I reviewed the subscription API documentation and am stuck on how associations are being made between the app I have registered and the clients who will grant my app permissions using OAuth 2.0.  From what I gather from the documentation.  First, I create a new app for fitbit.  Next, I create my endpoint to receive the notification, which must respond with either a 204 or 404 depending upon if the correct verification code is sent.  This is where things begin to get confusing.  Where it talks about adding a subscription.  Am I making this post call:

POST https://api.fitbit.com/1/user/-/apiSubscriptions/320.json

for every user who's data I need notifications for or is this just where I am letting fitbit know which collection paths I want sent to my endpoint, denoted by the subscription id?