
Why am I getting invalid signature errors?

Hey,

 

I'm trying to POST to the api to set an alarm, but it always returns "Invalid signature". Get requests seem to work fine.

 

I've tried using:

 

- fitbit-passport - https://github.com/jaredhanson/passport-fitbit

- fitbit-js - https://github.com/smurthas/fitbit-js

- debug tutorial - https://dev.fitbit.com/apps/oauthtutorialpage

 

All of them work for authorizing and getting my user data, but won't even POST properly.

 

What can I provide that would be useful in debugging?

 

Thanks,

 

Matt

Best Answer
0 Votes
8 REPLIES 8

Since you're saying that your GET requests are working fine, I may guess that you hardcoded the request type in your signature generation, since the signature also takes the request type into account.

Basically, the signature is based on the base string + the token that it is signed with.

The first thing that goes in the base string is the request type.

Please check that when you're making POST requests you have your base string starting with "POST".

Also, the Fitbit debugging tool generates a CURL string for POST requests too and works fine. Please scroll to the bottom of the page, where you'll be able to generate CURL for any request you want; you just need to enter all required parameters.

Ivan Bahdanau
Senior Software Developer at Fitbit
Best Answer
0 Votes

The request type is set to POST on the debugging tool.

 

This is the string it's outputting:

 

curl -X POST -i -H 'Authorization: OAuth oauth_consumer_key="REMOVED", oauth_nonce="random%20string", oauth_signature="16iwpH1gWz%2FccLBhdwqk%2FSi6LBQ%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1416769459", oauth_token="01a5bb96b049562e9a5da4f79b6993bc", oauth_version="1.0"' https://api.fitbit.com/1/user/-/devices/tracker/REMOVED/alarms.json

 

Best Answer
0 Votes

So, after some debugging -- it seems like the POST to alarms.json is having issues,

 

I'm making 4 calls one after the other and these are the results:

 

GET - /user/-/devices.json - Works
POST - /user/-/profile.json - Works
GET - /user/-/devices/tracker/15715183/alarms.json - Works
POST - /user/-/devices/tracker/15715183/alarms.json - Error "Invalid signature: ols96xKstmJgxcq36qvLyI0jMiE="

At least now I know I can hit the API properly, but I'm not sure why I can't POST to the alarms url.

 

Best Answer
0 Votes

When you try to run this CURL from the command line, does it work?

Ivan Bahdanau
Senior Software Developer at Fitbit
Best Answer
0 Votes

No -- same error as before.

Best Answer
0 Votes

 

Please PM me the following things:

1) Your client(consumer) key

2) Your client(consumer) key secret

3) Your access token

4) Your access token secret

5) API request url.

Ivan Bahdanau
Senior Software Developer at Fitbit
Best Answer
0 Votes

OK, thanks for the provided information.

Two things:

1) The API request URL you sent to me does not begin with /1/...

you should be using this url:

https://api.fitbit.com/1/user/-/devices/tracker/*******/alarms.json

instead of this one:

https://api.fitbit.com/user/-/devices/tracker/*******/alarms.json

2) I tested those parameters that you sent with Fitbit API debug tool and everything worked.

I assume you're not entering parameters correctly on the Fitbit API debug page.

Please make sure that you pass required parameters to the API endpoint when you use POST method. Required parameters are listed here: https://wiki.fitbit.com/display/API/API-Devices-Add-Alarm

You can also pass those parameters as if they were GET parameters.

Please keep in mind that you need to escape the time value. So, for instance, for

time=00:00+00:00

you actually need to pass 

time=00%3A00%2B00%3A00

 

Ivan Bahdanau
Senior Software Developer at Fitbit
Best Answer
0 Votes
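The points raised in the replies above (request type at the start of the base string, the /1/ URL prefix, and the escaped time value) can be checked locally by rebuilding the OAuth 1.0a HMAC-SHA1 signature. This is an added example, not code from the thread or from Fitbit; the keys, secrets, nonce and TRACKER_ID are constructed placeholders.

```javascript
const nodeCrypto = require('crypto');

// Percent-encode per RFC 3986, as OAuth 1.0a (RFC 5849 section 3.6) requires.
function enc(s) {
  return encodeURIComponent(s).replace(/[!'()*]/g,
    (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}
const cmp = (a, b) => (a < b ? -1 : a > b ? 1 : 0);

// Signature base string: METHOD & enc(URL) & enc(sorted "k=v" pairs).
// `params` must hold the oauth_* values AND every POST/query parameter.
function baseString(method, url, params) {
  const pairs = Object.entries(params)
    .map(([k, v]) => [enc(k), enc(v)])
    .sort((a, b) => cmp(a[0], b[0]) || cmp(a[1], b[1]))
    .map(([k, v]) => `${k}=${v}`);
  return [method.toUpperCase(), enc(url), enc(pairs.join('&'))].join('&');
}

function sign(method, url, params, consumerSecret, tokenSecret) {
  const key = `${enc(consumerSecret)}&${enc(tokenSecret)}`;
  return nodeCrypto.createHmac('sha1', key)
    .update(baseString(method, url, params)).digest('base64');
}

// Constructed sample values (not real credentials or a real tracker id).
const URL_OK = 'https://api.fitbit.com/1/user/-/devices/tracker/TRACKER_ID/alarms.json';
const OAUTH = {
  oauth_consumer_key: 'sample-consumer-key',
  oauth_nonce: 'sample-nonce',
  oauth_signature_method: 'HMAC-SHA1',
  oauth_timestamp: '1416769459',
  oauth_token: 'sample-token',
  oauth_version: '1.0',
};
const BODY = { time: '00:00+00:00' }; // sent on the wire as time=00%3A00%2B00%3A00

// Signature of the correct request next to three mismatches discussed above.
function compare() {
  const s = (m, u, p) => sign(m, u, p, 'sample-consumer-secret', 'sample-token-secret');
  return {
    correct: s('POST', URL_OK, { ...OAUTH, ...BODY }),
    hardcodedGet: s('GET', URL_OK, { ...OAUTH, ...BODY }),
    bodyOmitted: s('POST', URL_OK, OAUTH),
    missingVersionPrefix: s('POST', URL_OK.replace('/1/', '/'), { ...OAUTH, ...BODY }),
  };
}

console.log(baseString('POST', URL_OK, { ...OAUTH, ...BODY }));
console.log(compare());
```

Each of the three mismatches produces a different signature from the one the server recomputes, which is what surfaces as "Invalid signature". Note that the time value appears double-encoded inside the base string (%253A, %252B) because the whole parameter string is encoded a second time.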

Hey,

 

Sorry about that -- I left off the https://api.fitbit.com/1/ because it's added automatically by fitbit-js.

 

How are you adding parameters to the POST request? I've tried a few different ways and can only seem to get it to POST via Postman.

 

Even if I copy the CURL request from postman -- I can't get it to work via the command-line. It still returns 

{"errors":[{"errorType":"oauth","fieldName":"oauth_signature","message":"Invalid signature: ZCvenS/XFZAOA8HW8mN6q+JMxDI="}],"success":false}

Would you be able to PM me a working curl request and I'll change the timestamp value?

Best Answer
0 Votes