02-05-2020 14:51 - edited 02-05-2020 15:26
- Mark as New
- Bookmark
- Subscribe
- Permalink
- Report this post

02-05-2020 14:51 - edited 02-05-2020 15:26
- Mark as New
- Bookmark
- Subscribe
- Permalink
- Report this post
Hello,
I have a simple question.
After the user gives my app permission to access Fitbit data.
I retrieved the access token successfully. 🙂
What is the next step?
Should I save the (Access token) for every user in my database? or is it preferable to save it in the shared preferences?
I think it should be saved in a secure place, but I don't know what is the best way to do this.
Note :
I want to access the user data from server-side code also, so in this case, should I save it in DB?
to summarize: I will get the access token using my Android App, & I want to use the access token for both sides ( server and client side ).
Thank you for your time.
#Android #Java #WebAPI #Fitbit
Answered! Go to the Best Answer.
Accepted Solutions
02-07-2020 13:56
- Mark as New
- Bookmark
- Subscribe
- Permalink
- Report this post



02-07-2020 13:56
- Mark as New
- Bookmark
- Subscribe
- Permalink
- Report this post
Hi @Ria2,
Welcome to the forums!
It depends on which authorization flow you chose.
- If you use the Authorization Code Grant Flow, access tokens and refresh tokens should be stored on your application. Your application will use the access token to make requests to the Fitbit API. It will use the refresh token to obtain a new access token when the access token expires without having to prompt the user.
- If you used the Implicit Grant Flow, access tokens should only be stored on the device used to obtain the authorization. Unlike the Authorization Code Grant Flow, the refresh tokens are not issued with the Implicit Grant Flow. Refreshing a token requires the use of the client secret, which cannot safely be stored in distributed application code. When the access token expires, users will need to re-authorize your app.
I hope this helps. Please let me know if you have any additional questions.

02-07-2020 13:56
- Mark as New
- Bookmark
- Subscribe
- Permalink
- Report this post



02-07-2020 13:56
- Mark as New
- Bookmark
- Subscribe
- Permalink
- Report this post
Hi @Ria2,
Welcome to the forums!
It depends on which authorization flow you chose.
- If you use the Authorization Code Grant Flow, access tokens and refresh tokens should be stored on your application. Your application will use the access token to make requests to the Fitbit API. It will use the refresh token to obtain a new access token when the access token expires without having to prompt the user.
- If you used the Implicit Grant Flow, access tokens should only be stored on the device used to obtain the authorization. Unlike the Authorization Code Grant Flow, the refresh tokens are not issued with the Implicit Grant Flow. Refreshing a token requires the use of the client secret, which cannot safely be stored in distributed application code. When the access token expires, users will need to re-authorize your app.
I hope this helps. Please let me know if you have any additional questions.

02-07-2020 16:06
- Mark as New
- Bookmark
- Subscribe
- Permalink
- Report this post

02-07-2020 16:06
- Mark as New
- Bookmark
- Subscribe
- Permalink
- Report this post
Okay Thank you , this is almost the perfecr answer! Very useful:-)
But i still have simple inquery, when i save the access key (which retrieved by Implicit Grant flow ), should I save it in an encoded form?

02-10-2020 16:59
- Mark as New
- Bookmark
- Subscribe
- Permalink
- Report this post



02-10-2020 16:59
- Mark as New
- Bookmark
- Subscribe
- Permalink
- Report this post
@Ria2 The access token you receive through the implicit grant flow is already encoded when you receive it. If you'd like to see them decoded, you can use https://jwt.io/.

07-17-2022 02:15
- Mark as New
- Bookmark
- Subscribe
- Permalink
- Report this post

07-17-2022 02:15
- Mark as New
- Bookmark
- Subscribe
- Permalink
- Report this post
- Who Voted for this post?
I have a question, too. I'm building a server-side application that allows users access via web browsers. I can save the access token for every user. But when a user visit, I can't know which user he is. Is there a way to tackle this?
