05-20-2022 02:50
Hello,
Sorry, I already posted this but in the wrong section of the forum (SDK development), so I am reposting it here.
Context:
I have an application that uses OAuth2 to get the number of steps once a day.
The problem is:
At some point, we get an error while using the refresh token to get a new access token
{"errors":[{"errorType":"invalid_grant","message":"Refresh token invalid: 6e7......... Visit https://dev.fitbit.com/docs/oauth2 for more information on the Fitbit Web API authorization process."}],"success":false}
How do we proceed:
- We're always getting the access_token and refresh_token successfully the first time.
- We successfully get the number of steps right after getting the first access token.
- The following day, we try with the old access token, and if the API response says that the access token is invalid, then we use the refresh token to get a new access token.
At this point, sometimes it works, and sometimes we get an error message saying "invalid refresh token".
A lot of weird things happen with this bug:
- It works perfectly on our dev environment (it's the remote platform for internal testers, not the local environment)
- It worked for a watch (linked to a Fitbit application) but not for another one (linked to another Fitbit application) on the staging environment. Both applications are configured exactly the same way.
If someone knows what happens here, some help would be much appreciated
Thanks
05-20-2022 11:53
Hi @qlerebours
When you try to refresh the access token, are you getting a 500 error and then trying the request again?
Gordon
05-24-2022 07:07
We are getting an error, but I don't know which error code this is since it's not written in my logs. It says:
{"success":false,"errors":[{"errorType":"expired_token","message":"Access token expired: eyJhbGciOiJIUzI1NiJ9.eyJhd.... Visit https://dev.fitbit.com/docs/oauth2 for more information on the Fitbit Web API authorization process."}]}
Then we try to get a new access token, using the refresh token, but we get a 400 that says:
error [400 ] during [POST] to [https://api.fitbit.com/oauth2/token?grant_type=refresh_token&refresh_token=97df*****ae3a] [FitbitApiClient#refreshTokens(String,String)]: [{"errors":[{"errorType":"invalid_grant","message":"Refresh token invalid: 97df375d37f********ae3a. Visit https://dev.fitbit.com/docs/oauth2 for more information on the Fitbit Web API authorization process."}],"success":false}]
05-26-2022 18:25
Hi @qlerebours,
Could you please PM me your Client ID and the most recent refresh token that you're seeing an invalid grant error with?
05-27-2022 01:02
I just sent it, thanks 🙂
06-08-2022 07:29
Hi @qlerebours
Somehow the tokens appear to have gotten out of sync. Please send the user through the authorization flow again to obtain the most recent access and refresh tokens.
Is this problem occurring often or was this the only instance?
06-08-2022 08:58
Hi @Gordon-C
It appears every time. It works the first time, then it never works again, and we tried with multiple watches and Fitbit applications and had the same results.
06-24-2022 12:59
Thank you for providing me with the requested information. I was able to find your recent use case in our logs. It appears your code is not updating the refresh token and using the new token in a future request. For example,
On 2022-06-18 06:00:00, you use refresh token 0596c7dd... successfully. We provide you with the new access token and refresh token. The new refresh token is 24514645... However, all future refresh token requests are using the refresh token 0596c7dd...
Each time you refresh your token, your application will receive a new access token and new refresh token. You'll need to store the new refresh token. After a refresh token is used once, it becomes invalid. You'll need to use the new refresh token to obtain the next set of access and refresh tokens. See https://dev.fitbit.com/build/reference/web-api/developer-guide/best-practices/#Using-Tokens-Effectiv... for more information.
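The single-use rotation described in this answer, as an added example that is not part of the original thread and is not Fitbit's or the poster's code. `FakeTokenEndpoint`, `TokenStore` and `refresh_and_persist` are hypothetical names, and the endpoint is a constructed in-memory stand-in so the example runs offline.

```python
import json, os, secrets, tempfile

class FakeTokenEndpoint:
    """Constructed stand-in for a token endpoint: each refresh token works once."""
    def __init__(self):
        self.valid = None
    def issue(self):
        self.valid = secrets.token_hex(8)  # rotating invalidates the previous token
        return {"access_token": secrets.token_hex(8), "refresh_token": self.valid}
    def refresh(self, refresh_token):
        if refresh_token != self.valid:
            return 400, {"success": False, "errors": [{"errorType": "invalid_grant"}]}
        return 200, self.issue()

class TokenStore:
    """Persists the token pair atomically; mkstemp creates the file with mode 0600."""
    def __init__(self, path):
        self.path = path
    def load(self):
        with open(self.path) as f:
            return json.load(f)
    def save(self, tokens):
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(self.path) or ".")
        with os.fdopen(fd, "w") as f:
            json.dump(tokens, f)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, self.path)  # a crash never leaves a half-written pair

def refresh_and_persist(endpoint, store):
    """Refresh with the stored token, then store BOTH new tokens before returning."""
    status, body = endpoint.refresh(store.load()["refresh_token"])
    if status != 200:
        raise PermissionError(body["errors"][0]["errorType"])  # re-authorize the user
    store.save({"access_token": body["access_token"],
                "refresh_token": body["refresh_token"]})
    return body["access_token"]

def demo():
    endpoint = FakeTokenEndpoint()
    store = TokenStore(os.path.join(tempfile.mkdtemp(), "tokens.json"))
    first = endpoint.issue()           # initial authorization
    store.save(first)
    refresh_and_persist(endpoint, store)   # day 2: rotates the pair
    refresh_and_persist(endpoint, store)   # day 3: works because the new token was stored
    status, body = endpoint.refresh(first["refresh_token"])  # the bug: reusing the old token
    in_sync = store.load()["refresh_token"] == endpoint.valid
    return status, body["errors"][0]["errorType"], in_sync

if __name__ == "__main__":
    print(demo())
```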
04-10-2024 03:43 - edited 04-10-2024 03:46
Even when I use the refresh token for the first time, it gives a 400 error. "{\"errors\":[{\"errorType\":\"invalid_grant\",\"message\":\"Refresh token invalid: beee772c1..... Visit https://dev.fitbit.com/docs/oauth2 for more information on the Fitbit Web API authorization process.\"}],\"success\":false}". What is the reason for this? I tried every approach, but I get the same error every time.
04-10-2024 12:16
Hi @nadun,
Welcome to the forums!
My first initial thought from your error response is that your refresh token is strangely generated (I've never seen it begin with 4 letters), which makes me wonder if you're capturing your refresh token correctly or if that was an unintentional typo.
When you exchange the authorization_code to obtain an access_token and refresh_token, are you storing both tokens? When you refresh your tokens, are you updating your backend with the new updated access_token and refresh_token?
If you've lost your refresh token, I recommend going through the authorization flow again to obtain a new access_token and refresh_token pair. Then refer to our Best Practices for using tokens efficiently.
If you're still encountering issues with refreshing your token, please submit a Web API Support Case.
Hope this helps!
04-10-2024 21:46
Hello John, thank you very much for your feedback. However, I could solve it myself after spending a few hours on it. There was a typo in a variable returned as JSON, where the debugging did not help with it.