How to import Fitbit data into WordPress Part 1: The authentication process

March 23, 2021

Fitbit is serious about security. (Or at least is complicated about security.) If your users have data on Fitbit that you want to bring into your WordPress MySQL database, there are a few non-intuitive hoops you need to jump through. I’ve broken this down into three parts. It is a convoluted process but once you are set up properly you will not have to do it again.

You’ll need a working Fitbit device that has been set up on the Fitbit.com web site and a passing familiarity with the Postman app. Have your Fitbit username and password handy. You will not be working on the regular Fitbit site. Instead go to dev.fitbit.com. If you are brave you can check out all the documentation including the Web API. But if you want the basics stick around.

Go to dev.fitbit.com/apps/new and start registering a new app. You can’t use Fitbit in the name of the app, and you do have to give a short description. For every box requesting a URL you have two choices. If you have a server running on your computer, just put in http://localhost. Otherwise you should be able to just enter the address of your web site (in my case, for example, https://www.dowling.ca).

The next screen should look like this. Copy and paste the Client ID and the Client Secret in a separate text file. You’ll need them in a bit. Click on the link: “OAuth 2.0 tutorial page”.

Once on the OAuth tutorial page, check the boxes for the data you want (activity, heart rate, settings, etc). Take note of the OAuth 2.0 Client ID and the Client Secret. Select “Authorization Code Flow” (circled). Click on the Authorization URL (also circled below).

Nearly there. When you click on the Authorization URL you should see a page like the one below. This is where the user gives the app permission to see the data. Check the “Allow All” box and click “Allow”.

If all goes well you should see a page like this. What the page itself shows is not important. Look at the address bar. Copy the code in the address bar between “code=” and “#_=_” (shown in blue below).

You now have three critical pieces of data: Client ID, Client Secret and a temporary authorization code. You need one more item before you can go further: a Base64 Authorization header. To make this you need to combine the Client ID with the Client Secret separated by a colon (ClientID:ClientSecret) and then encode it with Base64 encoding.

So it would look something like 22CCNG:71933c71bc79834ee43c0185bb20dc71

Go to https://www.base64encode.org/ and follow the instructions. In my example the result would be MjJDQ05HOjcxOTMzYzcxYmM3OTgzNGVlNDNjMDE4NWJiMjBkYzcx
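As an added example (not code from the original post), the following Python script does the two manual steps above locally: it pulls the temporary authorization code out of the redirect URL without the trailing “#_=_” fragment, and it builds the Base64 Authorization header from the Client ID and Client Secret so the secret never has to be pasted into a third-party web site. The Client ID and Client Secret are the post’s own sample values; the redirect URL and its code value are constructed placeholders, and the function names are mine.

```python
import base64
from urllib.parse import urlparse, parse_qs

# The post's own worked-example credentials (not real Fitbit credentials).
CLIENT_ID = "22CCNG"
CLIENT_SECRET = "71933c71bc79834ee43c0185bb20dc71"

# Constructed sample of the address-bar URL after clicking "Allow".
# The code value is a placeholder; "#_=_" is the fragment Fitbit appends.
SAMPLE_REDIRECT = "https://www.dowling.ca/?code=PLACEHOLDER_AUTH_CODE_0123456789#_=_"


def extract_auth_code(redirect_url: str) -> str:
    """Return the temporary authorization code from the redirect URL.

    Parsing the URL instead of copying by hand keeps the "#_=_" fragment out
    of the code, and raises if the provider sent an error (for example
    error=access_denied when the user clicks Deny) instead of a code.
    """
    parsed = urlparse(redirect_url)
    query = parse_qs(parsed.query)  # the fragment after '#' is kept separate
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    codes = query.get("code")
    if not codes or not codes[0]:
        raise ValueError("no authorization code in redirect URL")
    return codes[0]


def build_basic_auth_header(client_id: str, client_secret: str) -> str:
    """Return the Authorization header value for the token request.

    This is Base64 of "ClientID:ClientSecret", computed locally so the
    Client Secret stays on your own machine.
    """
    raw = f"{client_id}:{client_secret}".encode("ascii")
    return "Basic " + base64.b64encode(raw).decode("ascii")


if __name__ == "__main__":
    print("code  :", extract_auth_code(SAMPLE_REDIRECT))
    print("header:", build_basic_auth_header(CLIENT_ID, CLIENT_SECRET))
```

The header value printed for the post’s sample credentials matches the one shown above from base64encode.org, which is a quick way to confirm you built it correctly.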

This ends part one. Before you leave this page make sure you’ve got your Client ID, Client Secret, temporary authorization code and the Base64 Authorization header saved in a text file for easy reference. Believe it or not the authorization code expires in 10 minutes! So let’s go!
Fitbit Authorization, Part 2