Authentication failure while testing POST HTTP method

Hello,

I'm able to get success while I'm doing "Get Auth token" (REST Message generated to get auth tokens). I'm even getting success whenever I'm asked to refresh the token.

But I'm getting errors when I'm trying to test it via the HTTPS POST method in another REST Message which was created to call the get-token REST API.

PFB error detail:

Response: {"errors":[{"errorType":"invalid_grant","message":"Authorization code invalid: b862ed83249599c6bde21f3cf297f417a46a21e2 Visit xyz for more information on the Fitbit Web API authorization process."}],"success":false}

Error Message: Method failed: (/oauth2/token) with code: 400

Hi @TJYNWA

Welcome to the forums!

The error code and message you're seeing are associated with the authorization code you're using when exchanging it for an access token:

POST https://api.fitbit.com/oauth2/token
Authorization: Basic <Base64 clientId:clientSecret>
Content-Type: application/x-www-form-urlencoded
Content-Length: <payload size>

client_id=<clientId>&grant_type=authorization_code&redirect_uri=https%3A%2F%2Fexample.com%2Ffitbit_auth&code=1234567890

Please make sure that the authorization code is the same code you received from the user when they went through the consent flow. Additionally, you'll need to use the authorization code within 10 minutes, as it is only valid for this duration.

If this does not resolve the issue, please PM me your Client ID and I'll take a look at our logs.

I hope this helps!

Hello John,

Thanks so much for your valuable input.

I tried doing those steps within 10 minutes but it still didn't work.

PFB client ID details:

Client ID: 22BR5V

Hello John,

I got stuck at this point after I finished the refresh token steps.

@TJYNWA Thanks for providing me with your Client ID. After checking the logs, I can see that you were able to get an access token after authorization and that you used that access token successfully to fetch steps data.

Since you said you were encountering this error after you finished the refresh token steps, it sounds like you are using your auth code to refresh your access token. Please note that exchanging the authorization code for an access_token is intended only for users connecting to your app for the first time, or after they've previously revoked access to your app.

When your application redirects the user to the Fitbit authorization page, you'll receive an authorization code that you'll need to send back to Fitbit in exchange for an access_token and refresh_token pair using the access token request endpoint:

POST https://api.fitbit.com/oauth2/token
Authorization: Basic <Base64 clientId:clientSecret>
Content-Type: application/x-www-form-urlencoded

client_id=clientId&grant_type=authorization_code&redirect_uri=https%3A%2F%2Fexample.com%2Ffitbit_auth&code=1234567890

When the request is successful, meaning the authorization code you returned matches the one you received after user consent, you should receive an access_token and refresh_token like so:

{
    "access_token": "access_token",
    "expires_in": 28800,
    "refresh_token": "abcdef01234567890abcdef01234567890abcdef01234567890abcdef0123456",
    "token_type": "Bearer",
    "user_id": "user_id"
}

The access token you receive has an expiration of 28800 seconds (8 hours). When the access token expires, you need to use the refresh_token (not the authorization code) you received after exchanging the auth code. Use your refresh_token with the token refresh endpoint:

POST https://api.fitbit.com/oauth2/token
Authorization: Basic <Base64 clientId:clientSecret>
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token&refresh_token=abcdef01234567890abcdef01234567890abcdef01234567890abcdef0123456

A successful token refresh will return a new access_token and refresh_token pair. Once the new access token is used in an API call, the original refresh_token you used will become invalid and the new refresh_token you received will become the new active refresh token.

{
    "access_token": "access_token",
    "expires_in": 28800,
    "refresh_token": "b45173b54e50a9ed161499fa3446124fb9bdad455a270d90cdf5d526f3782381",
    "scope": "nutrition activity heartrate sleep location profile settings weight social",
    "token_type": "Bearer",
    "user_id": "user_id"
}

Can you make sure that you are storing your refresh_token along with your access_token and that you are using your refresh_token to get a new access_token/refresh_token pair? You can demo the authorization flow using the OAuth 2.0 tutorial found in your application settings to get a better understanding of how the authorization works.

Additional documentation for the Authorization Code Grant Flow can be found here: https://dev.fitbit.com/build/reference/web-api/oauth2/#authorization-code-grant-flow

I hope this helps. Let me know if you have additional questions.
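The reply above describes a state machine: the authorization code is single-use and expires after 10 minutes, the access token lives 28800 seconds, and each refresh rotates the refresh_token. The Python below is an added example written for this thread, not Fitbit's or ServiceNow's code. It simulates that endpoint offline and drives a small client token store through the exact mistakes discussed here (re-sending the code as a "refresh", using a code after 10 minutes, reusing a rotated refresh_token). The client id 22BR5V is the one posted above; the secret, token values, redirect URI and clock are constructed, and one simplification is labelled in the code: the old refresh_token is invalidated as soon as a new pair is issued, whereas the reply says the real service keeps it alive until the new access token is first used.

```python
import secrets
from types import SimpleNamespace

CODE_LIFETIME = 600        # authorization code is usable for 10 minutes (per the reply above)
ACCESS_LIFETIME = 28800    # expires_in from the sample response: 8 hours


def _error(status, error_type, message):
    # same shape as the 400 body quoted in the original post
    return status, {"errors": [{"errorType": error_type, "message": message}], "success": False}


class FakeTokenEndpoint:
    """Constructed stand-in for POST https://api.fitbit.com/oauth2/token (not Fitbit's code). Simplification:
    the old refresh_token dies the moment a new pair is issued, rather than when the new access token is first used."""

    def __init__(self, client_id, client_secret, clock):
        self.creds, self.clock = (client_id, client_secret), clock
        self.codes = {}      # code -> (user_id, issued_at); popped on first use, so a code can never be replayed
        self.refresh = {}    # refresh_token -> user_id; only the newest one per user survives

    def issue_code(self, user_id):
        # what the browser carries back to the redirect_uri after the user consents
        code = secrets.token_hex(20)
        self.codes[code] = (user_id, self.clock())
        return code

    def _pair(self, user_id):
        self.refresh = {rt: u for rt, u in self.refresh.items() if u != user_id}
        rt = secrets.token_hex(32)
        self.refresh[rt] = user_id
        return 200, {"access_token": secrets.token_urlsafe(32), "expires_in": ACCESS_LIFETIME,
                     "refresh_token": rt, "token_type": "Bearer", "user_id": user_id}

    def post(self, basic_auth, form):
        if basic_auth != self.creds:
            return _error(401, "invalid_client", "Invalid authorization header")
        grant = form.get("grant_type")
        if grant == "authorization_code":
            entry = self.codes.pop(form.get("code"), None)       # single use: any second exchange fails
            if entry is None:
                return _error(400, "invalid_grant", f"Authorization code invalid: {form.get('code')}")
            user_id, issued_at = entry
            if self.clock() - issued_at > CODE_LIFETIME:
                return _error(400, "invalid_grant", "Authorization code expired")
            return self._pair(user_id)
        if grant == "refresh_token":
            user_id = self.refresh.pop(form.get("refresh_token"), None)
            if user_id is None:
                return _error(400, "invalid_grant", "Refresh token invalid")
            return self._pair(user_id)
        return _error(400, "invalid_request", "Unsupported grant_type")


class TokenStore:
    """Client side: persists the newest access/refresh pair and never touches the authorization code again."""

    def __init__(self, endpoint, client_id, client_secret, redirect_uri, clock):
        self.endpoint, self.clock, self.redirect_uri = endpoint, clock, redirect_uri
        self.client_id, self.basic_auth = client_id, (client_id, client_secret)
        self.access_token, self.refresh_token, self.expires_at = None, None, 0.0

    def _call(self, form):
        # None on success, otherwise the errorType string from the error body
        status, body = self.endpoint.post(self.basic_auth, form)
        if status != 200:
            return body["errors"][0]["errorType"]
        self.access_token, self.refresh_token = body["access_token"], body["refresh_token"]
        self.expires_at = self.clock() + body["expires_in"]   # rotation: keep only the newest refresh_token
        return None

    def exchange_code(self, code):
        return self._call({"client_id": self.client_id, "grant_type": "authorization_code",
                           "redirect_uri": self.redirect_uri, "code": code})

    def refresh(self):
        return self._call({"grant_type": "refresh_token", "refresh_token": self.refresh_token})

    def bearer(self):
        # access token for an API call, refreshing first once the 8 hours are up
        if self.clock() >= self.expires_at and (err := self.refresh()):
            raise RuntimeError(f"refresh failed ({err}); send the user back through consent")
        return self.access_token


def walk_through():
    """Drives the flow against the fake endpoint; None means success, otherwise the errorType."""
    clock = SimpleNamespace(now=1_600_000_000.0)                        # fast-forwardable fake time
    server = FakeTokenEndpoint("22BR5V", "constructed-secret", lambda: clock.now)   # id from the thread, secret made up
    store = TokenStore(server, "22BR5V", "constructed-secret", "https://example.com/fitbit_auth", lambda: clock.now)
    code = server.issue_code("user_id")
    out = {"exchange": store.exchange_code(code)}
    first_access, first_refresh = store.access_token, store.refresh_token
    out["code_reused"] = store.exchange_code(code)                      # the thread's mistake: code used as a "refresh"
    clock.now += ACCESS_LIFETIME + 1                                      # access token has expired
    out["refresh_on_expiry"] = None if store.bearer() != first_access else "stale token kept"
    status, body = server.post(store.basic_auth, {"grant_type": "refresh_token", "refresh_token": first_refresh})
    out["stale_refresh_reused"] = body["errors"][0]["errorType"] if status != 200 else None
    late = server.issue_code("user_id")
    clock.now += CODE_LIFETIME + 1                                        # past the 10-minute window
    out["code_expired"] = store.exchange_code(late)
    return out
```

Running `walk_through()` gives `exchange` and `refresh_on_expiry` as None (success) and `invalid_grant` for the three misuse cases, which is the same errorType the original post received. The design point is in `TokenStore._call`: whatever the endpoint returns on success overwrites both tokens, so the code is consumed exactly once and the rotated refresh_token is the only one ever sent back.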

Hello John,

We were able to succeed with Get OAuth Token and the token is getting generated.

But I am receiving error 400 when I pass the code (parameter value) in the POST method's HTTP Query Parameters from the OAuth token window URL.

https://dev63841.service-now.com/api/x_fitbit/fitbitauth?code=4023555f49429f4b6f7eb2c3f587edbe995187...

Error shown as below:

[screenshot: TJYNWA_0-1589989060757.png]

Kindly suggest the resolution; I would be very grateful.

Basically I'm unable to get the response when I'm doing test runs on the HTTP POST method.

@TJYNWA I'm unable to see anything on the screenshot you attached. Perhaps you could provide me a link to view the screenshot's original size?


[screenshot: fitbit.PNG]

Apologies for the inconvenience. I have attached the file now. Let me know if there's anything else required here.

@TJYNWA I think I can see the issue here. It looks like you're passing the code as a query parameter instead of including it in the body of your POST request.

Your request needs to ensure the proper Authorization, Content-Type, and Content-Length headers are applied. The body of your request should contain the client_id, grant_type, redirect_uri, and code. It should look like this:

POST https://api.fitbit.com/oauth2/token
Authorization: Basic <Base64 clientId:clientSecret>
Content-Type: application/x-www-form-urlencoded
Content-Length: <payload size>

client_id=<client_id>&grant_type=authorization_code&redirect_uri=https%3A%2F%2Fexample.com%2Ffitbit_auth&code=1234567890

cURL:

# The Basic credential is the Base64 of "clientId:clientSecret".
# curl computes Content-Length from the --data body itself, so it is not passed by hand.
curl -i -X POST \
 -H 'Authorization: Basic <Base64 clientId:clientSecret>' \
 -H 'Content-Type: application/x-www-form-urlencoded' \
 --data "client_id=<client_id>" \
 --data "grant_type=authorization_code" \
 --data "redirect_uri=https%3A%2F%2Flocalhost" \
 --data "code=1234567890abcdefghijklmnop" \
 https://api.fitbit.com/oauth2/token

Can you ensure that you've applied the correct syntax to your HTTP request? Alternatively, I can check for you if you copy/paste your cURL request here. If you do, make sure to redact your basic token to protect your application's credentials from public view.
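The fix in the last reply comes down to where the parameters go and which headers accompany them. As an added example for this thread (not Fitbit's, ServiceNow's or the poster's code), the Python below builds both token requests the way the template above spells them out, with the Basic credential derived from "clientId:clientSecret" and every grant parameter form-encoded into the body, and then lints a prepared request against that template. `request_like_the_screenshot` is a constructed reproduction of the mistake described in the thread (code appended to the URL and absent from the body) so the linter has something to catch; the client id 22BR5V is from the thread, and the secret, code and redirect URI are placeholders.

```python
import base64
from urllib.parse import parse_qs, urlencode, urlsplit

TOKEN_URL = "https://api.fitbit.com/oauth2/token"
FORM = "application/x-www-form-urlencoded"
# body parameters each grant type needs, per the two request templates in the replies above
REQUIRED = {"authorization_code": {"client_id", "grant_type", "redirect_uri", "code"},
            "refresh_token": {"grant_type", "refresh_token"}}


def basic_auth_header(client_id, client_secret):
    """HTTP Basic value for the client credentials: base64 of 'clientId:clientSecret' (RFC 6749 section 2.3.1)."""
    raw = f"{client_id}:{client_secret}".encode("ascii")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def _request(client_id, client_secret, fields):
    body = urlencode(fields)        # percent-encodes redirect_uri exactly as in the sample body above
    return {"method": "POST", "url": TOKEN_URL, "body": body,
            "headers": {"Authorization": basic_auth_header(client_id, client_secret),
                        "Content-Type": FORM,
                        "Content-Length": str(len(body.encode("ascii")))}}


def build_code_exchange(client_id, client_secret, redirect_uri, code):
    """Request for the one-time exchange of the consent code; every parameter travels in the body."""
    return _request(client_id, client_secret, {"client_id": client_id, "grant_type": "authorization_code",
                                               "redirect_uri": redirect_uri, "code": code})


def build_refresh(client_id, client_secret, refresh_token):
    """Request for renewing an expired access token with the stored refresh_token."""
    return _request(client_id, client_secret, {"grant_type": "refresh_token", "refresh_token": refresh_token})


def lint_token_request(req):
    """Checks a prepared request against the template in the replies above; returns a list of problems."""
    problems = []
    if req["method"].upper() != "POST":
        problems.append(f"method is {req['method']}; the token endpoint takes POST")
    leaked = set(parse_qs(urlsplit(req["url"]).query)) & {"code", "refresh_token", "client_secret", "grant_type"}
    if leaked:
        problems.append(f"{sorted(leaked)} sent in the query string; move them into the body")
    headers = {k.lower(): v for k, v in req["headers"].items()}
    if not headers.get("authorization", "").startswith("Basic "):
        problems.append("missing Authorization: Basic <base64 clientId:clientSecret>")
    if headers.get("content-type") != FORM:
        problems.append(f"Content-Type must be {FORM}")
    form = parse_qs(req["body"], keep_blank_values=True)
    grant = form.get("grant_type", [None])[0]
    if grant not in REQUIRED:
        problems.append(f"unsupported or missing grant_type {grant!r}")
    else:
        missing = REQUIRED[grant] - set(form)
        if missing:
            problems.append(f"body is missing {sorted(missing)}")
    if "clientId" in form:
        problems.append("body uses clientId; the parameter name is client_id")
    length = headers.get("content-length")
    if length is not None and length != str(len(req["body"].encode("ascii"))):
        problems.append("Content-Length does not match the body")
    return problems


def request_like_the_screenshot(client_id, client_secret, code):
    """Constructed reproduction of the mistake discussed above: code appended to the URL, absent from the body."""
    req = build_code_exchange(client_id, client_secret, "https://example.com/fitbit_auth", code)
    req["url"] = f"{TOKEN_URL}?code={code}"
    req["body"] = urlencode({"client_id": client_id, "grant_type": "authorization_code",
                             "redirect_uri": "https://example.com/fitbit_auth"})
    req["headers"]["Content-Length"] = str(len(req["body"]))
    return req
```

`lint_token_request(build_code_exchange(...))` returns an empty list, while the reproduction yields two findings: the code in the query string and the body missing `code`. Keeping the secret out of the URL matters beyond correctness: query strings end up in proxy and server access logs, whereas the form body and the Authorization header normally do not.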