OAuth 2.0 tutorial page

1: Authorize

- First, choose the type of flow your application will use. The implicit grant flow is for client-side applications that cannot keep a secret because they distribute their source code to the client (web apps, mobile apps). The authorization code flow is for server-side applications that can keep a secret. If possible, use the authorization code flow: both flows are secure, but it provides additional security. Flow type:
- Enter all of your application's relevant data below. You can find this data at dev.fitbit.com.
Fitbit URL:
Fitbit API URL:
OAuth 2.0 Client ID:
Client Secret:
Redirect URI:

- Choose below what user data you'd like to have access to. Select Scopes
- The default expiration times are 1 hour for the authorization code flow and 1 day for the implicit grant flow. The expiration time for the implicit grant flow can be set to certain values; see the docs for details. Expires In (ms):

- We've generated the authorization URL for you; all you need to do is click the link below:

1A Get Code

Copy and paste the code from the redirect URL after the user has clicked the "allow" button. Example: in http://localhost:8888/callback?code=7b64c4b088b9c841d15bcac15d4aa7433d35af3e#_=_, the code you need to paste is 7b64c4b088b9c841d15bcac15d4aa7433d35af3e. Don't include the “#_=_”.

2: Parse response

After the user consents and clicks the "allow" button, copy and paste the ending part of the URL, starting from the #. For instance, for the URL https://localhost/#_=_scope=nutrition&user_id=28GVHZ&token_type=Bearer&expires_in=593433&access_token=blablaToken copy and paste #scope=nutrition&user_id=28GVHZ&token_type=Bearer&expires_in=593433&access_token=blablaToken into the input field below.
If using the authorization code flow, paste below the response of the curl request that you made in the previous step (1A), and we will automatically parse it for you. If using the implicit grant flow, paste below the URL returned in step 1 after clicking on the authorization link.
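
The two redirect shapes from steps 1A and 2, parsed in code. This is an added example, not part of the original tutorial or Fitbit's own code: the function names are hypothetical, the sample URLs are the ones quoted above, and the `error` check assumes the standard OAuth 2.0 error response.

```javascript
// Added example; function names are hypothetical.
const DEBRIS = "_=_"; // the "#_=_" residue the tutorial says not to copy

// Step 1A: pull the authorization code out of the redirect URL.
function parseCodeRedirect(redirectUrl, registeredRedirectUri) {
  const url = new URL(redirectUrl);
  const registered = new URL(registeredRedirectUri);
  // Only accept a callback that landed on the Redirect URI entered in step 1.
  if (url.origin !== registered.origin || url.pathname !== registered.pathname) {
    throw new Error("redirect does not match the registered Redirect URI");
  }
  // Standard OAuth 2.0 error response (e.g. the user did not click "allow").
  const error = url.searchParams.get("error");
  if (error) throw new Error("authorization failed: " + error);
  // The URL parser keeps "#_=_" in url.hash, so it never reaches the code.
  const code = url.searchParams.get("code");
  if (!code) throw new Error("no code parameter in redirect URL");
  return code;
}

// Step 2 (implicit grant): parse the fragment, pasted alone or as a full URL.
function parseImplicitFragment(input) {
  const hashAt = input.indexOf("#");
  if (hashAt === -1) throw new Error("no URL fragment found");
  let fragment = input.slice(hashAt + 1);
  if (fragment.startsWith(DEBRIS)) fragment = fragment.slice(DEBRIS.length);
  const params = new URLSearchParams(fragment);
  const accessToken = params.get("access_token");
  const tokenType = params.get("token_type") || "";
  const expiresIn = Number(params.get("expires_in"));
  if (!accessToken || tokenType.toLowerCase() !== "bearer" ||
      !Number.isInteger(expiresIn) || expiresIn <= 0) {
    throw new Error("token response does not match the expected format");
  }
  return {
    accessToken,
    userId: params.get("user_id"),
    scopes: (params.get("scope") || "").split(/\s+/).filter(Boolean),
    expiresIn,
  };
}

// Sample inputs: the URLs quoted in the tutorial text.
console.log(parseCodeRedirect(
  "http://localhost:8888/callback?code=7b64c4b088b9c841d15bcac15d4aa7433d35af3e#_=_",
  "http://localhost:8888/callback"));
console.log(parseImplicitFragment(
  "https://localhost/#_=_scope=nutrition&user_id=28GVHZ&token_type=Bearer&expires_in=593433&access_token=blablaToken"));
```
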

3 Make Request

Finally, when you have an access token, you can start making requests. If you already had a token, you don't need to go through steps 2-3; just paste your token below and make sure you enter your app data in step 1. This tutorial only supports GET requests at the moment, but feel free to check out other types of requests in the docs on your own.
OAuth 2.0 Access Token:
API endpoint URL:

4 Refresh Token (when needed)

- If you followed the Authorization Code Flow, you were issued a refresh token. You can use your refresh token to get a new access token in case the one that you currently have has expired. Enter or paste your refresh token below. Also make sure you enter your data in sections 1 and 3, since it's used to refresh your access token. Refresh Token: