11-10-2025 03:00
Hi, I have a Fitbit integration that suddenly stopped working a few weeks ago. Nothing changed in the code. We use the same code with 3 other Fitbit integrations (dev/test/beta) and they still work; only 1 (prod!) doesn't.
The problem is at the last oauth2 step, the one when we call https://api.fitbit.com/oauth2/token to exchange the code with the user's tokens. We always get:
{
  "success": false,
  "errors": [
    {
      "errorType": "insufficient_permissions",
      "message": "API client is not authorized by Fitbit to access the resource requested. Visit https://dev.fitbit.com/docs/oauth2 for more information on the Fitbit Web API authorization process."
    }
  ]
}

We use the Authorization Code Grant Flow (without PKCE for now).
The app is set to use "OAuth 2.0 Application Type": Server (but we also tried Client and the problem is the same). The problem is also the same regardless of what scopes we request, or if we use the "state" parameter to prevent CSRF.
Any idea on what the problem could be?
Thanks.
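The token exchange described in the question, as an added example that is not part of the original post or of Fitbit's own code: it builds the authorization-code request to the https://api.fitbit.com/oauth2/token endpoint named above, adds the state check and PKCE pair the poster mentions, and classifies the error shape quoted in the question so that an `insufficient_permissions` response is not mistaken for a bad code or a scope problem. The Basic-auth client_id:client_secret scheme and form-encoded body are assumed from Fitbit's public OAuth 2.0 documentation; `invalid_grant` and `invalid_client` are standard RFC 6749 error codes, not values from this thread. Nothing is sent over the network.

```python
"""Added example (not from the thread): OAuth 2.0 authorization-code exchange against
Fitbit's token endpoint, with state/PKCE handling and a parser for the error response
quoted in the question. Offline: requests are built and responses parsed, not sent."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional, Tuple
from urllib.parse import urlencode

TOKEN_URL = "https://api.fitbit.com/oauth2/token"  # endpoint named in the question

# Constructed from the response body the poster quoted.
SAMPLE_ERROR = json.dumps({
    "success": False,
    "errors": [{"errorType": "insufficient_permissions",
                "message": "API client is not authorized by Fitbit to access the resource requested."}],
})

# What each errorType means for the integration (insufficient_permissions per the thread's
# answer; invalid_grant / invalid_client are standard RFC 6749 codes).
ERROR_ACTIONS = {
    "insufficient_permissions": "app-level authorization revoked by the vendor; check developer "
                                "account notices and contact Fitbit support with the Client ID",
    "invalid_grant": "authorization code expired or already used; restart the authorization flow",
    "invalid_client": "client_id/client_secret rejected; verify the credentials for this app",
}


def make_pkce_pair(verifier: Optional[str] = None) -> Tuple[str, str]:
    """Return (code_verifier, code_challenge) using the RFC 7636 S256 method."""
    if verifier is None:
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def state_matches(expected: str, received: str) -> bool:
    """Constant-time comparison of the state echoed back on the redirect (CSRF check)."""
    return hmac.compare_digest(expected.encode(), received.encode())


def build_token_request(client_id: str, client_secret: str, code: str,
                        redirect_uri: str, code_verifier: Optional[str] = None) -> dict:
    """Build the token-exchange request for a 'Server' app.
    Assumption: HTTP Basic with client_id:client_secret and a form-encoded body."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    if code_verifier:  # only when the authorize request carried a code_challenge
        body["code_verifier"] = code_verifier
    return {
        "url": TOKEN_URL,
        "headers": {"Authorization": f"Basic {creds}",
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode(body),
    }


def parse_token_response(raw: str) -> dict:
    """Classify a token-endpoint response body.
    Success: {'ok': True, 'tokens': {...}}.
    Failure: {'ok': False, 'error_types': [...], 'actions': [...]}."""
    data = json.loads(raw)
    if data.get("success") is False or "errors" in data:
        types = [e.get("errorType", "unknown") for e in data.get("errors", [])]
        actions = [ERROR_ACTIONS.get(t, "unexpected errorType; log the full body") for t in types]
        return {"ok": False, "error_types": types, "actions": actions}
    if "access_token" not in data:
        return {"ok": False, "error_types": ["malformed"], "actions": ["no access_token in body"]}
    return {"ok": True, "tokens": data}


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    req = build_token_request("CLIENT_ID_PLACEHOLDER", "CLIENT_SECRET_PLACEHOLDER",
                              "code-from-redirect", "https://example.com/callback", verifier)
    print(req["headers"]["Authorization"][:12], req["body"])
    print(parse_token_response(SAMPLE_ERROR))
```

The `actions` list is the useful part operationally: in the poster's situation every retry, scope change and app-type change produced the same `insufficient_permissions` body, which this classifier reports as a vendor-side authorization decision rather than something the integration can fix by re-running the flow.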
11-10-2025 15:17
Fitbit Developers oversee the SDK and API forums. We're here to answer questions about Fitbit developer tools, assist with projects, and make sure your voice is heard by the development team.
Thanks for sharing your question!
To proceed with our investigation, we will need a bit more information from you (such as your Client ID). I have just sent a separate email to your email. We will be moving our conversation to the issue tracker. Please reply to the email with the requested information, and we will continue our communication there.
Thank you!
Best Answer
11-25-2025 22:04 - edited 11-27-2025 23:05
Hi @michele.amati,
I believe @DorisFitbit has tried to reach you via issue tracker, as we might need some information to proceed investigating your issue.
However, I tried to search for similar questions by other developers and wanted to confirm with you -- have you received any emails from the Google Devices and Services Ecosystem Security Team noting a "developer email and company URL domain mismatch"?
If you did, you will need to follow the instructions they've provided. They disable the app's access to the APIs if the instructions weren't done even after sending follow-ups. Once you've completed the instructions, you can let us know via Issue Tracker with your Client ID, so that our team can check internally and have your app's access back.
Looking forward to your reply!