Integrate Fitbit's Web API into your Bolt.new app by registering a developer app at dev.fitbit.com, implementing OAuth 2.0 with PKCE via an API route, and fetching activity, sleep, and heart rate data. Because OAuth callbacks require a stable redirect URI, you must deploy to Netlify or Bolt Cloud before completing authentication. Wearable health dashboards with time-series charts work well once deployed.
Build a Fitbit Health Dashboard in Bolt.new
Fitbit's Web API unlocks a rich stream of personal health data — step counts, active minutes, resting heart rate, sleep stages, calorie burn, and more. For founders building wellness apps, corporate health platforms, or personal productivity tools, connecting to Fitbit data allows users to see their wearable metrics inside your product without leaving it. The API is REST-based with JSON responses, making it a natural fit for Bolt.new's HTTP-based integration model.
The integration centers on OAuth 2.0 with PKCE (Proof Key for Code Exchange), Fitbit's required authorization standard since 2023. This flow involves two round-trips: first redirecting the user to Fitbit's authorization page, then exchanging the returned code for access and refresh tokens. Because the redirect URI must be a stable, registered URL, you cannot complete OAuth in Bolt's WebContainer preview — the preview URL is dynamic and cannot be pre-registered. The standard solution is a quick deploy to Netlify or Bolt Cloud, which gives you a permanent domain to register.
Once authorized, your API routes can query endpoints like `/1/user/-/activities/date/today.json` for daily summaries, `/1/user/-/heart/date/today/1d.json` for heart rate, and `/1.2/user/-/sleep/date/today.json` for sleep stages. Fitbit is in the process of migrating some device data to Google Health Connect following Google's acquisition, but the Web API continues to work for existing Fitbit device users as of March 2026.
Integration method
Bolt generates Next.js API routes that handle the Fitbit OAuth 2.0 PKCE flow server-side and proxy health data requests to the Fitbit Web API. Sensitive tokens are stored in environment variables and never exposed to the browser. Because Fitbit requires a stable redirect URI for OAuth, the integration must be tested on a deployed URL rather than Bolt's WebContainer preview.
Prerequisites
- A Fitbit account (free) and a Fitbit device or the Fitbit mobile app with logged data
- A developer app registered at dev.fitbit.com with OAuth 2.0 credentials
- A Bolt.new project using Next.js (required for server-side API routes)
- A deployed URL on Netlify or Bolt Cloud to use as the OAuth redirect URI
- Basic understanding of OAuth 2.0 concepts (authorization code, access tokens)
Step-by-step guide
Register a Fitbit Developer Application
Register a Fitbit Developer Application
Go to dev.fitbit.com and sign in with your Fitbit account. Click 'Register an App' in the top navigation. Fill in the application details: Application Name (e.g., 'My Health Dashboard'), Description, Application Website URL (your deployed Netlify URL or a placeholder while developing), Organization and Organization Website. For OAuth 2.0 Application Type, select 'Personal' if this is just for your own data, or 'Server' if users will log in with their own Fitbit accounts. Under Redirect URL, enter your deployed domain followed by `/api/fitbit/callback` — for example `https://your-app.netlify.app/api/fitbit/callback`. You can update this after deploying. Set Default Access Type to 'Read Only' unless you need to write data. Submit the form. Fitbit will immediately show your Client ID and Client Secret on the confirmation page — copy both and store them securely. Note that Fitbit requires apps to request specific scopes; the most commonly used are `activity`, `heartrate`, `sleep`, `nutrition`, and `profile`. You will specify these in your authorization URL.
Set up a Fitbit OAuth integration in my Next.js app. Create an API route at app/api/fitbit/auth/route.ts that generates the Fitbit OAuth authorization URL with PKCE (code_verifier and code_challenge), stores the code_verifier in a cookie, and redirects to Fitbit's authorization page. Request scopes: activity, heartrate, sleep, profile. Use environment variables FITBIT_CLIENT_ID and FITBIT_CLIENT_SECRET.
