
jmitchell38488/oauth2-fitbit
============================

OAuth 2.0 wrapper for the FitBit API using thephpleague OAuth 2.0 client

v0.1.3 (10y ago) · 5785 · [2 issues](https://github.com/jmitchell38488/oauth2-fitbit/issues) · MIT · PHP · PHP >=5.5.0

Since Nov 11 · Pushed 10y ago · 2 watchers

[Source](https://github.com/jmitchell38488/oauth2-fitbit) | [Packagist](https://packagist.org/packages/jmitchell38488/oauth2-fitbit)

FitBit OAuth 2.0 Provider
=========================


This package makes it simple to integrate your application with the [FitBit OAuth 2.0](https://dev.fitbit.com/docs/oauth2/) service provider.

Installation
------------

```
composer require jmitchell38488/oauth2-fitbit

```

Usage
-----

FitBit provides two different methods for authenticating with the OAuth 2.0 service, an [authorization grant flow](https://dev.fitbit.com/docs/oauth2/#authorization-code-grant-flow) and an [implicit grant flow](https://dev.fitbit.com/docs/oauth2/#implicit-grant-flow). The two flows require different configuration when instantiating the provider, and the implicit grant flow requires one less step.

FitBit also uses a different Authorization header than the one provided by the parent library. When a user authenticates with the FitBit 2.0 API, the request that generates the access token must set `Authorization: Basic`, and every subsequent request must also provide the Authorization header, but using `Bearer` instead of `Basic`.

Included in the package are three concrete provider classes and an abstract provider class. The abstract provider class provides shared functionality for the Authorization and Implicit implementations. The **FitBit** class extends the **Authorization** class, so you can use that instead of the **Authorization** class if you prefer. It is there for clarity when making authenticated requests. In any case, if you are supporting both the Implicit and Authorization grant flows, you will need to keep track of which one you've used to authenticate a session, since one will time out and can be refreshed, whereas the other will require the user to re-authorize once it has timed out.

Authorization Grant Flow
------------------------

#### Authenticate session

```
<?php
use Jmitchell38488\OAuth2\Client\Provider\FitBitAuthorization;
require_once __DIR__ . '/vendor/autoload.php';
session_start();

$provider = new FitBitAuthorization([
    'clientId'      => $my_client_id_from_fitbit,
    'clientSecret'  => $my_client_secret_from_fitbit,
    'redirectUri'   => $my_callback_url,
]);

// 1st step: Has the user authorised yet?
// Only start a new authorisation when there is neither a pending state nor stored tokens.
if (!isset($_SESSION['oauth2state']) && !isset($_SESSION['fitbit']['oauth2'])) {
    $authorizationUrl = $provider->getAuthorizationUrl([
        'prompt' => FitBitAuthorization::PROMPT_CONSENT,
        'response_type' => FitBitAuthorization::RESPONSETYPE_CODE,
        'scope' => $provider->getAllScope(),
    ]);

    // Set the session state to validate in the callback
    $_SESSION['oauth2state'] = $provider->getState();

    header('Location: ' . $authorizationUrl);
    exit;

// 2nd step: User has authorised, now let's get the refresh & access tokens.
// The state is compared with === so that PHP's loose string comparison
// cannot treat two different numeric-looking values as equal.
} else if (isset($_GET['state'], $_GET['code'], $_SESSION['oauth2state'])
    && $_GET['state'] === $_SESSION['oauth2state']
    && !isset($_SESSION['fitbit']['oauth2'])) {
    try {
        // Basic credentials (client id and secret) used for the token request
        $token = base64_encode(sprintf('%s:%s', $my_client_id_from_fitbit, $my_client_secret_from_fitbit));
        $accessToken = $provider->getAccessToken('authorization_code', [
            'code'  => $_GET['code'],
            'access_token' => $_GET['code'],
            'token' => $token,
        ]);

        // The state is single-use: discard it once the code has been exchanged
        unset($_SESSION['oauth2state']);
        $_SESSION['fitbit']['oauth2'] = array(
            'accessToken' => $accessToken->getToken(),
            'expires' => $accessToken->getExpires(),
            'refreshToken' => $accessToken->getRefreshToken(),
        );
    } catch (Exception $ex) {
        print $ex->getMessage();
    }

// 3rd step: Authorised, have tokens, but session needs to be refreshed
} else if (isset($_SESSION['fitbit']['oauth2']) && time() > $_SESSION['fitbit']['oauth2']['expires']) {
    try {
        $token = base64_encode(sprintf('%s:%s', $my_client_id_from_fitbit, $my_client_secret_from_fitbit));
        $accessToken = $provider->getAccessToken('refresh_token', [
            'grant_type'    => FitBitAuthorization::GRANTTYPE_REFRESH,
            'access_token'  => $_SESSION['fitbit']['oauth2']['accessToken'],
            'refresh_token'  => $_SESSION['fitbit']['oauth2']['refreshToken'],
            'token'         => $token,
        ]);

        unset($_SESSION['oauth2state']);
        // Replace the stored tokens with the refreshed set
        $_SESSION['fitbit']['oauth2'] = array(
            'accessToken' => $accessToken->getToken(),
            'expires' => $accessToken->getExpires(),
            'refreshToken' => $accessToken->getRefreshToken(),
        );
    } catch (Exception $ex) {
        print $ex->getMessage();
    }
}
```

Implicit Grant Flow
-------------------

#### Authenticate session

```
<?php
use Jmitchell38488\OAuth2\Client\Provider\FitBitImplicit;
require_once __DIR__ . '/vendor/autoload.php';
session_start();

$provider = new FitBitImplicit([
    'clientId'      => $my_client_id_from_fitbit,
    'clientSecret'  => $my_client_secret_from_fitbit,
    'redirectUri'   => $my_callback_url,
]);

// 1st step: Has the user authorised yet? Or do we need to refresh?
// Only start a new authorisation when there is neither a pending state nor a stored token.
if (!isset($_SESSION['oauth2state']) && !isset($_SESSION['fitbit']['oauth2'])) {
    $authorizationUrl = $provider->getAuthorizationUrl([
        'prompt' => FitBitImplicit::PROMPT_CONSENT,
        'response_type' => FitBitImplicit::RESPONSETYPE_TOKEN,
        'scope' => $provider->getAllScope(),
        'expires_in' => FitBitImplicit::EXPIRES_IN_DAY // This can be set to 1, 7 or 30 days
    ]);

    // Set the session state to validate in the callback
    $_SESSION['oauth2state'] = $provider->getState();

    header('Location: ' . $authorizationUrl);
    exit;

// 2nd step: User has authorised, now let's store the access token
// The return URL uses fragments, so you will need to implement front-end logic to redirect the
// user back to the server with the relevant information, since the URL will look like:
// my_callback_uri#scope=nutrition+weight+location+social+heartrate+settings+sleep+activity+profile&state=abcdef1234567890&user_id=ABC123&token_type=Bearer&expires_in=86400&access_token=abcdefghijklmnopqrstuvwxyz1234567890abcdefghijklmnopqrstuvwxyz1234567890abcdefghijklmnopqrstuvwxyz1234567890
// The state is compared with === so that PHP's loose string comparison
// cannot treat two different numeric-looking values as equal.
} else if (isset($_GET['state'], $_GET['access_token'], $_GET['expires_in'], $_SESSION['oauth2state'])
    && $_GET['state'] === $_SESSION['oauth2state']
    && !isset($_SESSION['fitbit']['oauth2'])) {
    // The state is single-use: discard it once the callback has been accepted
    unset($_SESSION['oauth2state']);
    $_SESSION['fitbit']['oauth2'] = array(
        'accessToken' => $_GET['access_token'],
        // expires_in is a lifetime in seconds; store an absolute timestamp,
        // matching what getExpires() provides in the authorization grant flow
        'expires' => time() + (int) $_GET['expires_in'],
        'refreshToken' => null,
    );
}
```
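
The front-end logic mentioned in the comments above could look like the following. This is an added example, not code from the oauth2-fitbit package: the function names are hypothetical, the fragment layout is taken from the sample URL in the comment, and it assumes the page served at the redirect URI is also the PHP callback.

```javascript
// Added example: front-end step for the implicit grant callback page.
// Function names are hypothetical and not part of oauth2-fitbit.
const REQUIRED = ['access_token', 'state', 'expires_in', 'token_type'];

// Parse "#a=b&c=d" into validated fields, or throw on malformed input.
function parseImplicitFragment(hash) {
  const params = new URLSearchParams(String(hash).replace(/^#/, ''));
  for (const key of REQUIRED) {
    // Reject missing or repeated parameters instead of picking one.
    if (params.getAll(key).length !== 1 || params.get(key) === '') {
      throw new Error('missing or repeated parameter: ' + key);
    }
  }
  if (params.get('token_type').toLowerCase() !== 'bearer') {
    throw new Error('unexpected token_type');
  }
  const expiresIn = Number(params.get('expires_in'));
  if (!Number.isInteger(expiresIn) || expiresIn <= 0) {
    throw new Error('expires_in is not a positive integer');
  }
  // Forward only what the server callback reads; the state itself is
  // verified server-side against the value stored in the session.
  return {
    access_token: params.get('access_token'),
    state: params.get('state'),
    expires_in: String(expiresIn),
  };
}

// Build the query string that the PHP callback above reads from $_GET.
function toCallbackQuery(fields) {
  return new URLSearchParams(fields).toString();
}

// Browser-only part: runs on the page served at the redirect URI.
if (typeof window !== 'undefined' && window.location.hash) {
  try {
    const query = toCallbackQuery(parseImplicitFragment(window.location.hash));
    // Drop the fragment from the address bar and history before navigating.
    window.history.replaceState(null, '', window.location.pathname);
    window.location.replace(window.location.pathname + '?' + query);
  } catch (err) {
    console.error('Rejected OAuth callback:', err.message);
  }
}
```

Because the callback above reads `$_GET`, the token travels in a query string and will appear in server access logs; a callback adapted to read `$_POST` avoids that.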

Making requests
---------------

The API endpoints can be found in either the [official API docs](https://dev.fitbit.com/docs) or the [API explorer](https://apigee.com/me3/embed/console/fitbit?apig_cc=1).

It's important to use the FitBit class instead of the grant flow classes, because the FitBit API requires the Bearer token in the Authorization header rather than the Basic token. If you don't use the FitBit class, the API will return a 401 Unauthorized error.

### To make a request

```
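// Assumption: FitBit lives in the same namespace as FitBitAuthorization and FitBitImplicit above
use Jmitchell38488\OAuth2\Client\Provider\FitBit;

// Create the provider first; the endpoint is built from its base API URL
$provider = new FitBit([
    'clientId'      => $my_client_id_from_fitbit,
    'clientSecret'  => $my_client_secret_from_fitbit,
    'redirectUri'   => $my_callback_url,
]);

$endpoint = $provider->getBaseApiUrl() . "user/-/profile." . FitBit::FORMAT_JSON;

// The FitBit class sends the stored access token as a Bearer token
$request = $provider->getAuthenticatedRequest(
    FitBit::METHOD_GET,
    $endpoint,
    $_SESSION['fitbit']['oauth2']['accessToken']
);

$response = $provider->getResponse($request);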
```
