
Do OAuth 1.0a user access tokens expire?

ANSWERED

OAuth 1.0a user access tokens do not expire. However, a user may revoke access to your application from their application settings page. Also, if a user re-authorizes your application, previously granted access tokens will be invalidated.

0 Votes
2 BEST ANSWERS

Accepted Solutions

The access token will never expire unless the user revokes access to your app.

Ivan Bahdanau
Senior Software Developer at Fitbit


@6hoursdaily: We have momentarily disabled new access token generation when the authorization has not changed (meaning, it has not been revoked by the user). You should use the Fitbit user id, not the access token, to identify a Fitbit user.

12 REPLIES

Is this a new behaviour? The old tokens did not use to expire when a user re-authorized an app. When did this change take effect?

 

0 Votes

The change has been in effect since the Heartbleed bug (http://heartbleed.com/) was discovered back in April 2014.

Ivan Bahdanau
Senior Software Developer at Fitbit

@JeremiahFitbit wrote:

OAuth 1.0a user access tokens do not expire.


I would like to confirm, is this quote still valid? I.e., if I am making a web service that requires our users to "link" their Fitbit accounts to our service via OAuth access tokens, can we ensure that the access token will last indefinitely without requiring re-authentication from the user?

0 Votes

The access token will never expire unless the user revokes access to your app.

Ivan Bahdanau
Senior Software Developer at Fitbit

Thank you!

0 Votes

Are you sure?

My tokens expire in one hour after the authentication.
I use my own Fitbit account so I know that I'm not revoking the access.

0 Votes

@freeubi wrote:

Are you sure?

My tokens expire in one hour after the authentication.
I use my own Fitbit account so I know that I'm not revoking the access.


Sounds like you're not doing the final access token exchange and you're using your request token.

0 Votes

Nope, I'm doing all the steps; I exchange the first tokens for the permanent token.

0 Votes

It's 100% given that tokens once issued currently are ONLY expired when the user revokes access.

If you are somehow observing that your tokens are expiring, there is probably something wrong with the OAuth 1.0a flow you're implementing.

The temporary tokens expire in approximately 24 hours, though, but I guess you were talking about permanent access tokens.

Ivan Bahdanau
Senior Software Developer at Fitbit
0 Votes

Hi guys, wondering if this still holds true:


@JeremiahFitbit wrote:

OAuth 1.0a user access tokens do not expire. However, a user may revoke access to your application from their application settings page. Also, if a user re-authorizes your application, previously granted access tokens will be invalidated.


I've tried re-authorizing my Fitbit account under the same application and both authentications seem to return the same user access tokens.

 

The problem is that with both authentications active in my system (and potentially many more authentications if the scenario is recreated multiple times), my system hits the Fitbit API multiple times given each authentication remains valid, making it hit the user's rate limit.

 

Thanks!

0 Votes

@6hoursdaily: We have momentarily disabled new access token generation when the authorization has not changed (meaning, it has not been revoked by the user). You should use the Fitbit user id, not the access token, to identify a Fitbit user.
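
Added example (not part of the original thread and not Fitbit's code): one way to follow the advice above is to key stored credentials on the Fitbit user id, so a re-authorization overwrites the existing record instead of creating a second one that gets polled and counted against the user's rate limit. The table name, function names and sample values are hypothetical, and how the user id is read from the authorization response is left outside the example.

```python
import sqlite3

def open_store():
    """In-memory store holding exactly one row per Fitbit user id."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE fitbit_link ("
        " fitbit_user_id TEXT PRIMARY KEY,"   # identity is the user id, never the token
        " oauth_token TEXT NOT NULL,"
        " oauth_token_secret TEXT NOT NULL,"
        " active INTEGER NOT NULL DEFAULT 1)"
    )
    return db

def save_authorization(db, fitbit_user_id, token, secret):
    """Record a completed authorization; a re-authorization replaces the old row."""
    db.execute(
        "INSERT OR REPLACE INTO fitbit_link VALUES (?, ?, ?, 1)",
        (fitbit_user_id, token, secret),
    )

def mark_revoked(db, fitbit_user_id):
    """Call when the API rejects the stored token, e.g. the user revoked access."""
    db.execute(
        "UPDATE fitbit_link SET active = 0 WHERE fitbit_user_id = ?",
        (fitbit_user_id,),
    )

def users_to_sync(db):
    """One entry per linked user, so each user is polled once per sync cycle."""
    rows = db.execute(
        "SELECT fitbit_user_id FROM fitbit_link WHERE active = 1 ORDER BY fitbit_user_id"
    )
    return [r[0] for r in rows]

def demo():
    db = open_store()
    # Constructed sample values, not real Fitbit ids or tokens.
    save_authorization(db, "USER_A", "tok-1", "sec-1")
    save_authorization(db, "USER_A", "tok-1", "sec-1")  # re-authorized, same token returned
    save_authorization(db, "USER_B", "tok-2", "sec-2")
    after_reauth = users_to_sync(db)
    mark_revoked(db, "USER_B")                           # user revoked access
    return after_reauth, users_to_sync(db)

if __name__ == "__main__":
    print(demo())
```
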


Do oauth1-tokens still not expire? Are there plans to change this behaviour in the future?

0 Votes