Paste this in Bolt.new chat
1// app/api/fitbit/auth/route.ts2import { NextResponse } from 'next/server';3import { cookies } from 'next/headers';4import crypto from 'crypto';56function generateCodeVerifier(): string {7 return crypto.randomBytes(32).toString('base64url');8}910function generateCodeChallenge(verifier: string): string {11 return crypto.createHash('sha256').update(verifier).digest('base64url');12}1314export async function GET() {15 const clientId = process.env.FITBIT_CLIENT_ID!;16 const redirectUri = process.env.FITBIT_REDIRECT_URI!;1718 const codeVerifier = generateCodeVerifier();19 const codeChallenge = generateCodeChallenge(codeVerifier);20 const state = crypto.randomBytes(16).toString('hex');2122 const cookieStore = await cookies();23 cookieStore.set('fitbit_code_verifier', codeVerifier, {24 httpOnly: true,25 secure: process.env.NODE_ENV === 'production',26 maxAge: 600,27 path: '/',28 });29 cookieStore.set('fitbit_state', state, {30 httpOnly: true,31 secure: process.env.NODE_ENV === 'production',32 maxAge: 600,33 path: '/',34 });3536 const scopes = ['activity', 'heartrate', 'sleep', 'profile'].join(' ');37 const authUrl = new URL('https://www.fitbit.com/oauth2/authorize');38 authUrl.searchParams.set('client_id', clientId);39 authUrl.searchParams.set('redirect_uri', redirectUri);40 authUrl.searchParams.set('response_type', 'code');41 authUrl.searchParams.set('scope', scopes);42 authUrl.searchParams.set('code_challenge', codeChallenge);43 authUrl.searchParams.set('code_challenge_method', 'S256');44 authUrl.searchParams.set('state', state);4546 return NextResponse.redirect(authUrl.toString());47}Pro tip: The PKCE code_verifier must be stored somewhere that persists across the redirect. An httpOnly cookie is the cleanest approach in Next.js — never store it in localStorage as it won't survive the page navigation.
Expected result: Clicking 'Connect Fitbit' in your app redirects to the Fitbit authorization page where users can approve the requested scopes.
Handle the OAuth Callback and Exchange Tokens
Handle the OAuth Callback and Exchange Tokens
After the user approves your app on Fitbit's site, Fitbit redirects back to your registered redirect URI with a `code` and `state` parameter. Your callback API route must validate the state, retrieve the stored code_verifier cookie, and exchange the code for access and refresh tokens using Fitbit's token endpoint. The token exchange requires HTTP Basic Authentication using your Client ID and Secret (Base64 encoded as `clientId:clientSecret`), plus the PKCE code_verifier. Fitbit returns an `access_token` (valid for 8 hours), `refresh_token` (long-lived), `user_id`, and granted `scope`. Store the access_token and refresh_token securely — in this example we use encrypted cookies, but in a production app with multiple users you would store them in your database keyed to the user. The callback route should then redirect the user to your dashboard. Handle the token refresh flow: when an API call returns a 401, use the refresh token to get a new access token automatically.
Create a Fitbit OAuth callback handler at app/api/fitbit/callback/route.ts. It should: (1) validate the state parameter against the stored cookie, (2) retrieve the code_verifier cookie, (3) POST to https://api.fitbit.com/oauth2/token to exchange the code for tokens using HTTP Basic auth with FITBIT_CLIENT_ID and FITBIT_CLIENT_SECRET, (4) store the access_token and refresh_token in httpOnly cookies, (5) redirect to /dashboard.
Paste this in Bolt.new chat
1// app/api/fitbit/callback/route.ts2import { NextRequest, NextResponse } from 'next/server';3import { cookies } from 'next/headers';45export async function GET(request: NextRequest) {6 const searchParams = request.nextUrl.searchParams;7 const code = searchParams.get('code');8 const state = searchParams.get('state');9 const error = searchParams.get('error');1011 if (error) {12 return NextResponse.redirect(new URL('/?error=fitbit_denied', request.url));13 }1415 const cookieStore = await cookies();16 const storedState = cookieStore.get('fitbit_state')?.value;17 const codeVerifier = cookieStore.get('fitbit_code_verifier')?.value;1819 if (!state || state !== storedState || !codeVerifier || !code) {20 return NextResponse.redirect(new URL('/?error=invalid_state', request.url));21 }2223 const clientId = process.env.FITBIT_CLIENT_ID!;24 const clientSecret = process.env.FITBIT_CLIENT_SECRET!;25 const redirectUri = process.env.FITBIT_REDIRECT_URI!;2627 const credentials = Buffer.from(`${clientId}:${clientSecret}`).toString('base64');2829 const tokenResponse = await fetch('https://api.fitbit.com/oauth2/token', {30 method: 'POST',31 headers: {32 'Authorization': `Basic ${credentials}`,33 'Content-Type': 'application/x-www-form-urlencoded',34 },35 body: new URLSearchParams({36 code,37 grant_type: 'authorization_code',38 redirect_uri: redirectUri,39 code_verifier: codeVerifier,40 }).toString(),41 });4243 if (!tokenResponse.ok) {44 const err = await tokenResponse.json();45 console.error('Token exchange failed:', err);46 return NextResponse.redirect(new URL('/?error=token_exchange_failed', request.url));47 }4849 const tokens = await tokenResponse.json();5051 const response = NextResponse.redirect(new URL('/dashboard', request.url));52 response.cookies.set('fitbit_access_token', tokens.access_token, {53 httpOnly: true, secure: true, maxAge: 28800, path: '/'54 });55 response.cookies.set('fitbit_refresh_token', tokens.refresh_token, {56 httpOnly: true, secure: true, maxAge: 60 * 60 * 24 * 30, path: '/'57 });58 response.cookies.delete('fitbit_code_verifier');59 response.cookies.delete('fitbit_state');6061 return response;62}Pro tip: Fitbit access tokens expire after 8 hours. Build a token refresh helper that calls /oauth2/token with grant_type=refresh_token whenever a 401 is returned from data endpoints.
Expected result: After authorizing on Fitbit's site, the user is redirected to your /dashboard page with access and refresh tokens stored in httpOnly cookies.
Fetch Health Data from the Fitbit API
Fetch Health Data from the Fitbit API
With valid access tokens stored, create API routes that proxy Fitbit data endpoints to your frontend. The Fitbit Web API uses versioned REST endpoints under `https://api.fitbit.com`. Key endpoints include: `/1/user/-/activities/date/{date}.json` for daily activity summary (steps, calories, distance, active minutes); `/1/user/-/heart/date/{date}/1d/1min.json` for intraday heart rate data; `/1.2/user/-/sleep/date/{date}.json` for sleep stages; `/1/user/-/activities/heart/date/{date}/7d.json` for 7-day heart rate trends. The `-` in the user path is a shorthand for the authorized user's ID. Each request requires the Authorization header with `Bearer {access_token}`. Create a single data proxy route that accepts a query param specifying which data type to fetch, validates the token, makes the Fitbit API call, and returns the JSON to your frontend component. Rate limits: 150 API calls per user per hour. Be mindful when building polling or auto-refreshing dashboards.
Create a Fitbit data API route at app/api/fitbit/data/route.ts that accepts a 'type' query param (activity, heartrate, sleep) and fetches the corresponding data from the Fitbit API using the stored access_token cookie. For activity: GET /1/user/-/activities/date/today.json. For heartrate: GET /1/user/-/heart/date/today/7d.json. For sleep: GET /1.2/user/-/sleep/date/today.json. Return the Fitbit API response as JSON.
