03-19-2019 17:49
- Mark as New
- Bookmark
- Subscribe
- Permalink
- Report this post
Hi,
I have an Android/iOS app and a web server, I would like to authenticate access to the Fitbit Web API from my app. (Eventually I'd like to be able to pass the authorization to the server so I can query the user's data from there, but to start I'm just trying to get the basic authentication working.)
I'm using AppAuth as my OAuth client on iOS.
The docs say: "Never put your client secret in distributed code, such as apps downloaded through an app store or client-side JavaScript. For client-based applications running on a device (e.g. smartphone, desktop, etc.) which don't use a web service, Authorization Code Grant Flow with Proof Key for Code Exchange (PKCE) is recommended for added security."
I initially tried to authenticate without using my client secret, but it failed; once I specified the client secret, it succeeded. However, the docs seem to say I should not use the client secret in an app, lest it be extracted from the binary. Am I missing something here? Is there a way to authenticate in an iOS/Android app without using the client secret?
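As an added illustration of the flow the quoted docs recommend (this is example code, not the poster's app, not AppAuth, and not Fitbit's code), the block below builds a PKCE authorization request and token request for a public client that holds no client secret, and pairs it with a constructed toy authorization server that performs the one check PKCE adds: at token exchange, SHA-256 of the presented `code_verifier` must match the `code_challenge` that was bound to the authorization code. The Fitbit endpoint URLs are assumptions taken from Fitbit's OAuth 2.0 documentation and should be verified against the current docs; client id, redirect URI and scope values are placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Assumed from Fitbit's OAuth 2.0 docs; verify against the current documentation.
AUTHORIZE_URL = "https://www.fitbit.com/oauth2/authorize"
TOKEN_URL = "https://api.fitbit.com/oauth2/token"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 64) -> str:
    """Random verifier, 43..128 chars of [A-Za-z0-9-._~] (RFC 7636 section 4.1).

    The verifier is generated per authorization attempt inside the app and never
    leaves the device until the token request, so nothing secret ships in the binary.
    """
    verifier = b64url(secrets.token_bytes(nbytes))
    if not 43 <= len(verifier) <= 128:
        raise ValueError("code_verifier length out of range")
    return verifier


def make_code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(client_id: str, redirect_uri: str, scope: str,
                        state: str, challenge: str) -> str:
    """Authorization request opened in the system browser / ASWebAuthenticationSession."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,                    # CSRF binding for the redirect back to the app
        "code_challenge": challenge,
        "code_challenge_method": "S256",   # never 'plain' when SHA-256 is available
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def build_token_request(client_id: str, redirect_uri: str, code: str, verifier: str) -> dict:
    """Form body POSTed to TOKEN_URL by a public client: client_id plus the verifier, no client_secret."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": verifier,
    }


class ToyAuthorizationServer:
    """Constructed stand-in for the authorization server, showing the server-side PKCE check."""

    def __init__(self) -> None:
        self._pending: dict = {}  # code -> (client_id, redirect_uri, code_challenge)

    def issue_code(self, client_id: str, redirect_uri: str, challenge: str) -> str:
        """Called after the user consents; binds the challenge to a single-use code."""
        code = secrets.token_urlsafe(24)
        self._pending[code] = (client_id, redirect_uri, challenge)
        return code

    def exchange(self, body: dict):
        """Return a token dict, or None when the request fails any check."""
        entry = self._pending.pop(body.get("code", ""), None)
        if entry is None:
            return None  # unknown, expired or already-used code (replay is rejected)
        client_id, redirect_uri, challenge = entry
        if body.get("client_id") != client_id or body.get("redirect_uri") != redirect_uri:
            return None
        expected = make_code_challenge(body.get("code_verifier", ""))
        if not secrets.compare_digest(expected, challenge):
            return None  # whoever holds only the intercepted code cannot produce the verifier
        return {"access_token": "constructed-access-token", "token_type": "Bearer"}


def run_flow(server: ToyAuthorizationServer, client_id: str = "PLACEHOLDER_CLIENT_ID",
             redirect_uri: str = "myapp://oauth/callback", scope: str = "activity heartrate"):
    """Full public-client round trip; returns (token_or_None, code, verifier)."""
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    state = secrets.token_urlsafe(16)
    _ = build_authorize_url(client_id, redirect_uri, scope, state, challenge)
    code = server.issue_code(client_id, redirect_uri, challenge)  # simulates the redirect back
    token = server.exchange(build_token_request(client_id, redirect_uri, code, verifier))
    return token, code, verifier


if __name__ == "__main__":
    srv = ToyAuthorizationServer()
    tok, _, _ = run_flow(srv)
    print("token issued:", tok is not None)
```

The point to take from the toy server is that the only secret the exchange depends on is the per-request verifier, which exists solely in the app's memory for the lifetime of one authorization attempt; an authorization server that still demands a client secret on this path is treating the app as a confidential client, which the quoted docs say a distributed app cannot be.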
03-19-2019 18:24