chevron down


Allows the application to retrieve the active state of an OAuth 2.0 token. This endpoint conforms to RFC 7662.


POST /1.1/oauth2/introspect

Body Parameters

The OAuth 2.0 token to retrieve the current state. Different from the access token used in the Authorization header, this token can be any access token.

Type: string

Request Headers
authorization required Specify the token type and Fitbit user’s access token.
Token type: Bearer
content-type required The original media type of the resource.
Supported: application/x-www-form-urlencoded
accept optional The media type of the response content the client is expecting.
Supported: application/json
accept-language optional The measurement unit system to use for response values. See Localization.
accept-locale optional The locale to use for response values. See Localization.

Authorization: Bearer <access_token>
Content-Type: application/x-www-form-urlencoded

token=<The OAuth 2.0 token to retrieve the state>
curl -X POST "" \
-H "authorization: Bearer <access_token> \"
-H "content-type: application/x-www-form-urlencoded" \
-d "token=<The OAuth 2.0 token to retrieve the state>"


Element Name Description
active Supported: true | false
scope States the scope and ability to read/write.
client_id The client ID for the granted application.
user_id The Fitbit user ID.
token_type Supported: access_token
exp The token's expiration date.
iat The token's issued date.
    "client_id":"<Client Id>",
    "user_id":"<User Id>",
    "exp":<expiration date>,
    "iat":<issued date>

{ "active": false }

Response Headers
content-type The media type of the response content being sent to the client.
Supported: application/json
fitbit-rate-limit-limit The quota number of calls.
fitbit-rate-limit-remaining The number of calls remaining before hitting the rate limit.
fitbit-rate-limit-reset The number of seconds until the rate limit resets.

Note: The rate limit headers are approximate and asynchronously updated. This means that there may be a minor delay in the decrementing of remaining requests. This could result in your application receiving an unexpected 429 response if you don't track the total number of requests you make yourself.

Response Type

HTTP Status Code HTTP response code. List of codes are found in the Troubleshooting Guide.
Status Message Description of the status code.
Response Body Contains the JSON response to the API call. When errors are returned by the API call, the errorType, fieldName and message text will provide more information to the cause of the failure.

Response Codes
200 A successful request.
400 The request had bad syntax or was inherently impossible to be satisfied.
401 The request requires user authentication.

Note: For a complete list of response codes, please refer to the Troubleshooting Guide.

Additional Information

Inactive tokens

When the introspect endpoint response returns "active = false", the token in parameter is not active.
RFC 7662 section 2.2 clearly states that the authorization server should not provide any more detail about the reason for the inactive token. However, it is common that inactive tokens have either expired or been revoked.