Paste this in Bolt.new chat
1// app/api/fitbit/data/route.ts2import { NextRequest, NextResponse } from 'next/server';3import { cookies } from 'next/headers';45const FITBIT_ENDPOINTS: Record<string, string> = {6 activity: '/1/user/-/activities/date/today.json',7 heartrate: '/1/user/-/heart/date/today/7d.json',8 sleep: '/1.2/user/-/sleep/date/today.json',9 profile: '/1/user/-/profile.json',10};1112async function refreshToken(refreshToken: string): Promise<string | null> {13 const credentials = Buffer.from(14 `${process.env.FITBIT_CLIENT_ID}:${process.env.FITBIT_CLIENT_SECRET}`15 ).toString('base64');1617 const res = await fetch('https://api.fitbit.com/oauth2/token', {18 method: 'POST',19 headers: {20 Authorization: `Basic ${credentials}`,21 'Content-Type': 'application/x-www-form-urlencoded',22 },23 body: new URLSearchParams({24 grant_type: 'refresh_token',25 refresh_token: refreshToken,26 }).toString(),27 });2829 if (!res.ok) return null;30 const data = await res.json();31 return data.access_token;32}3334export async function GET(request: NextRequest) {35 const cookieStore = await cookies();36 let accessToken = cookieStore.get('fitbit_access_token')?.value;37 const storedRefreshToken = cookieStore.get('fitbit_refresh_token')?.value;38 const type = request.nextUrl.searchParams.get('type') ?? 'activity';3940 if (!accessToken || !storedRefreshToken) {41 return NextResponse.json({ error: 'Not authenticated' }, { status: 401 });42 }4344 const endpoint = FITBIT_ENDPOINTS[type];45 if (!endpoint) {46 return NextResponse.json({ error: 'Unknown data type' }, { status: 400 });47 }4849 let fitbitRes = await fetch(`https://api.fitbit.com${endpoint}`, {50 headers: { Authorization: `Bearer ${accessToken}` },51 });5253 if (fitbitRes.status === 401 && storedRefreshToken) {54 const newToken = await refreshToken(storedRefreshToken);55 if (!newToken) return NextResponse.json({ error: 'Session expired' }, { status: 401 });56 accessToken = newToken;57 fitbitRes = await fetch(`https://api.fitbit.com${endpoint}`, {58 headers: { Authorization: `Bearer ${accessToken}` },59 });60 }6162 const data = await fitbitRes.json();63 const response = NextResponse.json(data);64 if (accessToken !== cookieStore.get('fitbit_access_token')?.value) {65 response.cookies.set('fitbit_access_token', accessToken, {66 httpOnly: true, secure: true, maxAge: 28800, path: '/'67 });68 }69 return response;70}Pro tip: Fitbit's rate limit is 150 requests per user per hour. Cache responses in memory or a database for frequently viewed data like daily summaries, which only update every few minutes anyway.
Expected result: Calling /api/fitbit/data?type=activity from your frontend returns today's steps, calories, and active minutes as JSON.
Build the Health Dashboard UI
Build the Health Dashboard UI
With working data API routes, prompt Bolt to generate the dashboard component that visualizes your Fitbit data. The dashboard should fetch data from your proxy routes using `useEffect` and `fetch`, then display it with summary cards and time-series charts. For charts, Recharts is a popular choice that installs cleanly in WebContainers without native dependencies. Structure the dashboard into sections: a top row of metric cards (steps today, calories burned, active minutes, resting heart rate), a heart rate trend line chart for the past 7 days, and a sleep breakdown showing total hours and time in each sleep stage. Add a loading skeleton while data fetches and an error state for unauthenticated users that shows a 'Connect Fitbit' button. The OAuth flow in the preview will not complete because the WebContainer URL cannot be registered as a redirect URI — add a clear 'Deploy first to test OAuth' note in development mode, or use mock data during development and test the real flow on your deployed URL.
Build a Fitbit health dashboard component at components/FitbitDashboard.tsx. It should: (1) fetch /api/fitbit/data?type=activity, /api/fitbit/data?type=heartrate, and /api/fitbit/data?type=sleep on load; (2) show cards for steps (goal: 10,000), calories burned, active minutes, and resting heart rate; (3) render a Recharts LineChart of heart rate trends over 7 days; (4) show last night's sleep duration and a breakdown bar of sleep stages (deep, light, REM, awake); (5) show a 'Connect Fitbit' button linking to /api/fitbit/auth if unauthenticated (401 response).
Paste this in Bolt.new chat
Pro tip: During development in Bolt's WebContainer, use mock Fitbit data to build and style the UI. Switch to live API calls after deploying — the OAuth flow won't work in the preview environment.
Expected result: The dashboard page displays step count, calories, heart rate chart, and sleep summary using live or mock Fitbit data, with a Connect Fitbit button for unauthenticated users.
