Revoke Token

Disables a user's authorization for an application. The revoke endpoint, given either the access token or the refresh token, removes the user's authorization and every token associated with it. This endpoint conforms to RFC 7009.

Revoking the access token or the refresh token has the same effect: when either is revoked, all tokens issued to that user for the application are revoked. If an application has multiple sessions for the same user (web, mobile, etc.), revocation ends all of them.

A revocation request can also be made for tokens issued to public clients. In that case the Authorization header is not used; instead, the public client's client_id and the token to revoke are passed as body parameters of the revocation request.


Request

POST /oauth2/revoke

Body Parameters

token (required)
The access_token or refresh_token to be revoked. For a public client, the access_token or refresh_token issued to that client.
Type: string

client_id (optional; for use with public clients only)
The public client's client_id.
Type: string

Request Headers

authorization (required; for use with server apps only)
Must be set to Basic followed by a space, then the Base64 encoded string of your application's client id and client secret concatenated with a colon. For example, the Base64 encoded string Y2xpZW50X2lkOmNsaWVudCBzZWNyZXQ= decodes to "client_id:client secret".
Token type: Basic

accept (optional)
The media type of the response content the client is expecting.
Supported: application/json

accept-language (optional)
The measurement unit system to use for response values. See Localization.

accept-locale (optional)
The locale to use for response values. See Localization.

Examples

Server application (HTTP):
POST https://api.fitbit.com/oauth2/revoke
Authorization: Basic <basic_token>
Content-Type: application/x-www-form-urlencoded

token=<access_token or refresh_token to be revoked>

Public client (HTTP):
POST https://api.fitbit.com/oauth2/revoke
Content-Type: application/x-www-form-urlencoded

client_id=<public_client_id>&token=<access_token or refresh_token to be revoked>

Server application (curl):
curl -X POST "https://api.fitbit.com/oauth2/revoke" \
-H "content-type: application/x-www-form-urlencoded" \
-H "Authorization: Basic <basic_token>" \
-d "token=<access_token or refresh_token to be revoked>"

Public client (curl):
curl -X POST "https://api.fitbit.com/oauth2/revoke" \
-H "content-type: application/x-www-form-urlencoded" \
-d "client_id=<public_client_id>&token=<access_token or refresh_token to be revoked>"


Response

Response Headers
content-type The media type of the response content being sent to the client.
Supported: application/json
fitbit-rate-limit-limit The quota number of calls.
fitbit-rate-limit-remaining The number of calls remaining before hitting the rate limit.
fitbit-rate-limit-reset The number of seconds until the rate limit resets.

Note: The rate limit headers are approximate and asynchronously updated. This means that there may be a minor delay in the decrementing of remaining requests. This could result in your application receiving an unexpected 429 response if you don't track the total number of requests you make yourself.

Response Type

HTTP Status Code HTTP response code. A list of codes is found in the Troubleshooting Guide.
Status Message Description of the status code.
Response Body Contains the JSON response to the API call. When errors are returned by the API call, the errorType, fieldName and message text will provide more information to the cause of the failure.

Response Codes
200 A successful request.
400 The request had bad syntax or was inherently impossible to be satisfied.
401 The request requires user authentication.

Note: For a complete list of response codes, please refer to the Troubleshooting Guide.

Additional Information

Revoked tokens

Users have granular control over read/write access to their data through the Fitbit Web API. When a user revokes consent to your application, their access token becomes invalid and your access to that user's data through the Web API is no longer available. What you do with the data that has already been collected should be clearly documented in your Terms of Service and Privacy Policy. Any guidelines or requirements defined by Fitbit will be specified in our Platform Terms of Service.

Revoking refresh tokens

When a /oauth2/revoke request is made with a refresh_token that is not present in our database, the service responds with HTTP status code 404 (NOT_FOUND). This signifies that the client can safely remove the corresponding refresh_token from its own storage, since the token is no longer valid on the server side, and gives clients a clear indication of the status of their refresh tokens. Note that this differs from RFC 7009 section 2.2, which specifies a 200 response for an unknown token; a client should therefore treat both 200 and 404 as "this token can no longer be used" and should not retry on a 404.
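The following Python example is added here and is not part of Fitbit's documentation or any Fitbit SDK. It ties together the two request shapes from the Examples section (Basic-authenticated server app versus public client sending client_id in the body) and the response handling described in this section: 200 and 404 both mean the local token copy can be deleted, 401 means the client credentials were rejected, and 429 means back off using fitbit-rate-limit-reset. The fake_fitbit transport, FAKE_SECRET and the rt-* token values are constructed stand-ins so the example runs offline; urllib_send is the real transport and is only used if you call revoke() without passing send.

```python
"""Added example: build and interpret Fitbit /oauth2/revoke calls (not Fitbit's own code)."""
import base64
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

REVOKE_URL = "https://api.fitbit.com/oauth2/revoke"
Transport = Callable[[str, Dict[str, str], str], Tuple[int, Dict[str, str]]]


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Authorization value for server apps: 'Basic ' + base64("client_id:client_secret")."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_revoke_request(token: str, client_id: str,
                         client_secret: Optional[str] = None) -> Tuple[Dict[str, str], str]:
    """Return (headers, form body) for one revoke call.

    Server apps (a secret is available) authenticate with the Basic header and
    send only `token`; public clients send no Authorization header and put
    `client_id` in the body instead, matching the two documented examples.
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    params = {"token": token}
    if client_secret is not None:
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    else:
        params["client_id"] = client_id
    return headers, urllib.parse.urlencode(params)


@dataclass
class RevokeResult:
    status: int
    token_gone: bool          # True: delete the local copy of the token
    reset_in: Optional[int]   # seconds until the rate limit resets, if reported
    note: str


def interpret_revoke_response(status: int, headers: Dict[str, str]) -> RevokeResult:
    """Map the documented status codes onto the client's next action.

    200: revoked on the server. 404: the refresh token is already unknown to
    Fitbit, so the local copy is stale and can be dropped too (the page
    documents 404 here where RFC 7009 would return 200). 401: the client
    credentials were rejected and the token is still live. 429: rate limited;
    honour fitbit-rate-limit-reset before retrying.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    reset = lower.get("fitbit-rate-limit-reset")
    reset_in = int(reset) if reset is not None else None
    if status in (200, 404):
        return RevokeResult(status, True, reset_in, "token revoked or already invalid; delete it locally")
    if status == 401:
        return RevokeResult(status, False, reset_in, "client authentication failed; token not revoked")
    if status == 429:
        return RevokeResult(status, False, reset_in, "rate limited; retry after the reset window")
    return RevokeResult(status, False, reset_in, f"unexpected status {status}; keep the token")


def urllib_send(url: str, headers: Dict[str, str], body: str) -> Tuple[int, Dict[str, str]]:
    """Real transport: POST the form body over HTTPS and return (status, headers)."""
    req = urllib.request.Request(url, data=body.encode("utf-8"), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:   # 4xx/5xx responses also carry rate-limit headers
        return err.code, dict(err.headers)


def revoke(token: str, client_id: str, client_secret: Optional[str] = None,
           send: Transport = urllib_send) -> RevokeResult:
    """Build the request, send it through `send`, and classify the reply."""
    headers, body = build_revoke_request(token, client_id, client_secret)
    status, resp_headers = send(REVOKE_URL, headers, body)
    return interpret_revoke_response(status, resp_headers)


# --- constructed stand-in for the Fitbit server so the example runs offline ---
FAKE_SECRET = "client secret"          # constructed; matches the doc's Base64 example
FAKE_LIVE_TOKENS = {"rt-live-0001"}    # constructed token values; anything else is "not in our database"
FAKE_HEADERS = {"fitbit-rate-limit-limit": "150", "fitbit-rate-limit-remaining": "149",
                "fitbit-rate-limit-reset": "3600"}


def fake_fitbit(url: str, headers: Dict[str, str], body: str) -> Tuple[int, Dict[str, str]]:
    """Mimics only what this page documents: the Basic credential check for server
    apps, 200 for a token the server holds, 404 for a refresh token it does not."""
    params = dict(urllib.parse.parse_qsl(body))
    expected = basic_auth_header("client_id", FAKE_SECRET)
    if "client_id" not in params and headers.get("Authorization") != expected:
        return 401, dict(FAKE_HEADERS)
    if params.get("token") in FAKE_LIVE_TOKENS:
        return 200, dict(FAKE_HEADERS)
    return 404, dict(FAKE_HEADERS)


if __name__ == "__main__":
    print(revoke("rt-live-0001", "client_id", FAKE_SECRET, send=fake_fitbit))   # 200, delete locally
    print(revoke("rt-old-0002", "client_id", FAKE_SECRET, send=fake_fitbit))    # 404, delete locally
    print(revoke("rt-old-0002", "pub-client", send=fake_fitbit))                # public client, no Basic header
```

The transport is injected so the same classification logic is exercised against the constructed server and against the real endpoint; swap `fake_fitbit` for the default `urllib_send` to make the live call. Because all of a user's tokens are revoked together, a caller that holds several tokens for one user should drop every one of them on a 200, not just the one it sent.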