12-21-2020 07:29 - edited 12-21-2020 07:44
I have read through the following thread hoping to find an answer, but it seems from the responses that there is no solution.
https://community.fitbit.com/t5/Web-API-Development/Invalid-or-expired-refresh-tokens/td-p/1048159
I understand that the refresh token is a one-time usage thing. If our data retrieval service errors after the API call for whatever reason and fails to save the new refresh token, it sounds like we're then in a very painful place. From the above thread it sounds like there is no way to refresh the token again without the user disconnecting and reauthorising.
Is there any way to refresh a 'used' refresh token without the user having to re-authorise?
12-22-2020 15:49
Hi @BrentFit
When using the Authorization Code Grant Flow, you need to store the user's access token and refresh the token upon authorization. When the access token expires after 8 hours, your application should use the refresh token to obtain a new access token and refresh token pair. In order to minimize the user experience, your application will need to store the new access token and refresh token and discard the old refresh token from your database. That way, your application can use the new refresh token to obtain a new pair of tokens when the time comes.
There is no way to reuse an invalid refresh token after it has been used to obtain a new access token and refresh token pair. If your application loses the user's refresh token, they'll need to go through the authorization process again in order to obtain a new refresh token from the user.
If you haven't done so already, I recommend reviewing the Authorization Code Grant Flow documentation here: https://dev.fitbit.com/build/reference/web-api/oauth2/#authorization-code-grant-flow
I hope this helps. Let me know if you have any additional questions.
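An added example, not part of either post and not Fitbit's code: one way to handle the single-use refresh token discussed in this thread is to serialise refreshes and write the new pair to storage in one transaction before doing anything else. The `exchange` callable, the `tokens` table and `FakeEndpoint` are assumptions made for illustration; `exchange` stands in for the HTTP call to the token endpoint.

```python
import sqlite3
import threading
import time

_refresh_lock = threading.Lock()  # one refresh at a time per process

def open_store(path=":memory:"):
    db = sqlite3.connect(path, check_same_thread=False)
    db.execute("CREATE TABLE IF NOT EXISTS tokens (user_id TEXT PRIMARY KEY, "
               "access_token TEXT, refresh_token TEXT, expires_at REAL)")
    return db

def save_pair(db, user_id, resp, now):
    # Single transaction: the old refresh token is overwritten only
    # together with the new pair, never left half-updated.
    with db:
        db.execute("INSERT OR REPLACE INTO tokens VALUES (?, ?, ?, ?)",
                   (user_id, resp["access_token"], resp["refresh_token"],
                    now + resp["expires_in"]))

def get_access_token(db, user_id, exchange, now=None, skew=60):
    """exchange(refresh_token) -> dict is a hypothetical stand-in for the
    POST to the token endpoint; it returns the standard OAuth 2.0 fields."""
    now = time.time() if now is None else now
    with _refresh_lock:  # a single-use token must never be sent twice
        row = db.execute("SELECT access_token, refresh_token, expires_at "
                         "FROM tokens WHERE user_id = ?", (user_id,)).fetchone()
        if row is None:
            raise LookupError("no tokens stored: user must authorise first")
        access, refresh, expires_at = row
        if now < expires_at - skew:
            return access  # still valid, do not spend the refresh token
        resp = exchange(refresh)
        save_pair(db, user_id, resp, now)  # persist before any other work
        return resp["access_token"]

class FakeEndpoint:
    """Constructed stand-in for the token endpoint: each token works once."""
    def __init__(self, first):
        self.valid, self.n = first, 0

    def __call__(self, refresh_token):
        if refresh_token != self.valid:
            raise PermissionError("invalid or expired refresh token")
        self.n += 1
        self.valid = f"refresh-{self.n}"
        return {"access_token": f"access-{self.n}",
                "refresh_token": self.valid, "expires_in": 28800}  # 8 hours
```

The lock here only covers one process; a service with several workers needs the same exclusion at the database or queue level so two workers never spend the same refresh token.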

