Thanks for getting back to me!

application type: Browser

authorization URL: 'https://www.fitbit.com/oauth2/authorize?response_type=code&client_id=${clientId}&redirect_uri=${enco...

syntax to convert authorization code to access token: 

onst authOptions = {
url: 'https://api.fitbit.com/oauth2/token',

method: 'POST',
headers: {
'Authorization': 'Basic ' + Buffer.from(clientId + ':' + clientSecret).toString('base64'),
'Content-Type': 'application/x-www-form-urlencoded'
},

Did you provide the body parameters in your https://api.fitbit.com/oauth2/token endpoint call?

Yes, I do that immediately below the code I pasted above: 

form: {

code: code,

grant_type: 'authorization_code',

redirect_uri: redirectUri,

code_verifier: codeVerifier

}

1. When you extract the authorization code from the redirect URL, are you getting the text as described in step 3 of this part of the documentation: https://dev.fitbit.com/build/reference/web-api/developer-guide/authorization/#Authorization-Code-Gra...

2. Have you verified that you are getting a new code for each authorization attempt, even for the same user?

I am getting a new code everytime for each authorization attempt, but in the callback URL, my authorization codes are longer than the 21 character code shown in step #3 of https://dev.fitbit.com/build/reference/web-api/developer-guide/authorization/#Authorization-Code-Gra....  The codes in my URL's are 40 characters long  

The 40 character code you're getting is correct.  We likely truncated the code to 21 characters since it is public documentation.

I'm going to email you directly to get some more information.