Fitbit Web API

REST API providing access to Fitbit device data including activity (steps, calories, distance), sleep stages and scoring, heart rate (resting and intraday), SpO2, body composition, menstrual health, nutrition logging, and device/app management. Requires user OAuth2 authorization to access personal health data.

Evaluated Mar 06, 2026 (version: current)
Tags: Other, fitbit, wearable, health, fitness, sleep, heart-rate, steps, oauth2, google-health, activity
⚙ Agent Friendliness: 54 / 100 (Can an agent use this?)
🔒 Security: 87 / 100 (Is it safe for agents?)
⚡ Reliability: 69 / 100 (Does it work consistently?)

Score Breakdown

⚙ Agent Friendliness

MCP Quality: --
Documentation: 72
Error Messages: 70
Auth Simplicity: 72
Rate Limits: 78

🔒 Security

TLS Enforcement: 100
Auth Strength: 85
Scope Granularity: 90
Dep. Hygiene: 78
Secret Handling: 82

Granular OAuth2 scopes allow requesting only the data types needed. Health data is sensitive — GDPR consent requirements apply. Users can revoke access at any time, and agents must handle token invalidation gracefully. Data portability requests under GDPR must be fulfilled by Fitbit, not by your app.

⚡ Reliability

Uptime/SLA: 72
Version Stability: 70
Breaking Changes: 65
Error Recovery: 70

Best When

Your users already own Fitbit devices and you want to enrich an application with their historical health and activity data with minimal friction via OAuth2 authorization.

Avoid When

You need real-time or near-real-time data streams, medical-grade accuracy, or coverage across multiple wearable ecosystems.

Use Cases

  • Building personal health dashboards that aggregate Fitbit activity, sleep, and heart rate trends over time
  • Research applications collecting longitudinal wearable data from consenting participants
  • Corporate wellness platforms that reward employees for meeting activity goals based on Fitbit data
  • Sleep coaching applications that analyze sleep stage data and HRV trends to provide personalized recommendations
  • Health and fitness apps that supplement manual logging with automatic Fitbit activity sync

Not For

  • Clinical or medical-grade applications requiring FDA-cleared device data (Fitbit is consumer-grade)
  • Real-time biometric streaming — Fitbit syncs are periodic, not continuous streaming
  • Applications requiring data from non-Fitbit wearables (use Apple HealthKit or Google Health Connect instead)

Interface

REST API: Yes
GraphQL: No
gRPC: No
MCP Server: No
SDK: No
Webhooks: Yes

Authentication

Methods: oauth2
OAuth: Yes
Scopes: Yes

OAuth2 Authorization Code flow with PKCE. Scopes are granular per data type: activity, heartrate, sleep, nutrition, oxygen_saturation, respiratory_rate, settings, social, weight, profile. Access tokens expire in 8 hours; refresh tokens are long-lived. Intraday data (per-minute heart rate) requires approval from Fitbit for third-party apps — it is not available to all developers.

Pricing

Model: free
Free tier: Yes
Requires CC: No

Fitbit's commercial partnership model changed after the Google acquisition. Apps intending commercial use or accessing sensitive data types must apply for access and agree to the Fitbit Platform Terms. Intraday (per-minute resolution) data requires a separate application and approval process that can take weeks.

Agent Metadata

Pagination: none
Idempotent: Partial
Retry Guidance: Not documented

Known Gotchas

  • The rate limit is 150 requests/hour per user OAuth token, not per application — a user with multiple connected apps shares the same quota, so your app may get 429s even with low request volume if the user has other Fitbit integrations
  • Intraday (per-minute) heart rate and activity data requires separate developer approval that is not automatic — building a feature that relies on this data before approval is granted will result in 403s for production users
  • Date parameters use YYYY-MM-DD format based on the user's Fitbit account timezone, not UTC — querying 'today' in UTC may return yesterday's data for users in UTC+ timezones
  • Sleep data is attributed to the day the sleep session ends, not starts — a sleep session from 11pm Monday to 7am Tuesday appears under Tuesday's date
  • Access tokens expire in 8 hours; agents that cache tokens without tracking expiry will silently fail overnight; implement proactive refresh before expiry
  • The webhooks (subscriptions) API delivers notifications without a payload — agents must make a follow-up API call to fetch the changed data, meaning one webhook event requires one additional authenticated request
  • After Google's acquisition of Fitbit, some developer documentation and endpoints have been deprecated or migrated with minimal notice; always validate endpoints against current docs before building
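A token cache that records the 8-hour expiry as an absolute deadline, refreshes proactively before it, and treats a rejected refresh as user revocation, as an added example (not Fitbit's own code; Fitbit ships no SDK). The refresh transport and clock are injected and assumed: a real transport would POST the refresh token to Fitbit's OAuth2 token endpoint and raise RefreshRejected on an invalid_grant error.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


class ReauthorizationRequired(Exception):
    """The refresh token was revoked or rejected; the user must re-consent."""


class RefreshRejected(Exception):
    """Raised by the injected refresh transport when the token endpoint
    answers with an OAuth2 error such as invalid_grant (hypothetical hook)."""


@dataclass
class TokenCache:
    # Posts a refresh_token to the token endpoint and returns the JSON body
    # (access_token, expires_in, optional rotated refresh_token). Injected so
    # this example runs without network access.
    refresh_fn: Callable[[str], Dict]
    clock: Callable[[], float] = time.time
    skew: float = 300.0  # refresh this many seconds before the deadline
    access_token: Optional[str] = None
    refresh_token: Optional[str] = None
    expires_at: float = 0.0

    def store(self, token_json: Dict) -> None:
        # expires_in is relative to now; cache an absolute deadline so a
        # process that sleeps overnight still knows the token is stale.
        self.access_token = token_json["access_token"]
        # RFC 6749 lets the server rotate the refresh token; keep the newest one
        self.refresh_token = token_json.get("refresh_token", self.refresh_token)
        self.expires_at = self.clock() + float(token_json["expires_in"])

    def needs_refresh(self) -> bool:
        return self.access_token is None or self.clock() >= self.expires_at - self.skew

    def get(self) -> str:
        """Return a token valid for at least `skew` more seconds, refreshing if needed."""
        if self.needs_refresh():
            if not self.refresh_token:
                raise ReauthorizationRequired("no refresh token cached")
            try:
                self.store(self.refresh_fn(self.refresh_token))
            except RefreshRejected as exc:
                # Revocation by the user shows up here: drop the dead tokens
                # instead of retrying with them forever.
                self.access_token = self.refresh_token = None
                raise ReauthorizationRequired(str(exc)) from exc
        return self.access_token
```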

Scores are editorial opinions as of 2026-03-06.