Deploy and Register OAuth Redirect URI
Deploy and Register OAuth Redirect URI
Bolt's WebContainer uses a dynamic URL that changes between sessions and cannot be registered as a stable OAuth redirect URI. This is the primary reason Fitbit OAuth cannot be tested in the preview — Fitbit validates the redirect_uri in the token exchange against the registered value, and a mismatch returns an error. Deploy your app to Netlify or Bolt Cloud to get a permanent URL. For Netlify: go to Settings → Applications in Bolt, connect to Netlify via OAuth, and click Publish. Your app gets a permanent `*.netlify.app` URL. Add your environment variables in Netlify's dashboard under Site Configuration → Environment Variables: `FITBIT_CLIENT_ID`, `FITBIT_CLIENT_SECRET`, and `FITBIT_REDIRECT_URI` (set to `https://your-app.netlify.app/api/fitbit/callback`). Then go back to dev.fitbit.com, find your registered application, and update the Redirect URL field to match. Redeploy the app after adding environment variables. Now test the full OAuth flow by visiting your deployed URL and clicking 'Connect Fitbit'.
Add a .env.local file with placeholder values: FITBIT_CLIENT_ID=your_client_id_here, FITBIT_CLIENT_SECRET=your_client_secret_here, FITBIT_REDIRECT_URI=https://your-deployed-domain.netlify.app/api/fitbit/callback. Also create a middleware.ts that protects the /dashboard route and redirects unauthenticated users (no fitbit_access_token cookie) to the homepage.
Paste this in Bolt.new chat
1// .env.local (add real values after deploying)2FITBIT_CLIENT_ID=your_client_id_here3FITBIT_CLIENT_SECRET=your_client_secret_here4FITBIT_REDIRECT_URI=https://your-deployed-domain.netlify.app/api/fitbit/callbackPro tip: After updating environment variables in Netlify, trigger a new deploy for the changes to take effect. Fitbit allows multiple redirect URIs per app — add both your Netlify URL and any custom domain so you can test both.
Expected result: The full OAuth flow works on your deployed URL: users click Connect Fitbit, authorize on Fitbit's site, and are redirected back to your dashboard with live data.
Common use cases
Personal Health Dashboard
Display a user's daily steps, calories burned, active minutes, and resting heart rate alongside sleep quality scores — all pulled live from Fitbit. The dashboard gives users a single view of their fitness trends without opening the Fitbit app.
Build a personal health dashboard that connects to the Fitbit API. It should show today's step count, calories burned, active minutes, resting heart rate, and last night's sleep duration. Use a card layout with a line chart for heart rate trends over the past 7 days. Handle OAuth login with a 'Connect Fitbit' button.
Copy this prompt to try it in Bolt.new
Corporate Wellness Tracker
Let employees connect their Fitbit accounts to an internal wellness portal that tracks team-level activity goals, step challenges, and sleep wellness scores. Data is aggregated anonymously for team leaderboards.
Create a corporate wellness app where employees can connect their Fitbit account. Show each user's weekly step total, compare it against a 70,000-step goal, and display a team leaderboard sorted by steps. Use Fitbit OAuth and store tokens securely in API routes.
Copy this prompt to try it in Bolt.new
Sleep Quality Journal
Pull Fitbit sleep stage data — time in REM, deep, light, and awake — and combine it with a user's mood journal entries to surface correlations between sleep patterns and daily energy levels.
Build a sleep journal app that pulls sleep stage data from the Fitbit API (REM, deep, light, awake minutes) and lets users add a daily mood rating from 1-5. Show a combined chart of sleep quality vs mood over the past 30 days.
Copy this prompt to try it in Bolt.new
Troubleshooting
OAuth callback returns 'redirect_uri_mismatch' error from Fitbit
Cause: The redirect_uri sent in your authorization request does not exactly match the one registered in your Fitbit developer app. Even a trailing slash difference causes a mismatch.
Solution: Go to dev.fitbit.com, open your app settings, and check the Redirect URL field. It must exactly match the FITBIT_REDIRECT_URI environment variable — same protocol (https), same domain, same path (/api/fitbit/callback). Update one or both to match.
OAuth flow works in Bolt's preview but redirects to a broken URL after authorization
Cause: The WebContainer preview URL is dynamic and different from the URL registered as the redirect URI. Fitbit sends the callback to your registered URL, but if you're testing in the preview, the browser is on a different origin.
Solution: Deploy to Netlify or Bolt Cloud first. Register your deployed domain as the redirect URI. Test the OAuth flow on the deployed site, not in Bolt's browser preview. During development, use mock data.
API calls return 401 Unauthorized after the user has already connected
Cause: Fitbit access tokens expire after 8 hours. If the user's session outlasts the token, all API calls will return 401 until the token is refreshed.
