Fitbit

Fitbit Authorization API

OAuth 2.0 authorization endpoints. Supports Authorization Code Grant with PKCE (recommended), Authorization Code Grant, Implicit Grant, and Client Credentials (for Fitbit Commerce APIs that do not retrieve user data). Tokens can be introspected, refreshed, or revoked.

GitHub OpenAPI

Documentation

📖
Documentation
https://dev.fitbit.com/build/reference/web-api/authorization/

Specifications

OpenAPI
https://raw.githubusercontent.com/api-evangelist/fitbit/refs/heads/main/openapi/fitbit-authorization-api-openapi.yml

OpenAPI Specification

fitbit-authorization-api-openapi.yml Raw ↑ 
openapi: 3.0.3
info:
  title: Fitbit Authorization API
  description: |
    OAuth 2.0 authorization endpoints for the Fitbit Web API. Fitbit supports
    Authorization Code Grant with PKCE (recommended for all clients),
    Authorization Code Grant, Implicit Grant, and Client Credentials (for
    Fitbit Commerce APIs that do not retrieve user data). Tokens can be
    introspected, refreshed, or revoked. New integrations should plan for
    migration to the Google Health API's Google OAuth 2.0 framework before the
    legacy Web API turndown in September 2026.
  version: '1'
  contact:
    name: Fitbit Developer
    url: https://dev.fitbit.com/build/reference/web-api/authorization/
servers:
- url: https://www.fitbit.com
  description: Authorization endpoint host
- url: https://api.fitbit.com
  description: Token, introspect, and revoke endpoint host
paths:
  /oauth2/authorize:
    get:
      summary: Authorize
      description: Initiates the OAuth 2.0 authorization flow by presenting the consent screen to the user.
      operationId: authorize
      servers:
      - url: https://www.fitbit.com
      parameters:
      - name: response_type
        in: query
        required: true
        schema:
          type: string
          enum: [code, token]
      - name: client_id
        in: query
        required: true
        schema:
          type: string
      - name: redirect_uri
        in: query
        required: true
        schema:
          type: string
      - name: scope
        in: query
        required: true
        schema:
          type: string
          description: Space-separated list of scopes.
      - name: code_challenge
        in: query
        schema:
          type: string
      - name: code_challenge_method
        in: query
        schema:
          type: string
          enum: [S256]
      - name: state
        in: query
        schema:
          type: string
      - name: prompt
        in: query
        schema:
          type: string
          enum: [consent, login, none, login consent]
      - name: expires_in
        in: query
        schema:
          type: integer
      responses:
        '302':
          description: Redirect to the redirect_uri with an authorization code.
  /oauth2/token:
    post:
      summary: Get Access Token
      description: Exchanges the authorization code for the initial access token and refresh token.
      operationId: getAccessToken
      servers:
      - url: https://api.fitbit.com
      requestBody:
        content:
          application/x-www-form-urlencoded:
            schema:
              type: object
              properties:
                grant_type:
                  type: string
                  enum: [authorization_code, refresh_token, client_credentials]
                code:
                  type: string
                client_id:
                  type: string
                redirect_uri:
                  type: string
                code_verifier:
                  type: string
                refresh_token:
                  type: string
      responses:
        '200':
          description: Access and refresh tokens issued.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TokenResponse'
  /1.1/oauth2/introspect:
    post:
      summary: Introspect Token
      description: Returns the active state and metadata for an OAuth 2.0 access token.
      operationId: introspectToken
      servers:
      - url: https://api.fitbit.com
      requestBody:
        content:
          application/x-www-form-urlencoded:
            schema:
              type: object
              properties:
                token:
                  type: string
      responses:
        '200':
          description: Token introspection result.
  /oauth2/revoke:
    post:
      summary: Revoke Token
      description: Disables a user's authorization and all associated tokens.
      operationId: revokeToken
      servers:
      - url: https://api.fitbit.com
      requestBody:
        content:
          application/x-www-form-urlencoded:
            schema:
              type: object
              properties:
                token:
                  type: string
      responses:
        '200':
          description: Token revoked.
components:
  schemas:
    TokenResponse:
      type: object
      properties:
        access_token:
          type: string
        expires_in:
          type: integer
        refresh_token:
          type: string
        scope:
          type: string
        token_type:
          type: string
          enum: [Bearer]
        user_id:
          type: string