Client Credentials Grant Flow

The /oauth2/token endpoint can do the following:

  • Exchange the authorization code for the initial access token and refresh token (See OAuth2 Token).
    This process is required when using the Authorization Code Grant Flow [with PKCE].
  • Obtain a new access token and refresh token when the existing access token has expired (See Refresh Token).
  • Initiate the Client Credentials authorization flow (See Client Credentials).

Fitbit follows the OAuth 2.0 Client Credentials flow as specified in RFC 6749. This authorization flow is used with specific Fitbit API endpoints related to business operations. It is not supported by the public Web APIs to retrieve Fitbit user data.

The Client Credentials Grant flow has the following steps:

  1. The application sends a POST request to the /oauth2/token endpoint, identifying itself with its client_id and client_secret (sent as HTTP Basic credentials in the authorization header); and
  2. Fitbit authenticates your application and issues an access token.

No refresh token is issued in this flow; when the access token expires, the application simply requests a new one with the same client credentials.


POST /oauth2/token

Body Parameters

grant_type required The OAuth 2.0 grant type.
    Supported: client_credentials
    Type: string

[lifetime parameter; name missing from this page] optional Pre-select the desired access token lifetime, in seconds:
    3600 for 1 hour
    28800 for 8 hours
    86400 for 1 day
    604800 for 1 week
    2592000 for 30 days
    31536000 for 1 year
    Default: 28800
    Type: string

Request Headers

authorization required Must be set to Basic followed by a space, then the Base64 encoded string of your application's client id and secret concatenated with a colon. For example, the Base64 encoded string Y2xpZW50X2lkOmNsaWVudCBzZWNyZXQ= decodes to "client_id:client secret".
    Token type: Basic
accept optional The media type of the response content the client is expecting.
    Supported: application/json
accept-language optional The measurement unit system to use for response values. See Localization.
accept-locale optional The locale to use for response values. See Localization.

Example Request

Authorization: Basic <basic_token>
Content-Type: application/x-www-form-urlencoded

curl -X POST "" \
  -H "accept: application/json" \
  -H "authorization: Basic <basic_token>" \
  -d "grant_type=client_credentials"


Response Body

Element Name  Description
access_token  The active access token.
expires_in    The number of seconds until the access token expires.
scope         List of scopes granted to the access token.
token_type    Supported: Bearer

Example Response

{
    "access_token": "eyJhbGciOiJIUzI1...",
    "expires_in": 28800,
    "scope": "",
    "token_type": "Bearer"
}

Response Headers
content-type The media type of the response content being sent to the client.
Supported: application/json
fitbit-rate-limit-limit The quota number of calls.
fitbit-rate-limit-remaining The number of calls remaining before hitting the rate limit.
fitbit-rate-limit-reset The number of seconds until the rate limit resets.

Note: The rate limit headers are approximate and asynchronously updated. This means that there may be a minor delay in the decrementing of remaining requests. This could result in your application receiving an unexpected 429 response if you don't track the total number of requests you make yourself.
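The request and response described above, worked through end to end as an added example (this is not Fitbit's code or SDK): it builds the Basic authorization header exactly as the Request Headers section specifies, posts grant_type=client_credentials, validates the reply, converts expires_in into an absolute expiry and surfaces the fitbit-rate-limit-* headers so the caller can track its own quota. The HTTP transport is injectable, so the block runs offline against a constructed fake of the token endpoint. Assumptions not on this page: the host https://api.fitbit.com (the page shows only the path), the body field name expires_in for the optional token lifetime, and the sample rate-limit values and errorType strings in the fake's replies.

```python
import base64
import json
import time
import urllib.error
import urllib.parse
import urllib.request

# Assumption: the page shows only the path /oauth2/token; the host is not on the page.
TOKEN_URL = "https://api.fitbit.com/oauth2/token"
# Lifetimes the page lists for the optional access-token-lifetime parameter.
ALLOWED_LIFETIMES = (3600, 28800, 86400, 604800, 2592000, 31536000)
RATE_HEADERS = ("fitbit-rate-limit-limit", "fitbit-rate-limit-remaining", "fitbit-rate-limit-reset")


class TokenError(Exception):
    """Non-200 or malformed token response; carries the HTTP status and the API's errors list."""

    def __init__(self, status, errors):
        super().__init__(f"token request failed: HTTP {status}: {errors}")
        self.status, self.errors = status, errors


def build_basic_auth_header(client_id, client_secret):
    """'Basic ' + base64(client_id + ':' + client_secret), as the Request Headers section requires."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(client_id, client_secret, lifetime_seconds=None):
    """Return (headers, form_body). Assumption: the lifetime is sent as the body field
    'expires_in'; the page lists the allowed values but not the field name."""
    headers = {
        "authorization": build_basic_auth_header(client_id, client_secret),
        "accept": "application/json",
        "content-type": "application/x-www-form-urlencoded",
    }
    fields = {"grant_type": "client_credentials"}
    if lifetime_seconds is not None:
        if lifetime_seconds not in ALLOWED_LIFETIMES:
            raise ValueError(f"unsupported lifetime {lifetime_seconds}; allowed: {ALLOWED_LIFETIMES}")
        fields["expires_in"] = str(lifetime_seconds)
    return headers, urllib.parse.urlencode(fields)


def parse_token_response(status, headers, body, now=None):
    """Validate the reply and return the token with an absolute expiry plus the
    rate-limit headers, so the caller can track its own quota (see the Note above)."""
    now = time.time() if now is None else now
    rate = {name: headers.get(name) for name in RATE_HEADERS}
    try:
        data = json.loads(body.decode("utf-8")) if body else {}
    except ValueError:
        raise TokenError(status, ["response body is not JSON"])
    if status != 200:
        raise TokenError(status, data.get("errors", []))
    # Only accept a Bearer token that actually carries an access_token.
    if data.get("token_type") != "Bearer" or not data.get("access_token"):
        raise TokenError(status, ["missing access_token or token_type is not Bearer"])
    return {
        "access_token": data["access_token"],
        "expires_at": now + int(data["expires_in"]),
        "scope": data.get("scope", ""),
        "rate_limit": rate,
    }


def urllib_transport(url, headers, form_body):
    """Real HTTPS transport: returns (status, lower-cased headers, body bytes)."""
    req = urllib.request.Request(url, data=form_body.encode("ascii"), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}, err.read()


def request_token(transport, client_id, client_secret, lifetime_seconds=None, now=None):
    """Steps 1 and 2 of the flow: present the client credentials, receive an access token."""
    headers, form_body = build_token_request(client_id, client_secret, lifetime_seconds)
    status, resp_headers, body = transport(TOKEN_URL, headers, form_body)
    return parse_token_response(status, resp_headers, body, now)


def fake_fitbit_transport(url, headers, form_body):
    """Constructed stand-in for the token endpoint (sample data, not a real Fitbit reply):
    accepts one client_id:secret pair, otherwise answers 401 in the page's error shape."""
    fields = dict(urllib.parse.parse_qsl(form_body))
    rate = {"fitbit-rate-limit-limit": "150", "fitbit-rate-limit-remaining": "149", "fitbit-rate-limit-reset": "3599"}
    if headers.get("authorization") != build_basic_auth_header("client_id", "client secret"):
        err = {"errors": [{"errorType": "invalid_client", "message": "Invalid authorization header."}]}
        return 401, rate, json.dumps(err).encode()
    if fields.get("grant_type") != "client_credentials":
        err = {"errors": [{"errorType": "invalid_grant", "fieldName": "grant_type", "message": "unsupported grant_type"}]}
        return 400, rate, json.dumps(err).encode()
    lifetime = int(fields.get("expires_in", 28800))
    body = {"access_token": "eyJhbGciOiJIUzI1...", "expires_in": lifetime, "scope": "", "token_type": "Bearer"}
    return 200, rate, json.dumps(body).encode()


if __name__ == "__main__":
    token = request_token(fake_fitbit_transport, "client_id", "client secret", lifetime_seconds=3600)
    print("expires at", time.ctime(token["expires_at"]), "rate limit:", token["rate_limit"])
```

Because the client secret travels in every token request as Basic credentials, this flow belongs on a server the application operator controls; never ship the secret in a mobile or browser client. The fake transport rejects any credential pair other than the page's own "client_id:client secret" example with a 401, so calling request_token with a wrong secret raises TokenError, which is the failure path a real deployment needs to handle (alongside 429 when the rate limit is exhausted).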

Response Type

HTTP Status Code  The HTTP response code. The list of codes is in the Troubleshooting Guide.
Status Message    Description of the status code.
Response Body     The JSON response to the API call. When the call fails, the errorType, fieldName and message fields give more information about the cause of the failure.

Response Codes
200 A successful request.
400 The request had bad syntax or was inherently impossible to satisfy (for example, a missing or unsupported grant_type).
401 The request could not be authenticated: the Basic authorization header is missing, or the client_id and client_secret it carries were not accepted.

Note: For a complete list of response codes, please refer to the Troubleshooting Guide.