Refresh Token
chevron down

Refresh Token

The /oauth2/token endpoint can do the following:

  • Exchange the authorization code for the initial access token and refresh token (See OAuth2 Token).
    This process is required when using the Authorization Code Grant Flow.
  • Obtain a new access token and refresh token when the existing access token has expired (See Refresh Token).
  • Initiate the Client Credentials authorization flow (See Client Credentials).


POST /oauth2/token

Body Parameters

Supported: refresh_token

Type: string

The refresh token issued to you by Fitbit.

Type: string
required for client apps

This is your Fitbit API application ID from your settings on Apps set to type "client" should use this to pass their ID instead of the Authorization header.

Type: string

Specifies the desired access token lifetime.

28800 for 8 hours

Supported: 28800

Type: integer

Request Headers
authorization (For use with server apps only)

Must be set to Basic followed by a space, then the Base64 encoded string of your application's client id and secret concatenated with a colon. For example, the Base64 encoded string, Y2xpZW50X2lkOmNsaWVudCBzZWNyZXQ=, is decoded as "client_id:client secret".

Token type: Basic
accept optional The media type of the response content the client is expecting.
Supported: application/json
accept-language optional The measurement unit system to use for response values. See Localization.
accept-locale optional The locale to use for response values. See Localization.

App Type: Server
Authorization: Basic <basic_token>
Content-Type: application/x-www-form-urlencoded


App Type: Client
Content-Type: application/x-www-form-urlencoded

Application Type: Server
curl -X POST "" \
-H "accept: application/json" \
-H "authorization: Basic <basic_token>" \
-d "grant_type=refresh_token&refresh_token=<refresh_token>"

Application Type: Client
curl -X POST "" \
-H "accept: application/json" \
-d "client_id=<client_id>&grant_type=refresh_token&refresh_token=<refresh_token>"


Element Name Description
access_token The updated active access token.
expires_in the time the access token expires in seconds.
refresh_token the updated active refresh token.
token_type Supported: Bearer
user_id The Fitbit user ID associated with the access token and refresh token.
"access_token": "eyJhbGciOiJIUzI1...",
"expires_in": 28800,
"refresh_token": "c643a63c072f0f05478e9d18b991db80ef6061e...",
"token_type": "Bearer",
"user_id": "GGNJL9"

Response Headers
content-type The media type of the response content being sent to the client.
Supported: application/json
fitbit-rate-limit-limit The quota number of calls.
fitbit-rate-limit-remaining The number of calls remaining before hitting the rate limit.
fitbit-rate-limit-reset The number of seconds until the rate limit resets.

Note: The rate limit headers are approximate and asynchronously updated. This means that there may be a minor delay in the decrementing of remaining requests. This could result in your application receiving an unexpected 429 response if you don't track the total number of requests you make yourself.

Response Type

HTTP Status Code HTTP response code. List of codes are found in the Troubleshooting Guide.
Status Message Description of the status code.
Response Body Contains the JSON response to the API call. When errors are returned by the API call, the errorType, fieldName and message text will provide more information to the cause of the failure.

Response Codes
200 A successful request.
400 The request had bad syntax or was inherently impossible to be satisfied.
401 The request requires user authentication.

Note: For a complete list of response codes, please refer to the Troubleshooting Guide.

Additional Information

An access token intentionally is short lived. This is an important security mechanism of OAuth 2.0. When using the Authorization Code Grant Flow [with PKCE]. By default, the access tokens have an eight-hour lifetime.

When an access token expires, an HTTP 401 error will be returned.

  "errors": [
      "errorType": "expired_token",
      "message": "Access token expired: eyJhbGciOiJIUzI1NiJ9...."

At this point, your application needs to refresh the access token. The Fitbit API follows RFC6749 specification for refreshing access tokens. A refresh token does not expire until it is used. The refresh token can only be used once, as a new refresh token is returned with the new access token.

If the application makes identical refresh token requests within a two-minute period, the Fitbit Web API will return the same response. This is to assist applications unable to coordinate the refresh token flow between processes.

Alternatively, your application could redirect the user to the authentication flow. If the user is signed in and the scopes requested match the previously granted scopes, the user will be redirected to your redirect URL with a new access token without being prompted.