10 hours ago - last edited 10 hours ago
We're encountering a persistent issue when calling the Fitbit Web API to write weight data using the endpoint:
`POST /1/user/-/body/log/weight.json`
Starting from the evening of **May 20, 2025**, this call consistently returns `403 Forbidden`. Before that, it had been working reliably for months.
---
**Platform & Scope Info:**
- Client ID: 22C4KQ
- App Type: Server (recently changed from Client)
- OAuth Flow: Authorization Code Grant (server-side)
- Affected Platforms: Both iOS and Android
- Token Scopes Granted: SETTINGS=READ_WRITE, PROFILE=READ_WRITE, WEIGHT=READ_WRITE, ACTIVITY=READ_WRITE
Token introspection confirms all scopes are active.
---
**What's Working (Confirmed):**
- Reading weight data via GET /body/log/weight.json
- Writing steps, calories, and distance data (via /activities.json)
- Reading profile, activity, and settings
- Fitbit user account is functional with other third-party Fitbit apps (writing weight still works there)
**What’s Not Working:**
- Only `POST /body/log/weight.json` returns 403 Forbidden, even with proper request body and valid token
---
**Hypothesis:**
We suspect Fitbit recently added additional restrictions to writing sensitive health data (such as weight) based on app identity (e.g. client_id-level policy). Our app may now require whitelisting or explicit approval.
---
**Request for Assistance:**
1. Was there a recent backend policy change affecting `/body/log/weight.json`?
2. Does our app now require additional authorization to write sensitive data like weight?
3. What is the formal procedure to apply for this level of access?
Any guidance is appreciated. This feature had been functioning as expected until May 20.
Thank you!
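A small triage helper for the situation described above, added here as an example and not part of the original post: it builds the weight-log POST, parses the scope string that Fitbit's token introspection returns (the `{WEIGHT=READ_WRITE, ...}` form quoted in the post), and separates a token-scope problem from a 403 that occurs despite a correct scope. The introspection and error-body samples are constructed, and the `errorType` values used in them are assumptions, not documented Fitbit values.

```python
import re
import urllib.parse
import urllib.request

WEIGHT_LOG_URL = "https://api.fitbit.com/1/user/-/body/log/weight.json"
INTROSPECT_URL = "https://api.fitbit.com/1.1/oauth2/introspect"


def build_weight_log_request(access_token, weight_kg, date, time):
    """Build the form-encoded POST used to log a weight entry (not sent here)."""
    body = urllib.parse.urlencode(
        {"weight": weight_kg, "date": date, "time": time}).encode()
    return urllib.request.Request(
        WEIGHT_LOG_URL, data=body, method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/x-www-form-urlencoded"})


def parse_scopes(scope_field):
    """Turn an introspection scope string like '{WEIGHT=READ_WRITE, ...}'
    into a dict of scope name -> access level."""
    return dict(re.findall(r"(\w+)=(READ_WRITE|READ)", scope_field))


def diagnose_403(introspection, status, error_body):
    """Classify a failed weight write from the introspection result,
    the HTTP status and the parsed JSON error body (may be None)."""
    if not introspection.get("active"):
        return "token_inactive"
    scopes = parse_scopes(introspection.get("scope", ""))
    if scopes.get("WEIGHT") != "READ_WRITE":
        # Client-side check: re-consent with the weight scope is needed.
        return "weight_write_scope_missing"
    errors = (error_body or {}).get("errors", [])
    error_types = {e.get("errorType") for e in errors}
    if status == 403 and "insufficient_scope" in error_types:
        # Server disagrees with introspection: token was issued for other scopes.
        return "server_reports_insufficient_scope"
    if status == 403:
        # Scope is correct yet write is refused: not fixable by re-consent,
        # record client_id, user_id and timestamp and escalate to support.
        return "app_level_restriction_suspected"
    return "not_a_403"
```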