06-14-2022 10:10
Hi,
Ref the documentation here - https://dev.fitbit.com/build/reference/web-api/developer-guide/using-subscriptions/#Verifying-a-Subs...
How can I add security when carrying out the initial verification? Our security measures will not accept API requests without security.
Thanks!
06-16-2022 08:59
Hi @daiwilliams
Does your organization have any specific security requirements that need to be implemented? I might be able to provide suggestions. One thing to note when verifying the subscriber: Fitbit is going to send you a correct and an incorrect verification code. If you don't receive the correct verification code, then your code should fail.
06-16-2022 13:16
Also, it might be possible you could apply the same security guidelines we offer for verifying notifications to verifying the subscriber. See Subscriber Security.
06-18-2022 02:34 - edited 06-18-2022 02:55
Thanks @Gordon-C, OK, so I have made some progress. The API to verify is able to be called via Postman with no issues, with the correct response codes. To get around the security issue, I had to do the following ...
https://username:password@myurl/api/verify?verifycode
As opposed to ...
https://myurl/api/verify?verifycode
So this worked fine from Postman, with all scenarios working fine.
However, when used in the Fitbit API console I get an error telling me my API "is not a valid URL".
Is there no way of passing in the security as headers or any other way to verify?
Thanks!
06-18-2022 02:55
Just another note @Gordon-C: I have also passed in the API key within the URL in place of the username and password, and this also works in Postman, but it doesn't allow me to use it within the Fitbit app settings / API console. It says the URL is greater than 255 characters.
I appreciate the other documentation around enhancing the security for subscriptions, but I am confused at the moment, as this is Fitbit calling my API just to verify.
Thanks
06-24-2022 12:29
I've checked with the engineering team and it doesn't look like adding your credentials in the URL. Also, the passing of URLs is not encrypted. Passing the user id & password in the URL would not be very secure. The best solution we can provide is the information here: https://dev.fitbit.com/build/reference/web-api/developer-guide/best-practices/#Subscriber-Security.
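As an added example (not code from this thread, from Fitbit, or from any poster), a minimal Python subscriber endpoint that applies the two points raised above: the verification GET answers 204 only for the exact configured code and 404 for everything else, and notification POSTs are accepted only when the X-Fitbit-Signature header matches an HMAC-SHA1 of the raw body keyed with the client secret plus "&", the scheme described in the Subscriber Security documentation linked above. The verification code and client secret are constructed placeholders.

```python
import base64
import hashlib
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Constructed placeholder values: load the real ones from your secret store.
VERIFICATION_CODE = "EXAMPLE-VERIFICATION-CODE-FROM-APP-SETTINGS"
CLIENT_SECRET = "EXAMPLE-CLIENT-SECRET"


def handle_verify(query_string: str, expected_code: str) -> int:
    """Status code for Fitbit's verification GET (?verify=<code>).

    Fitbit probes with the correct code (must get 204) and with a wrong one
    (must get 404). A missing or repeated parameter is treated as wrong.
    """
    codes = parse_qs(query_string).get("verify", [])
    if len(codes) != 1:
        return 404
    # compare_digest keeps timing independent of where the codes differ.
    ok = hmac.compare_digest(codes[0].encode(), expected_code.encode())
    return 204 if ok else 404


def sign_notification(body: bytes, client_secret: str) -> str:
    """X-Fitbit-Signature scheme: base64(HMAC-SHA1(body)), key = secret + '&'."""
    key = (client_secret + "&").encode()
    return base64.b64encode(hmac.new(key, body, hashlib.sha1).digest()).decode()


def notification_signature_valid(body: bytes, header: str, client_secret: str) -> bool:
    """True only if the header matches the signature of the raw body."""
    expected = sign_notification(body, client_secret).encode()
    return hmac.compare_digest(expected, (header or "").encode())


class SubscriberHandler(BaseHTTPRequestHandler):
    def do_GET(self):  # verification handshake
        self.send_response(handle_verify(urlparse(self.path).query, VERIFICATION_CODE))
        self.end_headers()

    def do_POST(self):  # notification delivery
        body = self.rfile.read(int(self.headers.get("Content-Length", "0")))
        signature = self.headers.get("X-Fitbit-Signature", "")
        # Reject anything not signed with our secret; otherwise ack, then process asynchronously.
        ok = notification_signature_valid(body, signature, CLIENT_SECRET)
        self.send_response(204 if ok else 404)
        self.end_headers()

if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), SubscriberHandler).serve_forever()
```

The endpoint must still be served over HTTPS on a URL short enough for the app settings, since the code itself is the only shared secret in the handshake.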