember exactly what happens but it was not the invalid_grant error.

As AndrewFitbit requested in March, I sent some examples but have not heard back yet. It does seem to be happening less often now than it used to. I may just have more accurate data now, though. In the meantime, we disconnected several thousand consumers that were in this broken state and we now automatically disconnect consumers who no longer have access to our software.

We are unwilling to automatically disconnect consumers as a result of this error since it can also be caused by a misconfiguration of the api key and secret.

Thanks @rossiam for your answer.

I noticed this happens only with accounts we use to test the Fitbit integration. We have multiple test environments in addition to the production one and all of them use the same Fitbit dev account (maybe we should not ?).

While I am connected to only one environment, it works. But as soon as I connect my account to another environment, I get this issue (not always at the first refresh but it always ends up happening).

When I revoke the access to our application from the Fitbit account manager and I reconnect it, I do not have the issue. It sounds like the authorization revocation clears everything associated to the account.

I don't know why using the same Fitbit account in multiple environments could cause this issue. Maybe because there are multiple valid refresh tokens associated to the same Fitbit account and client application that are sometimes renewed? As far as I know, this should be possible.

And I just come to test what happens when I revoke the authorization to our application. I get a 400 status code with the following body:

{"errors":[{"errorType":"invalid_grant","message":"Refresh token invalid: {myRefreshToken}. Visit https://dev.fitbit.com/docs/oauth2 for more information on the Fitbit Web API authorization process."}],"success":false}

It is the reason why we chose to disconnect the consumer. Indeed, as soon as the refresh token is invalid, how can we have a chance to get another valid one?

But you are right, I did not think about a misconfiguration regarding the API key and secrets. In this case we would disconnect all of our customers. I am going to think about this question...

Have a good day!

We are still experiencing this issue. I don't think its the result of the user disconnecting from our app because it would also remove the subscriptions.

@sparkwatson, you are right, according to my tests I can confirm that when you revoke the authorization it removes the subscriptions. If it was not the case, you would continue to receive some informations from Fitbit.

Moreover, I could easily reproduce this issue with my account (by using my account in multiple environments as described above) without revoking the authorization.

To sum-up, we receive the same error message as if the user has revoked the authorization but it is not the case.

We would go days without a refresh token issue, now we're seeing about the same error rate as you (rossiam).

I came across this thread just now because ...

Our support team just approached me and said they are now sending a number of emails a day, every day, to have our customers re-authorize our application with Fitbit because Fitbit reported their refresh token was invalid. This looks to have started in/around early July, per my logs -- months after our last change to our Fitbit interface (which was just for logging).

I am still looking for a workaround. I was wondering whether there is any chance it can work if we immediately retry to refresh the token when we get this error. Did someone test this idea?

We pause for 2 seconds and then try one more time.  I didn't see in our logs where this was successful.

Indeed, I tried this tip and I got the same result in the second call.

Could someone from Fitbit could help us fix this issue?