Fitbit Developers oversee the SDK and API forums. We're here to answer questions about Fitbit developer tools, assist with projects, and make sure your voice is heard by the development team.
Fitbit requires API requests to be signed using OAuth 1.0a, as standardized in RFC 5849. We strongly encourage you to use an OAuth 1.0a library for your language and framework.
We have created a request token signature debugging tool. Twitter also has an excellent tutorial for creating an OAuth 1.0a signature.
If you need assistance generating a valid OAuth 1.0a signature, please provide the raw HTTP request you're sending to the Fitbit API and the base string that was signed. We cannot debug your application code.
We have been experiencing this particular error much more frequently and the timing appears to be around the Heartbleed security update.
Users will authorize their account and their access token will work for a period of time but then suddenly we'll start receiving this error. It doesn't appear to be affecting all users, but it has affected some of the same users repeatedly -- requiring them to reauthorize each time it happens.
{"errors":[{"errorType":"oauth","fieldName":"oauth_access_token","message":"Invalid signature or token 'XXXXXXXXXXXXX' or token 'XXXXXXXXXX'"}],"success":false}
Any ideas?
One of the changes that we made after Heartbleed is that if a user re-authorizes, the old token/secret is expired and a new token/secret is generated. Previous to that, if a user re-authorized, they would get the same token/secret as they had before. Could that be what you are seeing?
Yes, that's exactly the issue! Thank you.
We allow people to login to our site via Fitbit, but we've never needed to update the access token information after that login (since the access token was the same).
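Added example, not part of the original thread or Fitbit's code: a Python sketch of a client that overwrites the stored token/secret on every authorization callback and drops them when the API returns the `oauth_access_token` error quoted above. The `TokenStore` class, its method names and the returned action strings are hypothetical.

```python
import json

# Error bodies as they appear in this thread (token values already masked there).
TOKEN_ERROR = """{"errors":[{"errorType":"oauth","fieldName":"oauth_access_token","message":"Invalid signature or token 'XXXXXXXXXXXXX' or token 'XXXXXXXXXX'"}],"success":false}"""
SIGNATURE_ERROR = """{"errors":[{"errorType":"oauth","fieldName":"oauth_signature","message":"Invalid signature: qKbhjK/+KdqspCvlAGaOBxwwy9w="}],"success":false}"""


class TokenStore:
    """Hypothetical in-memory store; a real one would encrypt secrets at rest."""

    def __init__(self):
        self._creds = {}

    def on_authorized(self, user_id, token, secret):
        # Run on EVERY OAuth callback, not only the first login: after
        # re-authorization the previous pair is expired server-side.
        rotated = user_id in self._creds and self._creds[user_id] != (token, secret)
        self._creds[user_id] = (token, secret)
        return rotated

    def get(self, user_id):
        return self._creds.get(user_id)

    def invalidate(self, user_id):
        self._creds.pop(user_id, None)


def oauth_error_fields(status, body):
    """Return the set of fieldName values from a 401 OAuth error body."""
    if status != 401:
        return set()
    try:
        errors = json.loads(body)["errors"]
        return {e.get("fieldName") for e in errors if e.get("errorType") == "oauth"}
    except (ValueError, KeyError, TypeError, AttributeError):
        return set()


def handle_response(store, user_id, status, body):
    fields = oauth_error_fields(status, body)
    if "oauth_access_token" in fields:
        # Assumption: treat the stored pair as stale and send the user back
        # through authorization instead of retrying with it.
        store.invalidate(user_id)
        return "reauthorize"
    if "oauth_signature" in fields:
        return "check_signing"  # credentials kept; base string or key is suspect
    return "ok" if status < 400 else "error"
```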
Hi,
I use your tool to debug Fitbit API requests!
https://dev.fitbit.com/apps/oauthtutorialpage
This tool gives me a signature for a specific set of data, and the request via this tool sends me a good response (code 200)... My app with the same specific set of data gives me the same signature... but when my app requests the Fitbit API I receive an error: "Invalid signature: eSLse4cwkoadGI0tgeTWiU/5sHY="!
The Fitbit tool and my application (the server) send the same request (same data and same signature) but I receive 2 different responses!
Can you help me?
Thanks!
The only possible reason for getting back "Invalid Signature" is that your signature is invalid. There is no way that there will be any other possible reason than this.
This also means that the request that is formed by the Fitbit OAuth debug page and the request that your app generates are different.
I have the same issue:
If I make a request right after the user authenticates the app, then everything's okay, I get the data.
Then I store the permanent token and token secret. I'm trying to reuse that token, then I get Invalid Signature or token errors.
And I'm not the only one...
Invalid token or signature means exactly what it says:
You have an invalid token OR/AND signature. There is no way that it can be something else.
Please use https://dev.fitbit.com/apps/oauthtutorialpage and see if you're able to make requests with this tool.
Invalid signature - This is what I get when I try to POST.
Everything works fine when I am trying to get user information etc, but fails when I try to use the log food service. Is there any read write permission that needs to be worked at? I have given read and write access information while creating the application.
This is happening on the Fitbit API debug tool page itself.
To be precise my access token is: 4af46cce5fec5f14b317792da2864d93
Let me know if there is anything else I can provide.
What exact error message are you getting back?
HTTP/1.1 401 Unauthorized
Server: nginx
X-UA-Compatible: IE=edge,chrome=1
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-control: no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: JSESSIONID=2A3BE2E660C3BBC774C4B96E5CA6B186.fitbit1; Path=/; HttpOnly
WWW-Authenticate: OAuth realm="https%3A%2F%2Fapi006-g4.prod.dal05.fitbit.com"
Content-Type: application/json;charset=UTF-8
Content-Language: en
Content-Length: 140
Vary: Accept-Encoding
Date: Wed, 27 May 2015 03:40:13 GMT
{"errors":[{"errorType":"oauth","fieldName":"oauth_signature","message":"Invalid signature: qKbhjK/+KdqspCvlAGaOBxwwy9w="}],"success":false}
I am able to process the get request, and in this case I am using the same url as the API Explorer:
Is there anything I missed?
Yes. You are signing your request wrong.
This is what the Fitbit response sends back to you.
There is no other reason in the world. It clearly says: "Invalid signature..."
Thank you for your response.
This is the signature being created by the debug tool. Do you mean to suggest that the API URL that is being passed has issues? That is the only parameter changing, because as I mentioned that GET user info method worked fine.
Please read this page: https://wiki.fitbit.com/display/API/OAuth+1.0a+Authentication
It may take time to understand it and get it right, but it has all the information that you need to generate a signature, and I'd say understanding this page is required so you can make proper Fitbit API requests. All OAuth 1.0a signatures are built according to the rules described here: http://tools.ietf.org/html/rfc5849#section-3.4
You can play with the Fitbit debug tool more as well. Try changing different values and see if the signature changes or not depending on the values that you change.
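Added example, not part of the original thread or Fitbit's code: a Python sketch of the RFC 5849 section 3.4 signature base string and HMAC-SHA1 signature referenced above. It shows that form-encoded POST body parameters are part of what gets signed, so the same credentials yield a different signature when the body is left out; the endpoint, credentials and body parameter names are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def pct(value):
    # RFC 5849 section 3.6: only unreserved characters stay unencoded.
    return quote(value, safe="-._~")


def base_string(method, url, oauth_params, body_params=()):
    parts = urlsplit(url)
    # Section 3.4.1.2: lowercase scheme/host, drop default port and query.
    host = parts.hostname
    if parts.port and parts.port != {"http": 80, "https": 443}.get(parts.scheme):
        host += f":{parts.port}"
    base_uri = f"{parts.scheme}://{host}{parts.path or '/'}"
    # Section 3.4.1.3: query, oauth_* (except oauth_signature) and
    # form-encoded body parameters are all signed.
    params = parse_qsl(parts.query, keep_blank_values=True)
    params += [(k, v) for k, v in oauth_params if k != "oauth_signature"]
    params += list(body_params)
    encoded = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_uri), pct(normalized)])


def sign(base, consumer_secret, token_secret=""):
    # Section 3.4.2: key is encoded consumer secret, '&', encoded token secret.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


# Constructed sample values: not real credentials or a real endpoint.
OAUTH = [("oauth_consumer_key", "ck-example"), ("oauth_token", "tok-example"),
         ("oauth_signature_method", "HMAC-SHA1"),
         ("oauth_timestamp", "1432698013"), ("oauth_nonce", "n0nce")]
BODY = [("name", "Cafe latte"), ("amount", "1.5")]


def demo(url="https://api.example.test/log.json"):
    signed_with_body = sign(base_string("POST", url, OAUTH, BODY), "cs", "ts")
    signed_without = sign(base_string("POST", url, OAUTH), "cs", "ts")
    return signed_with_body, signed_without
```

When a server reports an invalid signature, comparing the client's base string byte for byte against one built this way usually locates the differing parameter or encoding.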
Hi,
Starting a few days ago we started to receive the same error for some of our users: invalid signature or token "..." or token "...". But what is strange is that it started without any change in our code.
We are using OAuth 1.0 since we started to use Fitbit API so no change of how we are doing the authentication and so on.
We really don't understand how come suddenly we started to receive this kind of error. Maybe there is still a problem on Fitbit API end and not on the clients side.
We even tried the tool from https://dev.fitbit.com/apps/oauthtutorialpage with user's tokens and we receive the same error, so it's not our signature's fault.
I see that there are other devs having the same error, so at least if someone who already solved the problem can share the solution, if any. If not, then at least maybe someone from Fitbit can investigate a little bit why it is not working for some users but for others it is working.
Any response/help will be much appreciated.
Thank you,
Bogdan