
Unable to unsubscribe from subscription webhooks

The current Web API's Delete Subscription endpoint requires a valid access token (or refresh token that can be used to get an access token).  However, we have thousands of users who have deleted our app, leaving us with no way to refresh their expired tokens.  In short, we get thousands of webhook notifications a day for users who are not in our system.  


Trying to use an expired access token fails, as you'd expect:

{"success":false,"errors":[{"errorType":"expired_token","message":"Access token expired: eyJhbGciOiJIUzI1NiJ9.XXXXXXXXX.YYYYYYYYY. Visit https://dev.fitbit.com/docs/oauth2 for more information on the Fitbit Web API authorization process."}]}


And attempting to get a new access token from an expired refresh token also fails.


Furthermore, there's no way to call this endpoint on their behalf (e.g. using Basic auth as described here).  When trying this, we get a pretty descriptive error message: "API client is not authorized by the resource owner to access the resource requested."


Example:

curl -X DELETE "https://api.fitbit.com/1/user/8NCR2K/activities/apiSubscriptions/8NCR2K-activities.json" \
-H "accept: application/json" \
-H "authorization: Basic <base64-encoded-client-id:client-secret>"

Response:

{
  "errors": [
    {
      "errorType": "insufficient_permissions",
      "message": "API client is not authorized by the resource owner to access the resource requested. Visit https://dev.fitbit.com/docs/oauth2 for more information on the Fitbit Web API authorization process."
    }
  ],
  "success": false
}


In this solved thread, the answer seems to indicate that Fitbit will allow client-level subscription management via a new feature.  When is this feature going to be available?


cc @GordonFitbit 
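Since the thread's problem is a receiver that keeps getting notifications for users whose tokens it can no longer refresh, the practical mitigation on the receiving side is to authenticate each delivery, process only the users still in the system, and keep a list of orphaned (ownerId, subscriptionId) pairs for later cleanup. The following is an added example written for this page, not code from the original post or from Fitbit. Assumptions: the X-Fitbit-Signature header is a base64 HMAC-SHA1 over the raw body keyed with the client secret plus "&" (check this against the current Fitbit documentation); the HTTP status codes chosen, the CLIENT_SECRET, the user ids and the sample delivery are all constructed for illustration. The `classify_delete_response` helper uses the two `errorType` values quoted in the post above.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, List, Set, Tuple

# Constructed stand-ins for the app's real client secret and user table.
CLIENT_SECRET = "example-client-secret"
KNOWN_USERS: Set[str] = {"USER01"}


def compute_signature(body: bytes, client_secret: str) -> str:
    """Base64 of HMAC-SHA1 over the raw body, keyed with client_secret + "&".

    Assumption: this is the X-Fitbit-Signature scheme from Fitbit's
    subscription docs; confirm against the current documentation before use.
    """
    key = (client_secret + "&").encode()
    digest = hmac.new(key, body, hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def verify_signature(body: bytes, header_value: str, client_secret: str) -> bool:
    """Constant-time comparison so a forged header cannot be guessed byte by byte."""
    expected = compute_signature(body, client_secret)
    return hmac.compare_digest(expected, header_value or "")


def triage_notifications(body: bytes, known_users: Set[str]) -> Tuple[List[Dict], List[Dict]]:
    """Split a delivery into notifications for users we hold tokens for and orphans."""
    active: List[Dict] = []
    orphaned: List[Dict] = []
    for note in json.loads(body):
        owner = note.get("ownerId")
        if note.get("ownerType") != "user" or not owner:
            continue  # skip malformed entries instead of failing the whole batch
        (active if owner in known_users else orphaned).append(note)
    return active, orphaned


def handle_webhook(body: bytes, signature_header: str, client_secret: str,
                   known_users: Set[str]) -> Dict:
    """Decide what the receiver does with one delivery (status codes are this example's choice)."""
    if not verify_signature(body, signature_header, client_secret):
        return {"status": 401, "process": [], "orphans": []}
    active, orphaned = triage_notifications(body, known_users)
    return {
        "status": 204,
        "process": [n["subscriptionId"] for n in active],
        # Deduplicated pairs to unsubscribe once a path without user tokens exists.
        "orphans": sorted({(n["ownerId"], n["subscriptionId"]) for n in orphaned}),
    }


def classify_delete_response(status: int, body: Dict) -> str:
    """Map a Delete Subscription result to the next action, using the errorType
    values quoted in the thread (a successful delete returns 204 with no body)."""
    if status == 204:
        return "deleted"
    errors = body.get("errors") or [{}]
    error_type = errors[0].get("errorType")
    if error_type == "expired_token":
        return "refresh_token_then_retry"
    if error_type == "insufficient_permissions":
        return "needs_user_token"  # client credentials alone cannot delete it
    return "unknown_error"


# Constructed delivery: one user still in our system, one who deleted the app.
SAMPLE_BODY = json.dumps([
    {"collectionType": "activities", "date": "2020-01-01", "ownerId": "USER01",
     "ownerType": "user", "subscriptionId": "USER01-activities"},
    {"collectionType": "activities", "date": "2020-01-01", "ownerId": "USER02",
     "ownerType": "user", "subscriptionId": "USER02-activities"},
]).encode()

if __name__ == "__main__":
    sig = compute_signature(SAMPLE_BODY, CLIENT_SECRET)
    print(handle_webhook(SAMPLE_BODY, sig, CLIENT_SECRET, KNOWN_USERS))
    print(handle_webhook(SAMPLE_BODY, "bogus", CLIENT_SECRET, KNOWN_USERS))
```

The orphan list is the part that matters operationally: it turns "thousands of notifications a day for unknown users" into a bounded set of subscription ids to delete, and it gives the receiver a cheap early exit (verify, look up, return) instead of doing work for users who are gone.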



Hi John,


I'm suspecting the problem might be related to your access token/refresh tokens getting out of sync with what you have in your database.   If a user revokes consent to your application, we should automatically delete the subscription for you.  I'll send you a private message to see if we can find a solution for you.


Best,

Gordon

Gordon Crenshaw
Senior Technical Solutions Consultant
Fitbit Partner Engineering & Web API Support | Google

Hey Gordon,


Thanks for replying.  We definitely had a problem with refresh tokens getting out of sync due to concurrency mistakes.  We've got that under control.


The problem I'm describing is the inability to unsubscribe users from the webhook.  Users just delete our app, not realizing that this won't unsubscribe our service from the webhook calls.  We have no way to detect when users delete the app.  Oftentimes, their refresh token is already invalid anyway.


The result is that we receive thousands of webhook calls every day for Fitbit users that don't use our app/service.  This is always going to be a problem unless your API provides a way to unsubscribe users without their refresh tokens.


-- John
