Client Credentials

Client Credentials Grant Flow

Fitbit follows the OAuth 2.0 Client Credentials flow as specified in RFC 6749. Fitbit strongly recommends that you review the specification and use an OAuth 2 client library for your programming language.

The Client Credentials Grant flow has the following steps:

  1. Your application sends a request to https://api.fitbit.com/oauth2/token with its client_id and client_secret
  2. Fitbit authenticates your application and issues an access token

Resource URLs

POST https://api.fitbit.com/oauth2/token

Authorization Header

The Authorization header must be set to Basic, followed by a space, then the Base64-encoded string of your application's client id and secret joined by a colon. For example, the Base64-encoded string Y2xpZW50X2lkOmNsaWVudCBzZWNyZXQ= decodes to [client_id]:[client_secret].

Body Parameters

URI Parameter    Description

grant_type       Required. client_credentials
                 Type: string

expires_in       Optional. Specify the desired access token lifetime. Defaults to 28800.
                   3600 for 1 hour
                   28800 for 8 hours
                   86400 for 1 day
                   604800 for 1 week
                   2592000 for 30 days
                   31536000 for 1 year
                 Type: string
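
The token request described above, built but not sent, as an added example that is not Fitbit's own code. It assumes the form-encoded body that RFC 6749 specifies for token requests and treats the lifetimes listed in the table as the only accepted expires_in values; the helper names and sample credentials are constructed for illustration.

```python
import base64
import urllib.parse
import urllib.request

TOKEN_URL = "https://api.fitbit.com/oauth2/token"
# Lifetimes listed in the parameter table on this page (assumed exhaustive).
ALLOWED_EXPIRES_IN = {3600, 28800, 86400, 604800, 2592000, 31536000}


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Return 'Basic ' + Base64(client_id:client_secret)."""
    if ":" in client_id:
        # A colon in the id would make the decoded pair ambiguous.
        raise ValueError("client_id must not contain ':'")
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(client_id, client_secret, expires_in=None):
    """Build (but do not send) the POST request for the token endpoint."""
    params = {"grant_type": "client_credentials"}
    if expires_in is not None:
        if int(expires_in) not in ALLOWED_EXPIRES_IN:
            raise ValueError(f"unsupported expires_in: {expires_in!r}")
        params["expires_in"] = str(int(expires_in))  # documented type is string
    body = urllib.parse.urlencode(params).encode("ascii")
    return urllib.request.Request(
        TOKEN_URL,
        data=body,
        method="POST",
        headers={
            "Authorization": basic_auth_header(client_id, client_secret),
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )


def redact(req):
    """Header view that is safe to log: Base64 is reversible, so mask it."""
    return {k: ("Basic <redacted>" if k == "Authorization" else v)
            for k, v in req.header_items()}


if __name__ == "__main__":
    # Constructed sample values that reproduce the page's example string.
    req = build_token_request("client_id", "client secret", expires_in=3600)
    print(req.get_method(), req.full_url, req.data.decode())
    print(redact(req))
```

Because the Authorization value is only encoded, not encrypted, log the redacted view and load the real client_secret from a secret store rather than source code.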