chevron down


The Authorization endpoints allow an application to onboard Fitbit users who want to share their data with the specified application. The application can initiate the consent flow for new users, obtain the access token and refresh tokens, validate the tokens, and revoke consent to the user.

Fitbit supports OAuth 2.0. The authorization models we support are Authorization Code Grant Flow, Authorization Code Grant Flow with PKCE and Implicit Grant Flow. We recommend Authorization Code Grant Flow with PKCE, and our examples demonstrate how to set it up. Client Credentials is supported but does not allow the retrieval of user data. It works only with the Fitbit Commerce APIs.

The endpoints available in this section are

  • Authorize initiates the OAuth 2.0 authorization flow by presenting the consent screen to the Fitbit user.
  • Client Credentials initiates the Client Credentials Grant flow. This authorization flow does not support retrieving Fitbit user data.
  • Introspect allows the application to retrieve the active state of an OAuth 2.0 token.
  • OAuth2 Token exchanges the authorization code for the initial access token and refresh token.
  • Refresh Token creates a new access token and refresh token for a user when the existing access token has expired.
  • Revoke Token disables a user's authorization and all associated tokens.