06-05-2014 21:24
Fitbit requires API requests to be signed using OAuth 1.0a, as standardized in RFC 5849. We strongly encourage you to use an OAuth 1.0a library for your language and framework.
We have created a request token signature debugging tool. Twitter also has an excellent tutorial for creating an OAuth 1.0a signature.
If you need assistance generating a valid OAuth 1.0a signature, please provide the raw HTTP request you're sending to the Fitbit API and the base string that was signed. We cannot debug your application code.
06-10-2014 15:42
We have been experiencing this particular error much more frequently and the timing appears to be around the Heartbleed security update.
Users will authorize their account and their access token will work for a period of time, but then suddenly we'll start receiving this error. It doesn't appear to be affecting all users, but it has affected some of the same users repeatedly -- requiring them to reauthorize each time it happens.
{"errors":[{"errorType":"oauth","fieldName":"oauth_access_token","message":"Invalid signature or token 'XXXXXXXXXXXXX' or token 'XXXXXXXXXX'"}],"success":false}
Any ideas?
06-10-2014 16:00
One of the changes that we made after Heartbleed is that if a user re-authorizes, the old token/secret is expired and a new token/secret is generated. Previous to that, if a user re-authorized, they would get the same token/secret as they had before. Could that be what you are seeing?
06-10-2014 16:58
Yes, that's exactly the issue! Thank you.
We allow people to login to our site via Fitbit, but we've never needed to update the access token information after that login (since the access token was the same).
02-07-2015 04:14
Hi,
I use your tool to debug Fitbit API requests!
https://dev.fitbit.com/apps/oauthtutorialpage
This tool gives me a signature for a specific set of data, and the request via this tool sends me a good response (code 200). My app, with the same specific set of data, gives me the same signature, but when my app requests the Fitbit API I receive an error: "Invalid signature: eSLse4cwkoadGI0tgeTWiU/5sHY="!
The Fitbit tool and my application (the server) send the same request (same data and same signature), but I receive 2 different responses!
Can you help me?
Thanks!
02-07-2015 04:26
02-09-2015 19:29
The only possible reason for getting back "Invalid Signature" is that your signature is invalid. There is no way that there will be any other possible reason than this.
This also means that the request that is formed by Fitbit oauth Debug page and the request that your app generates are different.
03-05-2015 02:37
I have the same issue:
If I make a request right after the user authenticates the app, then everything's okay, I get the data.
Then I store the permanent token and token secret. When I try to reuse that token, I get Invalid Signature or token errors.
And I'm not the only one...
03-09-2015 07:16
Invalid token or signature means exactly what it says:
You have an invalid token OR/AND signature. There is no way that it can be something else.
Please use https://dev.fitbit.com/apps/oauthtutorialpage and see if you're able to make requests with this tool.
05-25-2015 04:35 - edited 05-25-2015 06:13
Invalid signature - This is what I get when I try to POST.
Everything works fine when I am trying to get user information etc, but fails when I try to use the log food service. Is there any read write permission that needs to be worked at? I have given read and write access information while creating the application.
This is happening on the Fitbit API debug tool page itself.
To be precise, my access token is: 4af46cce5fec5f14b317792da2864d93
Let me know if there is anything else I can provide.
05-26-2015 10:54
What exact error message are you getting back?
05-26-2015 20:41
HTTP/1.1 401 Unauthorized
Server: nginx
X-UA-Compatible: IE=edge,chrome=1
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-control: no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: JSESSIONID=2A3BE2E660C3BBC774C4B96E5CA6B186.fitbit1; Path=/; HttpOnly
WWW-Authenticate: OAuth realm="https%3A%2F%2Fapi006-g4.prod.dal05.fitbit.com"
Content-Type: application/json;charset=UTF-8
Content-Language: en
Content-Length: 140
Vary: Accept-Encoding
Date: Wed, 27 May 2015 03:40:13 GMT
{"errors":[{"errorType":"oauth","fieldName":"oauth_signature","message":"Invalid signature: qKbhjK/+KdqspCvlAGaOBxwwy9w="}],"success":false}
I am able to process the get request, and in this case I am using the same url as the API Explorer:
Is there anything I missed?
05-26-2015 22:12
Yes. You are signing your request wrong.
This is what the Fitbit response sends back to you.
There is no other reason in the world. It clearly says: "Invalid signature..."
05-26-2015 22:26
Thank you for your response.
This is the signature being created by the debug tool. Do you mean to suggest that the API URL that is being passed has issues? That is the only parameter changing, because as I mentioned that GET user info method worked fine.
05-27-2015 14:55
Please read this page: https://wiki.fitbit.com/display/API/OAuth+1.0a+Authentication
It may take time to understand it and get it right, but it has all the information that you need to generate a signature, and I'd say understanding this page is required so you can make proper Fitbit API requests. All OAuth 1.0a signatures are built according to the rules described here: http://tools.ietf.org/html/rfc5849#section-3.4
You can play with the Fitbit debug tool more as well. Try changing different values and see if the signature changes or not depending on the values that you change.
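Added example (not part of the thread and not Fitbit's code): the RFC 5849 section 3.4 HMAC-SHA1 rules referenced above, written out in Python to show that the HTTP method, form-encoded body parameters and the token secret all feed the signature. The URI, keys, secrets and body fields are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(value: str) -> str:
    """RFC 5849 section 3.6 encoding: only unreserved characters stay literal."""
    return quote(value, safe="-._~")


def base_string(method, base_uri, params):
    """Signature base string (section 3.4.1).

    params: decoded (name, value) pairs from the query string, the
    form-encoded body and the oauth_* fields, without oauth_signature.
    """
    encoded = sorted((pct(k), pct(v)) for k, v in params)  # by name, then value
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_uri), pct(normalized)])


def sign(method, base_uri, params, consumer_secret, token_secret):
    """HMAC-SHA1 signature (section 3.4.2), base64-encoded."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    text = base_string(method, base_uri, params).encode()
    return base64.b64encode(hmac.new(key, text, hashlib.sha1).digest()).decode()


# Constructed sample values; none come from the thread or from Fitbit.
URI = "https://api.example.com/1/resource.json"
OAUTH = [
    ("oauth_consumer_key", "ck-constructed"),
    ("oauth_token", "tok-constructed"),
    ("oauth_signature_method", "HMAC-SHA1"),
    ("oauth_timestamp", "1432697000"),
    ("oauth_nonce", "n0nce"),
    ("oauth_version", "1.0"),
]
BODY = [("name", "apple pie"), ("amount", "1.5")]  # form-encoded POST fields

sig_get = sign("GET", URI, OAUTH, "cs-constructed", "ts-old")
sig_post = sign("POST", URI, OAUTH + BODY, "cs-constructed", "ts-old")
sig_post_no_body = sign("POST", URI, OAUTH, "cs-constructed", "ts-old")
sig_new_secret = sign("GET", URI, OAUTH, "cs-constructed", "ts-new")

if __name__ == "__main__":
    print(base_string("POST", URI, OAUTH + BODY))
    print(sig_get, sig_post, sig_post_no_body, sig_new_secret)
```

All four signatures differ, so comparing the printed base string byte for byte against the one the server-side tool shows is the quickest way to find which input diverges.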
08-13-2015 18:30 - edited 08-14-2015 04:56
Hi,
Starting a few days ago, we started to receive the same error for some of our users: invalid signature or token "..." or token "...". But what is strange is that it started without any change in our code.
We have been using OAuth 1.0 since we started to use the Fitbit API, so there was no change in how we are doing the authentication and so on.
We really don't understand how come we suddenly started to receive this kind of error. Maybe there is still a problem on the Fitbit API end and not on the client's side.
We even tried the tool from https://dev.fitbit.com/apps/oauthtutorialpage with users' tokens and we receive the same error, so it's not our signature's fault.
I see that there are other devs having the same error, so at least if someone who already solved the problem can share the solution, if any. If not, then at least maybe someone from Fitbit can investigate a little bit why it is not working for some users but for others it is working.
Any response/help will be much appreciated.
Thank you,
Bogdan