Solution: Implement token refresh logic: when any Fitbit API call returns 401, call /oauth2/token with grant_type=refresh_token and your stored refresh_token. The data proxy route in Step 3 already includes this logic — ensure your refresh_token cookie is persisted with a long maxAge (30 days).
Heart rate or sleep data endpoints return empty arrays even though the Fitbit app shows data
Cause: The authorized scopes don't include 'heartrate' or 'sleep', or the user's Fitbit device hasn't synced recently enough.
Solution: Check that your authorization URL includes all required scopes: activity, heartrate, sleep, profile. If scopes are missing, delete the stored tokens and re-initiate the OAuth flow — Fitbit will show the permission screen again. Prompt the user to sync their device in the Fitbit mobile app.
1const scopes = ['activity', 'heartrate', 'sleep', 'profile', 'nutrition'].join(' ');Best practices
- Always use PKCE (code_challenge + code_verifier) for the OAuth flow — Fitbit deprecated the implicit flow and now requires PKCE for all applications
- Store refresh tokens in httpOnly cookies or a server-side database — never in localStorage or client-accessible storage
- Respect Fitbit's 150 requests per user per hour rate limit by caching activity summaries that only change a few times per day
- Register your deployed domain (Netlify or Bolt Cloud URL) as the redirect URI before testing OAuth — the WebContainer preview URL is not suitable for OAuth callbacks
- Handle token expiry gracefully by automatically refreshing the access token on 401 responses rather than forcing users to re-authorize
- Request only the scopes your app actually needs — users are more likely to approve a limited set of permissions
- Note the ongoing Fitbit-to-Google Health Connect migration: new Fitbit devices may route some data through Google's API in the future, requiring a second integration path for future-proofing
Alternatives
Garmin Connect IQ is preferred by serious athletes and endurance sports enthusiasts who use Garmin GPS watches with more detailed workout metrics.
Google Fit aggregates data from multiple sources including Android phones, and is the likely long-term home for Fitbit data after Google's Health Connect migration.
Apple HealthKit covers iOS users with iPhone or Apple Watch health data and is the dominant health data platform for iPhone-heavy audiences.
Withings focuses on clinically-accurate health metrics from smart scales, blood pressure monitors, and sleep trackers, making it better for health-monitoring apps.
Frequently asked questions
Can I use the Fitbit API in Bolt's preview environment?
You can build and test the UI and data-fetching logic in Bolt's WebContainer preview, but the full OAuth flow cannot be completed because the preview URL is dynamic and cannot be registered as a stable redirect URI. Use mock data during development and test the real Fitbit connection on your deployed Netlify or Bolt Cloud URL.
Does the Fitbit API still work after Google's acquisition?
Yes, as of March 2026 the Fitbit Web API at api.fitbit.com is still operational for existing Fitbit devices. Google is gradually migrating Fitbit to the Google Health Connect platform, but has not announced an end-of-life date for the legacy Web API. New apps should be aware of the migration and may eventually need to add Google Health Connect support.
How do I handle multiple users connecting their Fitbit accounts?
For a multi-user app, store each user's access_token and refresh_token in your database (e.g., Bolt Database or Supabase) keyed to your app's user ID rather than in cookies. On each data request, look up the current user's stored tokens, refresh if expired, and make the Fitbit API call server-side.
What data does Fitbit allow me to access with the API?
With appropriate scope authorization, you can access activity (steps, calories, distance, floors, active minutes), heart rate (resting HR, time-series intraday data), sleep (stages: light, deep, REM, awake), nutrition (food logs, water intake), body (weight, BMI, body fat), and profile data. Each scope must be separately requested and approved by the user.
How do I deploy a Bolt.new app with Fitbit integration to Netlify?
Connect Netlify in Bolt's Settings → Applications panel, then click Publish. After deploying, go to Netlify's Site Configuration → Environment Variables and add FITBIT_CLIENT_ID, FITBIT_CLIENT_SECRET, and FITBIT_REDIRECT_URI with your *.netlify.app callback URL. Update the registered redirect URI in dev.fitbit.com to match, then redeploy to apply the environment variables.
Talk to an Expert
Our team has built 600+ apps. Get personalized help with your project.
Book a free consultation