Still missing access control headers in API responses

Dear Fitbit developers,

I’ve noticed that I’m still encountering many preflight (CORS policy) errors because not all endpoints return the required access control headers in their responses. Some endpoints do this correctly and don't cause any issues.

I see this topic mentioned in various threads on this forum, such as:

https://community.fitbit.com/t5/Web-API-Development/401-Unauthorized-error-for-OPTIONS-preflight-req...
https://community.fitbit.com/t5/Web-API-Development/Missing-CORS-response-header-for-activity-APIs/t...

However, when users ask for updates, there is no response. This is very frustrating, as this issue is breaking many of your users’ apps.

In our case, the following endpoints are affected:

https://api.fitbit.com/1/user/-/activities/calories/date/startdate/enddate.json
https://api.fitbit.com/1/user/-/body/weight/date/startdate/enddate.json
https://api.fitbit.com/1/user/-/body/fat/date/startdate/enddate.json

The other endpoints are working fine at this moment.

Hopefully, someone can respond. As this problem keeps recurring, it is becoming impossible to develop stable apps. 😞

[EDIT] Anyone? @GordonFitbit @JohnFitbit Any other Fitbit dev? Do you need more information? I also tried to email but it looks impossible to get in contact about this subject. 😞 Please help, my app is broken....

Kind regards,
Robert

0 Votes
2 REPLIES

Hi @RobertDev 

Thank you for your patience. I'm currently researching this problem and will reply once I get an answer.

Thank you so very much @GordonFitbit !

Some information that might help. Below we see a request that succeeds and other requests that fail. The first one has all the required headers:

RobertDev_1-1753423231569.png

Now look at a request that fails:

RobertDev_4-1753423445277.png

Because there are missing headers, this results in:

RobertDev_5-1753423488629.png

Hope this helps. Other information that may help: the same problem existed on other endpoints early this year. That was fixed then. The current issue is exactly the same as then, but now for the other endpoints I mentioned.

Do I need to provide you with my client IDs?

Thanks in advance for your support! 

0 Votes
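
The failure described in this thread, as an added example that is not part of the original posts and is not Fitbit code: a simplified version of the check a browser applies to a preflight (OPTIONS) response before it sends the real request. The origin `https://app.example`, both sample responses and the assumption that the app sends an `Authorization` header are constructed for illustration.

```javascript
// Simplified form of the browser's CORS preflight check (Fetch standard),
// assuming no cookies/credentials mode: the token travels in Authorization.
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);

function getHeader(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : String(headers[key]);
}

function tokenList(value) {
  return value === null ? [] : value.split(",").map(t => t.trim()).filter(Boolean);
}

function checkPreflight(request, response) {
  const problems = [];
  if (response.status < 200 || response.status > 299) {
    problems.push(`preflight status ${response.status} is not 2xx`);
  }
  const allowOrigin = getHeader(response.headers, "Access-Control-Allow-Origin");
  if (allowOrigin === null) {
    problems.push("missing Access-Control-Allow-Origin");
  } else if (allowOrigin !== "*" && allowOrigin !== request.origin) {
    problems.push(`Access-Control-Allow-Origin does not match ${request.origin}`);
  }
  const methods = tokenList(getHeader(response.headers, "Access-Control-Allow-Methods"));
  const method = request.method.toUpperCase();
  if (!SAFELISTED_METHODS.has(method) && !methods.includes(method) && !methods.includes("*")) {
    problems.push(`method ${method} not in Access-Control-Allow-Methods`);
  }
  const allowed = tokenList(getHeader(response.headers, "Access-Control-Allow-Headers"))
    .map(h => h.toLowerCase());
  for (const name of request.headers.map(h => h.toLowerCase())) {
    // The "*" wildcard never covers Authorization; it must be listed by name.
    const ok = allowed.includes(name) || (allowed.includes("*") && name !== "authorization");
    if (!ok) problems.push(`header ${name} not in Access-Control-Allow-Headers`);
  }
  return { allowed: problems.length === 0, problems };
}

// Constructed samples (not captured from the Fitbit API).
const sampleRequest = { origin: "https://app.example", method: "GET", headers: ["Authorization"] };
const completePreflight = { status: 200, headers: {
  "Access-Control-Allow-Origin": "https://app.example",
  "Access-Control-Allow-Methods": "GET, OPTIONS",
  "Access-Control-Allow-Headers": "authorization" } };
const incompletePreflight = { status: 401, headers: { "Content-Type": "application/json" } };
console.log(checkPreflight(sampleRequest, completePreflight));
console.log(checkPreflight(sampleRequest, incompletePreflight));
```

Feeding it the status and headers copied from the browser's network tab for a working and a failing endpoint shows which header is absent on each.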