help menu

Join us on the Community Forums!

  • Community Guidelines

    The Fitbit Community is a gathering place for real people who wish to exchange ideas, solutions, tips, techniques, and insight about the Fitbit products and services they love. By joining our Community, you agree to uphold these guidelines, so please take a moment to look them over.

  • Learn the Basics

    Check out our Frequently Asked Questions page for information on Community features, and tips to make the most of your time here.

  • Join the Community!

    Join an existing conversation, or start a new thread to ask your question. Creating your account is completely free, and takes about a minute.

Not finding your answer on the Community Forums?

Cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 

subscriber verification security

‎06-14-2022 10:10

‎06-14-2022 10:10

Hi, 

 

Ref the documentation here - https://dev.fitbit.com/build/reference/web-api/developer-guide/using-subscriptions/#Verifying-a-Subs...

 

How can I add security when carrying out the initial verification. Our security measures will not accept API requests without security?

 

Thanks!

Best Answer
Labels:
0 Votes
5 REPLIES 5

‎06-16-2022 08:59

‎06-16-2022 08:59

Hi @daiwilliams 

 

Does your organization have any specific security requirements that need to be implemented?   I might be able to provide suggestions.   One thing to note when verifying the subscriber, Fitbit is going to send you a correct and incorrect verification code.   If you don't receive the correct verification code, then your code should fail.   

Gordon Crenshaw
Senior Technical Solutions Consultant
Fitbit Partner Engineering & Web API Support | Google
Best Answer
0 Votes

‎06-16-2022 13:16

In response to Gordon-C

‎06-16-2022 13:16

Also, it might be possible you could apply the same security guidelines we offer for verifying notifications to verifying the subscriber.   See Subscriber Security.

Gordon Crenshaw
Senior Technical Solutions Consultant
Fitbit Partner Engineering & Web API Support | Google
Best Answer
0 Votes

‎06-18-2022 02:34 - edited ‎06-18-2022 02:55

In response to Gordon-C

‎06-18-2022 02:34 - edited ‎06-18-2022 02:55

Thanks @Gordon-C  , ok, so I have made some progress. The API to verify is able to be called via Postman with no issues with the correct response codes. To get around the security issue, I had to do the following ...

 

https://username:password@myurl/api/verify?verifycode

 

As opposed to ...

 

https://myurl/api/verify?verifycode

 

So this worked fine from postman with all scenarios working fine.

 

However, when used in the fitbit API console I get an error telling me my API "is not a valid URL".

 

Is there no way of passing in the security as headers or any other way to verify?

 

Thanks!

Best Answer
0 Votes

‎06-18-2022 02:55

In response to Gordon-C

‎06-18-2022 02:55

Just another note @Gordon-C I have also passed in the apikey within the URL in place of the username and password and this also works in postman, but doesn't allow me to use it within the fitbit app settings / API console. It says the URL is greater than 255 characters. 

 

I appreciate the other documentation around enhancing the security for subscriptions, but I am confused at the moment as this is fitbit calling my API just to verify.

 

Thanks

Best Answer
0 Votes

‎06-24-2022 12:29

In response to daiwilliams

‎06-24-2022 12:29

I've checked with the engineering team and it doesn't look like adding your credentials in the URL.  Also, the passing of URLs is not encrypted.  Passing the user id & password in the URL would not be very secure.   The best solution we can provide is the information here: https://dev.fitbit.com/build/reference/web-api/developer-guide/best-practices/#Subscriber-Security.

Gordon Crenshaw
Senior Technical Solutions Consultant
Fitbit Partner Engineering & Web API Support | Google
Best Answer